Gartner for IT Leaders Tool [Organization Name] Mobile Device Policy and Procedures for Personally Owned Devices: BYOD Program

Tool

[Organization Name] Mobile Device Policy and Procedures for Personally Owned Devices: BYOD Program

June 2012

Unless otherwise marked for external use, the items in this Gartner Toolkit are for internal noncommercial use by the licensed Gartner client. The materials contained in this Toolkit may not be repackaged or resold. Gartner makes no representations or warranties as to the suitability of this Toolkit for any particular purpose, and disclaims all liabilities for any damages, whether direct, consequential, incidental or special, arising out of the use of or inability to use this material or the information provided herein.

The instructions, intent and objective of this template are contained in the source document. Please refer back to that document for details.

TABLE OF CONTENTS

About This Template
Policy Background and Context
Definitions
Smartphone
Media Tablet
Mobile Device
Mobile Applications
Scope
User Roles and Responsibilities
User Responsibilities
Condition
Loss or Theft
Applications and Downloads
Backup and File Sharing or Synchronization
Functionality and Feature Management
User Safety
Data and System Security
Penalties
Support for BYOD
Reimbursement Guidelines
Organization Discounts
Technical Support Processes
How to Get Support
Warranty and Replacement Responsibility
Miscellaneous
Termination of Employment
Exceptions
E-Discovery
Related and Other Documents
User Agreement
Appendix A: Guidelines for Eligibility
Appendix B: Eligible Devices and Platforms
Appendix C: Security Criteria for Personally Owned Mobile Devices
Appendix D: Stipends for Eligible Employees
Appendix E: Reimbursable Software and Services

LIST OF TABLES

Table 1. Eligible Devices and Platforms

About This Template

Gartner has developed this bring your own device (BYOD) mobile device policy template for the following purposes:

- To help clients navigate discussions about the wide range of policy and procedural issues related to the use of mobile devices.
- To provide options for policies and procedures based on Gartner's knowledge of mobile device issues
- To provide language that can be adopted verbatim (or easily adapted) for an organization's policy documents

Think of the policies in this template as options that you can incorporate into your organization's policy. In some sections, we have provided specific options that you can select. The policy language is crafted so that you can adopt it verbatim or modify it to your specific situation. We do not expect that all the issues covered in this policy template will apply to all organizations. Review the template document, discuss the topics and select the policies that will create the desired impacts of risk mitigation and cost control in your organization.

We also recommend the following general guidelines for policy development practices:

- Engage stakeholders from the human resources, legal and/or compliance departments during the process.
- Include policies that are relevant to your organization's standard operating procedures.
- Do not adopt policies that your organization won't be able to enforce.
- The mobile device policy template includes a User Agreement section for the end-user's signature. Once the policies are changed, the IT organization can issue the policy document to existing and new employees and other end users.
- Periodically review your policy document to ensure that it is up to date with your organization's needs and related regulations.
- Help your end users comply with the policy by making it easy for them to understand. Use plain, clear language. Make the document as concise as possible.
Policy Background and Context

[Note for policy authors: You can add the following text or similar content to the introduction of your policy document.]

The purpose of this policy is to define accepted practices, responsibilities and procedures for the use of personally owned mobile devices that [Organization name] authorizes to connect to enterprise systems. This policy defines the commitment requirement, provides guidance for the secure use of end-user mobile devices and provides reimbursement guidelines for all mobile endpoint devices, including mobile phones, smartphones and media tablets.

At the core of this policy is the concept that the employee, through an opt-in decision, trades control over his/her personal device in exchange for access to corporate resources (such as the network and email). It is important that the consequences and obligations of this arrangement are well-understood. Therefore, we require a signature on the last page of this policy to confirm that it has been read and comprehended. These obligations include, but are not limited to:

- Employee acceptance that a personal device may be remotely wiped (i.e., erasing all data and applications) by [Organization name]
- Employee understanding that he or she is solely responsible for backing up any personal content on the device
- Employee agreement to keep the device updated and in good working order
- Employee acknowledgment that [Organization name] will in no way be responsible for damaged, lost or stolen personal devices while the employee is performing organizational business
- Employee agreement to allow IT to load manageability software on personally owned devices

Mobile devices are a valuable tool in conducting business. It is the policy of [Organization name] to protect and maintain user safety, security and privacy, while simultaneously protecting enterprise information assets while using these tools. Use of mobile devices supplied by or funded by [Organization name] shall be primarily for enterprise business. However, [Organization name] will permit the use of personally owned devices, subject to the following broad guidelines:

- The decision to be eligible to use a personally owned mobile device for organization business will be based on a documented business need and appropriate management approval. Guidelines for eligibility can be found in Appendix A.
- Reimbursement of expenses incurred by qualified users will follow enterprisewide or departmental policies.

