BYOD. opos WHAT IS YOUR POLICY? SUMMARY

Transcription

1 BYOD WHAT IS YOUR POLICY? opos SUMMARY The organization s employees and contractors frequently perform employment-related tasks which require connecting to the organization s networks, systems, and/or . Employees and contractors may want to use their own desktop computers, laptops, tablets, smartphones, or other devise in the process. This policy describes the steps these individuals must take when connecting personal devices to the organization s systems, , and networks. The organization refuses the right to revoke users right to use such their own devices if users do not abide by the policies and procedures outlined below. Users must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the organization s networks, systems and s. AUDIENCE All full-time employees, contract workers, consultants, part-time staff, and temporary workers and other personnel granted access to the organization s systems, networks, software, and/or data. PURPOSE All users should understand that whenever a staff member or contractor connects a computer device to the organization s network, systems, or computers, the opportunity exists for: Exposure to computer viruses, spyware, or other malware. Intentional or accidental copying of protected information and/or proprietary organization information to unauthorized devices. The introduction of a technical incompatibility to the organization s systems or networks Camino Ramon #195, San Ramon, CA

2 As a result of any of the three circumstances listed above, a user connecting his or her own device to organization resources, systems, or networks could interrupt business operations, cause unplanned downtime for multiple users, and/or cause a data breach releasing organization, client, and/or partner data to unauthorized parties. In worstcase scenarios (and in events entirely realized at other organizations), civil and criminal penalties for the user and/or substantial costs and expenses to the organization could arise. Additionally devices may not be used at any time to: Store, receive or transmit illicit materials; store or transmit proprietary information belonging to another organization; harass others; engage in outside business activities; and/or to be used in any other manner prohibited by the organization in its discretion. The organization has a zero-tolerance policy regarding texting or ing while driving, and only hands-free talking while driving is permitted if allowed by law. COVERED EQUIPMENT The following commonly used items are covered by the organization s BYOD Policy whenever these devices are connected to the organization s networks, external hard disks, flash drives, and other organization-provided or supported systems (including ): Desktops, laptops, and tablet computers Smartphones, defined as any cellular telephone that connects to the Internet via WiFi or a telecommunications-provider s network Flash, memory and/or thumb drives External hard disks BYOD AUTHORIZATION PROCESS Whenever any organization user wishes to use a personally owned or personally provided device to connect to the organization s networks, devices and/or systems, the following protocol should be followed: The user must request in writing that the personally owned or personally provided device be approved for use within the organization. The IT department will ensure that the user s device does not have a static IP address that could introduce incompatibilities. The IT department will ensure that the user s device does not have third-party software or applications that pose a threat to the organization s systems and networks or that could introduce application incompatibilities.

3 The IT department will ensure that the user s device does not have a virus, spyware, or malware infection. The IT department will ensure that the user s device is properly protected against viruses, spyware, and other malware infections and that the system has properly licensed anti-malware software, when appropriate. The IT department will ensure that the user s device is properly encrypted if the potential exists for the device to save, cache, or even temporarily store organization data. The IT department will log the system and ensure that it is properly configured to access resources remotely, if necessary, via a secure VPN connection. The IT director s written authorization to use the personally owned or personally provided device to connect to the organization s systems and networks must be obtained before the device is connected to the organization s networks, systems, or devices. Whenever a user decommissions, prepares to return, or otherwise ceases using a personally owned or personally provided device that the IT director has authorized for organization use, the user must notify the IT director that the device will no longer be used to connect to organization resources, systems, and networks. The IT director will remove any required encryption, VPN, and anti-malware licensing from the user s device. The IT director will confirm that the user s device does not contain any traces of protected, sensitive, corporate, or proprietary information and delete any protected, sensitive, corporate and/or proprietary data, licensing, and information remaining on the device. In the event that a user believes a personally- owned device that is authorized to connect to the organization s resources, systems, and networks might be infected with a virus, spyware infection, or other malware threat or might be somehow compromised, he or she must immediately notify the IT department, in writing, of the potential security risk. In the event that a user loses or misplaces a personally owned or personally provided device that is authorized to connect to the organization s resources, systems, and networks, he or she must immediately notify the IT department, in writing, of the potential security risk. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.

4 A personally-owned device may be remotely wiped if 1) the device is verified lost or stolen 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus or similar threat to the security of the organization s data and technology infrastructure. ADDITIONAL RISKS/LIABILITIES/DISCLAIMERS While the organization will take every precaution to prevent the employee s personal data from being lost in the event it must remote wipe a device, it is the employee s responsibility to take additional precautions, such as backing up , contacts, etc. The organization reserves the right to disconnect devices or disable services without notification. The employee is expected to use his or her devices in an ethical manner at all times and adhere to the organization s acceptable use policy as outlined above. The employee is personally liable for all costs associated with his or her device. The employee assumes full liability for risks including, but not limited to, the partial or complete loss of organization and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable. The organization reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy BYOD CHECKLIST Whenever a user has a personally owned device he or she wants to connect to the organization s resources, systems, networks, and devices, the user may use this BYOD Checklist to begin the BYOD Authorization Process. User s full name: User s Title: Date of Request: Device user wants to connect to organization resources, systems, or networks:

5 Organization s resources, systems, or networks to which user wishes to connect: User s work telephone: User s mobile telephone: User s home telephone: User s address: User s department: Date user received decommissioning: Date user requested decommissioning: Date IT department decommissioned device:

6 ACKNOWLEDGMENT OF BYOD POLICY This form is used to acknowledge receipt of and compliance with the organization s BYOD Policy. PROCEDURE Complete the following steps: Read the entire BYOD Policy. Sign and date this form in the spaces provided below. Return this page only to the IT department manager. SIGNATURE By signing below, I agree to the following terms: I have received and read a copy of the BYOD Policy and agree to comply with its provisions. I understand and agree to comply with staff and user prevention responsibilities described within this policy. I understand and agree that I am not to connect any non-organization-provided equipment including desktop computers, laptops, tablet systems, smartphones, and similar devices, including external hard disks and flash drives to any organization computer, network, or system. I understand that violations of the BYOD Policy could result in termination of employment and legal action including civil and criminal prosecution should I fail to maintain compliance with and/or intentionally violate the policy s provisions. Employee Signature Employee Title Employee Name Date Department / Location Disclaimer: This sample BYOD policy is intended only to provide sample text and a format that can be used in the development of an actual, comprehensive BYOD policy. There is no warranty offered that the text of this template is inclusive of all regulatory requirements or satisfies the intent of applicable rules, regulations or laws. This sample policy is not a substitute for legal advice. You should consult with your attorney on the development of your BYOD policy to ensure completeness and compliance with the law.