Creating a Security Policy for “BYOD”

As more employees and contractors want to use their own mobile devices and computers to create, access, and store sensitive information, companies face a special information security challenge. This issue is commonly referred to as the “BYOD” or “Bring Your Own Device” (to work) problem. Companies need to account for BYOD in their security policy both to reduce the chance that a breach will occur and to decrease their potential liability if one does.

A very restrictive policy would indicate that employees and contractors are forbidden from creating, accessing, or storing company confidential materials and consumers’ sensitive or private information (as defined in another policy) on non-company devices. This would help ensure that such information is not put at risk via the use of computers that have not been configured for high security (as per yet another policy).

But what if your company can’t stomach such a restrictive policy? Then you need a policy that provides for at least some risk management and includes at least the following restrictions:

  • All devices used to create, access or store company confidential materials and consumers’ sensitive or private information must be configured [in cooperation with the company IT department] so that the device:
    • has its operating system configured for security
    • is password protected
    • has appropriate encryption enabled
    • runs appropriate anti-virus and anti-malware software
    • runs software allowing data to be remotely deleted. Note that some companies require this software to be under their control, and in that case the policy should include the provisions and processes under which the device may be remotely wiped.
    • accesses the company network in a secure manner (e.g. over a VPN)
    • uses encrypted protocols for accessing email
    • does not have insecure software installed
  • Methods for ensuring ongoing compliance may be specified, e.g. providing security scan results to IT on a monthly basis, or regular device check-ups by the IT department. Note that a company may wish to limit “BYOD” to devices that it believes can be fully secured and which IT staff have the skills to audit.
  • Legal reasons may require the company to access its data on these devices; by accessing company data, the device owner acknowledges that they may be compelled to provide access to the device and all of the data on it for this purpose.
  • Reasonable judgment will be used to physically protect these devices, and they will not be shared with others. Lost or stolen devices should be reported immediately to the IT department (which may deactivate the device or the device’s access to the network, email, etc. as feasible).
  • These devices must not be used for illegal purposes, harassment, or other activities that run counter to existing policies.
  • Company data must be returned and securely erased from these devices on termination of employment or at company request. When these devices are retired they must be securely disposed of, so that sensitive information is not left in device memory or storage.

This is just a starting point for elements to look for in a BYOD security policy. Depending on the kind of information being managed through the devices, state laws, and other relevant acts and standards, a wide variety of other policy components may be required. One should consult an attorney during the policy creation process to ensure all legal concerns are addressed.

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.