Definitions

Smartphone

A smartphone is a mobile device with screen dimensions of between 2.5 inches and 5 inches, with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where aftermarket software can be purchased. A smartphone is based on an open OS. The OS has a software developer kit available that allows developers to use native APIs to write applications. It can be supported by a sole vendor or multiple vendors. It can, but need not, be open source. Examples include BlackBerry OS, iOS, Symbian, Android, Windows Phone, Linux, LiMo Foundation, webOS and Bada.

Media Tablet

A tablet is an open-face wireless device with a touchscreen display and without physical keyboards. The primary use is the consumption of media; it also has messaging, scheduling, email, and Internet capabilities. Diagonal screen dimensions are typically between 5 inches and 10 inches. Media tablets may have open-source OSs (such as Android) or a closed OS under the control of the OS vendor and/or device make (such as Apple's iOS and Windows). Media tablets may or may not support an application store.

Mobile Device

This refers to any mobile phone, smartphone or media tablet.

Mobile Applications

This refers to software designed for any or all the mobile devices defined in this policy.

Scope

This policy applies to all users (e.g., employees, contractors, consultants, suppliers, customers, government, academic agencies and all personnel affiliated with third parties) worldwide who access and/or use [Organization name] IT resources from non-[Organization name] issued and owned devices.

User Roles and Responsibilities

User Responsibilities

Despite individual ownership of the mobile device, the organization expects the user to assume certain responsibilities for any device that contains enterprise information or connects to enterprise resources. Users must ensure that they comply with all sections of this agreement.

Condition

- Users must agree to keep up to date (as defined in Appendix B) and in good working order all devices and platforms supported by [Organization name].
- Users must maintain a device compatible with the organization's published technical specifications, which will be updated at least every two years. If a device falls out of compliance, then it may be blocked from access until it is in good working order and meets minimum requirements.

Loss or Theft

- Within [define time frame of number of hours or days], users must report the temporary or permanent loss of personal devices to the help desk (to allow the device to be remotely wiped over the network) before cancelling any mobile operator services.
- Users must cancel any individual services for personally owned devices after the remote wipe of the device is completed.

Applications and Downloads

- Users must ensure that they install application updates in accordance with [Organization name] guidelines.
- Downloading applications from the platform's (e.g., Apple's, Android's) general application store is acceptable, as long as the application complies with this policy and the IT security policy and HR policies of [Organization name], and is not on the blacklist at [insert app store or intranet URL] or the app is available on the whitelist at [insert app store URL].
- Users [may not charge or may only charge approved] individual application purchases to the organization's credit card.

Backup and File Sharing or Synchronization

- Users are responsible for backing up all personal information on their personal hard drives or other backup systems. [Organization name] cannot be held liable for erasing user content and applications when it is deemed necessary to protect enterprise information assets or if a wipe is accidentally conducted. The procedures to do this are located at:
  For iOS: [insert intranet URL]
  For Android: [insert intranet URL]
  For BlackBerry: [insert intranet URL]
- Users must use enterprise-sanctioned network file shares for the purpose of synchronizing organization information between devices, and may not use unapproved cloud-based file synchronization services (such as [Proprietary solution name], etc.). Only [Organization name-provided solution X] may be used for this purpose.
- Users may not use external email accounts to synchronize the organization's information to a personal device.

