BYOD (Bring Your Own Device) Policy


The intent of this policy is to serve as a standard for organizations implementing or updating their mobile device security procedures. The most obvious observation is that users do not appreciate the risk mobile devices pose to the confidentiality and integrity of company data; as a result, they frequently fail to apply to these devices the same data security measures they apply to workstations. Secondly, when users use their own devices for business, they tend to give more weight to their personal rights on the device than to the employer's need to safeguard its information. This policy provides the structure for safeguarding portable devices and should accompany the company's other policies on information technology security and data integrity.

BYOD Policy

  1. Introduction

Mobile devices such as tablets and smartphones are essential tools for the company, and their use is supported in order to meet business objectives. They also present substantial risk to company data: if the applicable security policies and procedures are not in place, a mobile device can become a channel for unauthorized access to the company's network, leading to compromised accounts and network resources and to infection by malware.

The company is obligated to safeguard its data in order to protect its customers' intellectual property and its own reputation.

  2. Scope

  1. All employee- or company-owned mobile devices that have access to networks owned and managed by the company, with the exclusion of company-managed laptops.
  2. Exemptions: authorized individuals must conduct a risk assessment when there is a business need to be exempted from this policy.
  3. All expenses associated with replacing a lost or stolen personal device are solely the employee's responsibility.
  4. Employees retain full ownership of the personal devices they use for company business; however, under this policy they are required to install the latest patches and software updates immediately upon availability or within a reasonable amount of time.
  5. It is the employee's responsibility to notify the company if the device is lost or stolen.
  6. This policy does not apply to the device owner's personal use, and the employee's personal data must always remain private and separate from corporate data.
  7. Corporate data residing on the employee's device is managed at the app level rather than the device level, so that the device owner's rights are not infringed upon.
  8. The following mobile operating systems are allowed: iOS 8.x or later and Android 5.0 or later.
  9. Passwords configured on mobile devices must conform to company password policies and must not be identical to any other credential used within the company.
  10. Direct connection to internal company networks is not allowed except for IT-managed devices.
  3. User Requirements

  1. Data required for the user's job function may be loaded onto the user's mobile device(s).
  2. Every lost or stolen device must be reported to the company's IT department as soon as possible.
  3. If a user believes unauthorized access to company data has occurred through any portable device, the user must report the incident to IT in accordance with the incident response procedure.
  4. Jailbroken (or, on Android, rooted) devices are not permitted, nor may devices contain software written to achieve unauthorized functionality or intended for malicious use.
  5. Pirated software or illegal content is not to be installed on any employee's mobile device.
  6. Only applications from the official platform-owner app store may be installed; installing code from untrusted sources is forbidden. Contact the company's IT department if it is unclear whether a piece of software is safe.
  7. Devices must be checked for patches and updated on at least a weekly basis.
  8. Device encryption is required.
  9. Personal and company email must not be combined on user devices. Users must ensure that company data is sent only through the corporate email system.
  10. Lock-screen notifications must be disabled by default on all mobile devices, so that no notification content is displayed while the device is locked.
  11. Screen capture must be disabled by default on all mobile devices.

3.3 Microsoft Exchange ActiveSync Mailbox Policies

  1. Employees (Default Sync Policy)
  • Password Required = Yes
  • Alphanumeric password = Yes
  • Password Expiration = Yes, 15 days
  • Attachments enabled = No
  • Device Encryption = Yes
  • SharePoint Access = No
  • Minimum password length = 6
  • Idle timeout frequency = 5 min
  • Allow Simple Password = No
  2. Managers (Default Sync Policy)
  • Password Required = Yes
  • Alphanumeric password = Yes
  • Password Expiration = Yes, 30 days
  • Attachments enabled = Yes
  • Device Encryption = Yes
  • SharePoint Access = Yes
  • Minimum password length = 6
  • Idle timeout frequency = 5 min
  • Allow Simple Password = No
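
The two ActiveSync policies above, as an added example written for this page (it is not part of the original post): Exchange 2010 Management Shell cmdlets that create them, assign one to a mailbox, and verify that the device has actually applied it. The policy names BYOD-Employees and BYOD-Managers and the mailbox jdoe are assumptions. In Exchange 2013 and later the equivalent cmdlet is New-MobileDeviceMailboxPolicy, and most of the password parameters lose the "Device" prefix (for example -PasswordEnabled, -MinPasswordLength).

```powershell
# Added example (not part of the original policy): the two Exchange ActiveSync
# mailbox policies from section 3.3 expressed as Exchange 2010 Management Shell
# cmdlets. Policy names and the sample mailbox "jdoe" are assumptions.

# Employees: no attachments, no SharePoint access, 15-day password expiration.
New-ActiveSyncMailboxPolicy -Name "BYOD-Employees" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -DevicePasswordExpiration 15.00:00:00 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AttachmentsEnabled $false `
    -WSSAccessEnabled $false `
    -AllowNonProvisionableDevices $false

# Managers: same password and encryption rules, 30-day expiration,
# attachments and SharePoint access allowed.
New-ActiveSyncMailboxPolicy -Name "BYOD-Managers" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -DevicePasswordExpiration 30.00:00:00 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AttachmentsEnabled $true `
    -WSSAccessEnabled $true `
    -AllowNonProvisionableDevices $false

# Assign a policy to a mailbox ("jdoe" is an assumed sample user).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Employees"

# Check: confirm each partnered device accepted the policy. A device whose
# DevicePolicyApplicationStatus is anything other than AppliedInFull is
# syncing mail without the controls above.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Two points worth noting. ActiveSync policies are enforced by the mail client on the device, not by the server, so -AllowNonProvisionableDevices $false matters: with it set to $true, a client that cannot enforce (or ignores) the password and encryption settings is still allowed to sync, which silently defeats the policy. And the settings here only govern the mail partnership; they do not replace the Android and iOS device settings in sections 3.4 and 3.5.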

3.4 Android Device Settings

  1. All Employees
  • Google Sync = Yes
  • Google Glass = Disabled
  • Enforce Work Profile = Yes
  • Allow Camera = No
  • Remote Wipe = Yes
  • Google Play Private Channel = Yes
  • Enable Lock Screen Widgets = No
  • Auto-Account Wipe = Yes, after 20 days of inactivity
  • Block Compromised Device = Enabled
  • Cross Profile Copy & Paste = Disabled
  • Verify Apps = Enabled
  • Developer Options = Disabled
  • Unknown Sources = Disabled
  • Sharing to other profiles = Disabled
  • Add or remove accounts = Disabled

3.5 iOS Device Settings

  1. All Employees
  • Google Sync = Yes
  • Control Center = No
  • Notifications View = No
  • Today View = No
  • iCloud Backup = Yes
  • Document Sync = Yes
  • Keychain Sync = Yes

*Jailbreaking a device is the process of removing the controls put in place by the manufacturer. Full access to the operating system is gained, unlocking all of its features and enabling the installation of unauthorized software (the Android equivalent is rooting). Jailbreaking or rooting any mobile device used under this BYOD policy is a strict violation of company policy and will lead to disciplinary action and/or termination of employment.

Employee’s Acknowledgement_______________________ Dated ______________

Management’s Acknowledgement____________________ Dated ______________

Policy Choices

Device encryption was chosen to protect the data on a mobile device that is lost or stolen, rendering the data unreadable if the device is recovered by an unauthorized individual. Device and data are further protected by not allowing notifications to appear on the lock screen, which removes the risk of the device being manipulated from the notification shade while locked and of private or confidential data being read from the lock screen. For Microsoft Exchange, a non-simple alphanumeric password of at least six characters with a 15-day expiration was chosen; the short lifetime limits how long a compromised password remains usable and covers the window in which a lost device is reported and remotely wiped. Installation from unknown sources is disabled and Verify Apps is enabled so that employees cannot bypass the built-in mechanisms that prevent potentially malicious software from being installed from unauthorized third-party sources. "Enforce work profile" is enabled to keep company apps and data segregated from personal apps and data: the employee can use the personal portion of the device without interference from the company portion, and vice versa, which gives a fluid user experience without compromising the security of company apps and data. Blocking of compromised devices is enabled in the company's best interest so that the company account data on the device is automatically wiped if the device is modified (rooted or jailbroken) in a way that jeopardizes company security.

Conclusion

While allowing employees to combine personal and business use of their devices is beneficial to organizations, it is critical to have a BYOD policy in place to reduce the resulting security exposure. BYOD policies can reduce risk, but they can also introduce new risk if the wrong policy is put in place. Now more than ever, mobile devices are exposed to viruses, Trojans, other malware, phishing and many other threats that arrive over the Internet, and all of these can easily be carried onto corporate networks; they must therefore be addressed through policy and enforcement. Some would argue that BYOD programs are a waste of time because they distract IT from its other responsibilities; the fact that company data is synced to personal devices is justification enough for having a sound BYOD policy in place. Other concerns stem from employees who are terminated or otherwise leave the company under less than desirable conditions and may become hostile towards it. In the end, it is about protecting the company's interests in network and information security and, in doing so, avoiding the problems that a breach brings.

Citations:

Burke, D. (2015). Android M has arrived: here's what you need to know. Retrieved June 2015, from AndroidPIT: https://www.androidpit.com/android-m-release-date-news-features-name

Google. (2015). Configure mobile device settings. Retrieved June 2015, from Google Support: https://support.google.com/a/answer/1408902?hl=en

Google. (2015). Android Security 2014 Year in Review. Retrieved June 2015, from Google: https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf

Microsoft. (2010). Understanding Exchange ActiveSync Mailbox Policies. Retrieved June 2015, from technet.microsoft.com: https://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx

Skidmore, S. (2015, February 2). You need a BYOD policy! A framework to get started. Retrieved June 20, 2015, from Apperian: https://www.apperian.com/need-byod-policy-framework-get-started/

Sophos. (2015). Example Mobile Device Security Policy. Retrieved June 2015, from Sophos: https://www.sophos.com/en-us/medialibrary/PDFs/other/Example%20Mobile%20Device%20Security%20Policy.docx
