Sample BYOD Acceptable Use Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.

This BYOD Acceptable Use Standard builds on the objectives established in the Acceptable Use Standard and provides specific instructions and requirements on the proper and appropriate business use of Company Technology Resources from a Company-supported and/or Employee-owned device.

Objectives

  1. Business Use
    1. Company Technology Resources are provided primarily for official and authorized Company business use and purposes in support of the following business goals and objectives:
      1. Support of the Company mission: In the event that the BYOD technology cannot be supported so that all Company requirements are met, the device in question will not be permitted to connect in any way to Company Technology Resources.
    2. Limited personal use of Company Technology Resources is acceptable as long as it does not interfere with normal business operations, conflict with business interests, or have an adverse impact on the reputation of the Company.
    3. The use of Company Technology Resources shall be in accordance with applicable laws and regulations.
    4. Users shall be accountable for all activity associated with their accounts.
    5. Any rules or regulations regarding device features/functionality or carrier value added services that are not explicitly listed in this policy guide should not be considered prohibited.
    6. In the event that the Company reimburses you for BYOD expenses in service plans and usage, equipment costs and software expenses, the following actions may result in disciplinary action with your supervisor and/or group manager that could result in the employee paying for mobile devices or wireless services:
      1. Not all employees are approved for the same devices or plans. Employee approved devices and plans are determined by the Senior Vice President and Chief Information Officer.
      2. Excessive fees after being warned of going over budget
      3. Excessive use of 411 or other pay per use features
      4. Unapproved replacement of devices before renewal date
      5. Unapproved replacement of accessories or purchase of non-approved accessories
  2. Improper Use
    1. Any use of Company Technology Resources must not be illegal, must not constitute or be perceived as a conflict of Company interest, must not violate Company policies, and must not interfere with normal business activities and operations.
    2. Employees are not allowed to use personal smartphones and other BYOD technology for corporate network access unless this policy and all associated Company policies are first accepted and the Company's supporting security, privacy and risk technology and processes are fully implemented.
    3. Users shall not violate any laws or regulations through the use of Company Technology Resources.
    4. Company Technology Resources shall not be used to download, transmit, or store objectionable material, images, or content.
    5. Company Technology Resources shall not be used to conduct personal or non-Company solicitations.
    6. Users must not allow others to access Technology Resources by using their accounts.
    7. The use of third-party Technology Resources such as personal Electronic Mail or File Storage accounts outside of Company-provided Technology Resources in the transmission of Company information is prohibited. Accessing third-party personal Technology Resources is only permitted while an employee is off duty and not using Company resources. The usage of Company Technology Resources is for business purposes only.
    8. Jail-breaking or rooting your personally owned device poses a risk to Company Technology Resources if it adversely impacts the intended performance of security software, data leakage controls and risk-mitigating controls implemented by the Company. Disabling the technology implemented to protect Company Technology Resources can result in disciplinary action up to and including termination of employment.
    9. In the event that the Company reimburses you for BYOD expenses in service plans and usage, equipment costs and software expenses, the following actions may result in disciplinary action with your supervisor and/or group manager that could result in you losing mobile device privileges:
      1. Excessive use of mobile services;
      2. Not following security protocols as defined by the Director, Information Security and Compliance;
      3. Not following the federal/state/city regulations related to mobile phones (e.g., no texting while driving or not using a Bluetooth earpiece);
      4. Not upgrading to standard devices and operating systems that the Company can secure and cost-effectively support.
  3. Downloaded Materials
    1. Company Technology Resources shall not be used to send, receive or store any commercial software, shareware, or freeware without the Company's prior written authorization.
    2. The content and attachments of electronic mail messages must be reviewed for malicious code and viruses in accordance with the Asset Protection Standard and the Anti-Virus Standard.
    3. The storage media used must be encrypted with strong encryption ciphers authorized by the Company's Encryption Standard, which protects any Company data that may be stored on the BYOD technology.
    4. Sensitive Company information containing Personally Identifying Information (PII), financial data including credit card information or database data and any restricted or classified information identified in the Company Asset Identification and Classification Standard.
  4. Right to Monitor
    1. All Technology Resources and data created, received, processed, transmitted, and/or stored on Company Technology Resources are Company information assets and property.
    2. The Company reserves the right to monitor and review all activities associated with using Company Technology Resources at any time by authorized Company personnel.
    3. The Company reserves the right to disclose the nature and content of any User's activities involving Company Technology Resources to law enforcement officials or other third parties without any prior notice to the User.
    4. Mobile Devices that are lost or stolen will be locked and/or wiped clean of all data.
      1. The Company takes no responsibility for the personal information you may have lost on your device(s) and encourages the employee to make frequent back-ups.
    5. When an employee leaves The Company, mobile devices owned by the user must be wiped clean of all Company data, including but not limited to: corporate directory, email, PIM, applications and stored data.
  5. Privacy Expectations
    1. Users should have no expectations of privacy when using Company Technology Resources.
    2. The Company reserves the right to monitor the location of employees’ mobile devices to restrict file/data access.
    3. Devices will require end-to-end encryption should employees be accessing corporate data from any location.
  6. Storage Capacity
    1. Users shall delete unnecessary electronic mail messages to avoid unnecessary accumulation on the Company electronic mail servers.
    2. Electronic mail messages containing business critical information should be stored on production servers to ensure proper data backup.
    3. The use of document sharing/syncing applications (e.g., Dropbox or Box.net) is not permitted.
    4. The use of native cloud syncing solutions (e.g., iCloud, SkyDrive, Google) is not permitted.
    5. The approved record retention period for electronic mail messages is governed by the Records Retention Schedule.
  7. Misuse Reporting
    1. Actual or suspected misuse of Company Technology Resources should be reported in accordance with the Misuse Reporting Standard.
    2. The following actions may result in disciplinary action with your supervisor and/or group manager that could result in the termination of your position within The Company:
      1. Not reporting a lost or stolen device that contains customer and/or employee information (i.e., most emails) to the IT department within X hours of realizing you cannot locate your device;
      2. Downloading software that is inappropriate for the workplace onto your device;
      3. Use of services/data on mobile devices in violation of corporate governance rules;
      4. Use of services/data on mobile devices in violation of 3rd party industry standards and regulations (e.g., PCI, HIPAA, etc.);
      5. Fraudulent use of devices/services.