Functionality and Feature Management

- Cameras in mobile devices are not to be used in the organization's secured facility areas unless permission from site management is obtained beforehand.
- Upon the organization's request, users must allow the installation of a mobile device management software agent, or any other software deemed necessary, on the user's device.
- The device functionality must not be modified unless required or recommended by [Organization name].
- The use of devices that are jailbroken, "rooted" or have been subjected to any other method of changing built-in protections is not permitted and constitutes a material breach of this policy.
- Users must accept that, when connecting the personal mobile device to [Organization name] resources, the [Organization name]'s security policy will be enforced on the device. The security policy implemented may include, but is not limited to, areas such as passcode, passcode timeout, passcode complexity and encryption.
- Users must take appropriate precautions to prevent others from obtaining access to their mobile device(s). Users will be responsible for all transactions made with their credentials, and should not share individually assigned passwords, PINs or other credentials.
- Users are responsible for bringing or sending the mobile device to the IT security department and handing over necessary device access codes when notified that the device has been selected for a physical security audit, or in the event the device is needed for e-discovery purposes.
- Users may not provide access credentials to any other individual, and each device in use must be explicitly granted access after agreeing to the terms and conditions of this document.

User Safety

Users should comply with the following safety guidelines when using mobile phones while in their vehicles:

- Users must comply with all country and local regulations regarding automobile safety.
- It is preferable to dial while the vehicle is not moving; otherwise, use voice recognition or speed dial to minimize risk.
- Never use the phone in heavy traffic or bad weather.
- When driving, always use a hands-free phone, a Bluetooth headset or a corded headset when possible.
- Never look up phone numbers while driving.
- Never have stressful conversations while driving.
- Do not program navigation applications while driving.
- Keep your eyes on the road while on the phone.
- Follow the local laws guiding the use of mobile phones, if such laws exist.

[Note for policy authors: Alternatively, you may use the following statement to substitute for the text in this section: "Users are asked not to talk, text or otherwise communicate via a mobile device while driving."]

Data and System Security

- All organization data that is stored on the device must be secured using [Organization name]-mandated physical and electronic methods at all times.
- Mobile device users must comply with the physical security requirements defined in [reference appropriate organization document] when equipment is at the user's workstation and when traveling.
- Users must take the following physical security preventative measures to protect [Organization name] data and systems.
- All users shall abide by [Organization name] standard information security directives for the device at all times.
- Device users must comply within [define time frame, in number of hours or days] with directives from their business units to update or upgrade system software, and must otherwise act to ensure security and system functionality.
- Personally owned mobile devices connecting to the network must meet the security criteria listed in Appendix C.

- Mobile devices must not be left in plain view in an unattended vehicle, even for a short period of time.
- Mobile devices must not be left in a vehicle overnight.
- Mobile devices must be positioned so that they (and the information contained within them) are not visible from outside a ground-floor window.
- A mobile device displaying sensitive information being used in a public place (e.g., train, aircraft or coffee shop) must be positioned so that the screen cannot be viewed by others, thus protecting [Organization name] information.
- A tinted/polarized screen guard may be used to decrease the viewing angles of any mobile device.
- Personally owned laptops and portable computing devices are prohibited from connecting to the [Organization name] network without prior approval from the IT security department.

Penalties

There are consequences for end users who do not comply with the policies detailed in this document:

[Note for policy authors: Include text that defines the following policies and procedures.
- Who or which department within the organization is responsible for monitoring compliance
- The organization's position on issuing warnings for most breaches of policy before penalty enforcement, including number of warnings and the procedure for documenting warnings
- The organization's appeal process
Note that HR guidelines will likely have input for the proper course of action, including possible termination for the most egregious offenses.]

Support for BYOD

[Organization name] supports the following BYOD models: [Note for policy authors: Delete the items that are not applicable.]

- Users that are eligible for an organization-liable smartphone may, at their own expense, purchase another device from the list of supported devices in Appendix B and transfer their organization-liable subscription to this new device.
- Users with personal preferences for a different brand or model of mobile device may purchase one at their own expense as long as it meets the requirements in Appendix A.
- Eligible users can receive a monthly stipend toward cellular services (see Appendix D for amounts) provided they purchase a device from the list of supported devices in Appendix B.

