What to Consider when Building a BYOD Strategy
In my last blog, I touched on the first part of crafting a BYOD program: define your goals, assess your risk tolerance, and identify the key stakeholders in your program’s development.
The next step? Build your strategy. Here are a few things to consider:
Determine who will be allowed to bring their own devices
Many companies choose to roll out BYOD gradually, enabling only certain groups of employees in the first round and then opening it up to more employees at a later date. This allows them to test the waters before they dive right in.
Determine what devices employees will be allowed to bring
Too restrictive a policy will cause frustration and turn the IT staff into enforcers. Too liberal a policy can create headaches for the IT staff in terms of technical support and security. We typically see corporations limiting access to the 3-5 most popular OSs and their associated smart devices.
You should also consider allowing only devices with security features such as device encryption. And if you are using Mobile Device Management (MDM) to assist with your BYOD efforts, make sure the solution you choose not only covers the top OSs but also has a history of quickly adapting to changes in the device and OS market.
Determine what corporate access to allow
What applications will you allow access to from employee-owned smartphones and tablets: just email, specific corporate applications, or the entire corporate LAN? How will you ensure the security of that access, and will access vary by employee type?
Determine what to do in the event a device is lost or stolen
Most MDM solutions include tools that allow employees and/or the IT department to find lost phones via GPS or cell tower triangulation. You will want to determine what action to take when a device is lost or stolen, whether that means locking the phone, wiping the entire phone back to factory defaults, or wiping specific files and corporate apps.
Design an Acceptable Use Policy (AUP)
AUPs serve as a means for employees to know what they can and cannot do with their smart devices. This helps IT managers minimize support costs and security threats, while maximizing employee productivity. AUPs can be constructed using criteria such as the following:
- Application blacklists or whitelists
- Required encryption of the device
- What to do if the device has been jailbroken or rooted – jailbreaking or rooting a phone circumvents the built-in security and protection of the operating system, potentially opening up the phone to malware
- Device type and OS revision (rev) – prohibit device types and/or OS revs that may be less secure
- What to do if a device hasn’t checked in for a predetermined time frame – may be an indication the device was lost or stolen
As part of your BYOD strategy, you should also determine what to do if the AUP is violated. For example, an alert might be sent to the end user and their access to corporate applications restricted until remediation occurs.
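As an added example, not code from the original post: a small Python compliance check that evaluates a constructed device inventory against AUP rules modelled on the criteria listed above (blacklisted apps, required encryption, jailbreak/root status, OS rev, check-in age) and maps each violation to a response. The thresholds, the app identifier and the response ladder are hypothetical choices, not settings from any particular MDM product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical AUP parameters (constructed for this example, not from a real policy).
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}  # allowed platforms, minimum OS rev
BLOCKLISTED_APPS = {"com.example.unapproved-sync"}      # constructed placeholder app id
MAX_CHECKIN_AGE = timedelta(days=7)                     # silence beyond this may mean lost/stolen

@dataclass
class Device:  # one record, shaped like an MDM inventory export
    device_id: str
    platform: str
    os_version: tuple      # (major, minor)
    encrypted: bool
    jailbroken: bool       # jailbroken (iOS) or rooted (Android)
    last_checkin: datetime
    installed_apps: set = field(default_factory=set)
def find_violations(dev: Device, now: datetime) -> list:
    """Return the AUP rules this device breaks, in the order the post lists them."""
    v = []
    if dev.installed_apps & BLOCKLISTED_APPS:
        v.append("blocklisted_app")
    if not dev.encrypted:
        v.append("unencrypted")
    if dev.jailbroken:
        v.append("jailbroken_or_rooted")
    if dev.platform not in MIN_OS_VERSION:
        v.append("unsupported_platform")
    elif dev.os_version < MIN_OS_VERSION[dev.platform]:
        v.append("os_rev_too_old")
    if now - dev.last_checkin > MAX_CHECKIN_AGE:
        v.append("stale_checkin")
    return v
def decide_action(violations: list) -> str:
    """Map violations to a response; this ladder is one illustrative choice."""
    if not violations:
        return "allow"
    if "stale_checkin" in violations:   # possibly lost or stolen: remove corporate data only
        return "selective_wipe_corporate"
    return "alert_and_restrict"         # notify the user, block corporate access until fixed
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time
SAMPLE_DEVICES = [  # constructed inventory
    Device("d1", "ios", (17, 2), True, False, NOW - timedelta(hours=2)),
    Device("d2", "android", (12, 0), False, False, NOW - timedelta(days=1)),
    Device("d3", "android", (14, 0), True, True, NOW - timedelta(days=1), {"com.example.unapproved-sync"}),
    Device("d4", "ios", (17, 0), True, False, NOW - timedelta(days=10)),
]
def triage(devices=SAMPLE_DEVICES, now=NOW) -> dict:
    # Evaluate every device; returns {device_id: (action, violations)}
    return {d.device_id: (decide_action(v := find_violations(d, now)), v) for d in devices}
```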
I’ve raised a lot of questions in this blog with no right or wrong answers. To achieve a successful implementation, you will need to take a look at what you are trying to accomplish with your BYOD program and then create a strategy specific to your corporation.