Phone Number Ownership:

[Option 1 (for systems where pooled minutes require that all numbers be enterprise-owned)] Employees who wish to put their personal device on a corporate contract must realize that their personal phone numbers will become the property of [Organization name] and that the return of that number to the individual may be impossible. The organization has the discretion to port the phone number back to the employee, unless there is a prior written agreement in place. Individuals who wish to keep their personal numbers permanently must change to an [Organization name] phone number or

[Option 2 (requires implementation of an enterprise communications gateway)] Employees will be required to install unified communications software that will mask the employees' phone numbers behind the [Organization name] internal telephony system. When business calls are made from a personal phone, those calls will have to be directed through the [Organization name] telephony system. Personal calls can be directed through an employee's personal number.

- Employees who are not eligible for an organization-funded mobile device may connect a personal device to corporate resources, as long as it meets the requirements in Appendix A and the employee has signed this policy after receiving manager approval of inclusion in the BYOD program.

Reimbursement Guidelines

- Ensure that any and all expenses pertaining to downloads of applications and/or use of websites are submitted for reimbursement in accordance with all current and future [Organization name] reimbursement policies. [Organization name] will not be responsible for personal purchases.
- Submit appropriate documentation to secure a reimbursement for data service up to the level specified by [Organization name] management and in accordance with [Organization name] reimbursement guidelines governing user expenses for business purposes.
- If an employee wants accessories for his or her device, they may be purchased at the employee's discretion. [Organization name] does not provide accessories beyond basic chargers, hands-free kits and belt clips. The normal procurement, approval and expense reimbursement procedures should be followed.
- Only software or services listed in Appendix E may be submitted for reimbursement.

Organization Discounts

[Organization name] has preferred operator agreement(s) with [Vendor name(s)]. All users should seek to source their mobile device and/or applications from the preferred supplier to benefit from any organization-negotiated discounts.

Technical Support Processes

How to Get Support

The help desk will provide support for BYOD when it comes to connectivity and back-end system operational questions only. Support for BYOD participants is limited to no more than 15 minutes of support for one incident per month [alternative: two incidents per quarter]. Support calls that exceed this limit will be billed on a time-and-materials basis to the end-user's department. [Organization name] has provided self-support tools in the form of a wiki at [insert URL] and a mail distribution list to facilitate peer support activities.

The help desk will not support device replacement, device upgrade, device operational questions or embedded software operational questions (such as questions related to the browser, email system, etc.). The help desk will only provide assistance on questions related to [Organization name] back-end software and the delivery of [Organization name] content to the device. All other inquiries must be directed to the end-user's mobile operator or other issuing retailer supporting the personal device.

Warranty and Replacement Responsibility

If an employee's device breaks or becomes damaged while conducting corporate business, [Organization name] will not reimburse the employee for any repairs or replacements. Consult with your device's manufacturer or retailer for applicable warranty agreements or repair services.

The help desk has a pool of loaner devices that can be used for a period of [up to 10] working days while the personally owned device is being replaced or repaired. These devices may not necessarily be identical to the BYOD device being repaired. Alternatively, the end user should make arrangements with the mobile operator for temporary device replacement plans.

Miscellaneous

Termination of Employment

Upon termination of employment, [Organization name] will remotely wipe all devices with the organization's information on them. It will be up to the end user to back up personal application and data prior to this event, and to restore only personal information after the device has been cleared of contents. Former employees are not authorized to restore any application or data that originated through the relationship with their former organization.
Any attempt to restore such information will be subject to legal action against the former employee. Certain devices may be considered an exception; the help desk will verify that all organization-related information has been removed.

Terminated employees must sign off on having no other copies of [Organization name] information stored on their devices. Please note that the paragraphs in the employee agreement related to handling corporate information also pertain to any information stored on personal devices or backups of them, regardless of media. Employees may also be responsible for any charges for service paid in advance of actual use.

Exceptions

[Note for policy authors: In any policy document, there will be exceptions. When exceptions grow to include large numbers of end users, revise the policy document to reflect and deal with reality. Policies can also outline a process for managing exceptions, as noted below.]

- Security exceptions should be routed to the IT security department.
- Financial exceptions should be routed to the supervisor, business unit manager or financial department.
- There should be an escalation process, where necessary, that may be through a committee or designated individual.

- Exceptions to this policy may only be approved by the CIO. [This statement could apply to a particular policy or to the entire document.]

E-Discovery

In the unlikely event of [Organization name] needing access to the device for e-discovery purposes, the employee is obliged to hand over the device along with the necessary passcodes.

Related and Other Documents

[Enter a reference to your organization's IT security policy here.]

User Agreement

I acknowledge that I have read this document in full and understand the terms of use and my responsibilities as a designated user. I agree to these terms in their entirety and agree to fully and to the best of my ability comply at all times with the responsibilities of users contained herein. I make no claims on my organization to protect any personal data and fully understand that I have accepted this policy under no coercion of any kind from my employer. I understand that violations of this agreement can result in revocation of BYOD eligibility and subject me to potential disciplinary actions, up to and including termination of employment.

[Organization name] can, at any time and at its discretion, modify this user agreement and require device users to reconfirm their agreement.

Participant Name (printed):
Participant Signature:
Date:

Participant's eligibility for program verified by:

Manager Name (printed):
Manager Signature:
Date:

Appendix A: Guidelines for Eligibility

Eligibility for participation in the BYOD program will be assessed by the employee's line manager. The manager should use the following guidelines for his or her evaluation:

- There is a justifiable business requirement for having mobile access to [Organization name] information.
- Employee agrees to opt in to [Organization name] management policies and procedures defined here and in related policy documents.
- The employee's device satisfies the conditions listed in Appendix B and Appendix C.

The organization may have reasons to deny eligibility, which may include:

- Working with classified documents
- Working in a high-security area or department
- Working in a department with rigorous discovery and compliance requirements
- Temporary or probationary employee status.

Appendix B: Eligible Devices and Platforms

The following device and platform types are eligible for the BYOD program (see Table 1). These choices are subject to change at any time. Users should check periodically for updates at [insert intranet URL]. Users will be notified if their devices are automatically detected as no longer being eligible.

[Note for policy authors: See "Use Managed Diversity to Support Endpoint Devices" as a framework to develop this appendix.]

Table 1. Eligible Devices and Platforms

         | Android | iOS | Symbian | Windows | RIM
Platform |         |     |         |         |
Device   |         |     |         |         |
Software |         |     |         |         |

Appendix C: Security Criteria for Personally Owned Mobile Devices

All personally owned mobile devices connecting to the network or accessing organization information must meet the following security criteria:

- All [Organization name] users must select strong passwords and change passwords in accordance with the [Organization name] password management policy.
- All personal mobile devices must be configured with a minimum password length of eight characters.
- All personal mobile computing devices must be protected by boot passwords as well as by disabling the boot options from alternate media (including, but not limited to, USB flash drive, CD or floppy).
- All personal mobile devices must be secured with a password-protected screen saver when left unattended, and must be configured to automatically lock after a predefined period of inactivity.
- The [Organization name] MDM tool [Tool name] must be installed on the device.

Appendix D: Stipends for Eligible Employees

Stipends can be for device purchase or for services, or for both. [Organization name] does/does not provide stipends for device purchase.

[Note for policy authors: Define payment process and taxation requirements here, or reference a related policy document.]
Through the payroll function, [Organization name] may issue monthly stipends to employees to cover service costs for voice, data or a combination. Such stipends will be listed as "mobile service allowance." Management will determine the stipend amounts to be granted according to the user category to which the employee belongs.

Employees who receive stipends are expected to pay any received bills in a timely fashion according to the mobile operator's terms and conditions. The enterprise will not act on the employee's behalf to cover any charges issued by the mobile operator to cover any violation of terms. Employees are responsible for any charges exceeding the monthly stipend for service charges. Employees may retain any amount of the stipend in excess of actual charges to apply to future overages. The enterprise may adjust the stipend amount provided to employees at any time and for any reason.

Unusual charges for business may be submitted for expense reimbursement at the discretion of the supervisor. Examples include those for valid international travel or excessive use during any one charge period.

Appendix E: Reimbursable Software and Services

The following mobile applications and services are reimbursable; follow your department's appropriate reimbursement policies:

[Note for policy authors: These are only examples. You should modify this list to include appropriate applications.]

- Navigation Package
- Docs to Go
- MindMap