How to Build a BYOD Policy Part I: Defining Enterprise Mobility Needs


By David Abbou - Nov-25-2014

Freedom in the enterprise: It’s the way of the future, and it is here to stay. But freedom without structure equals chaos. For most organizations, adapting to the BYOD world and finding this balance has proven to be a work in progress, and for some the road has been a rocky one.

A recent study by research firm Ovum found that 62 percent of employees who bring their own devices do so with no policy in place. Despite that, employees are going ahead with BYOD – with or without their company’s approval. It’s time to accept and embrace BYOD for what it is – the future. But to make BYOD work for your organization, you need a well-researched and clearly defined policy that is tailored to who needs access to corporate data, what apps and programs they need to be productive, which devices and operating systems (OSs) will need support, and how to best secure this data in a scalable and sustainable way, not just for the short term but well into the future. Asking the right questions will help you define the requirements for successful enterprise mobility and how to keep it secure.

It’s important not to forget that implementing BYOD in your organization is meant to enhance your business in ways that greatly exceed the security adjustments needed to realize this vision. Effective BYOD is not a one-size-fits-all solution for every organization or industry, so it’s vital at the very beginning to obtain valuable and actionable feedback from your security team as well as management and staff at different levels who are the BYOD end-users. That way you can create policies that are driven by their needs and your organization’s strategic objectives, while aligning with regulatory and compliance requirements.

Here’s an overview of the steps you should take to create a BYOD policy. Covering these bases will help your company strike the balance between BYOD freedom and security.

Step 1: Define your BYOD Policy Team
Which personnel (i.e. IT, HR, Finance, etc.) can form your policy team and be channels to obtain accurate feedback on the BYOD needs of your employees?
Example: Have Communications prepare a survey and distribute it via your BYOD policy team to gather feedback.
Step 2: Define your BYOD Objectives
What tasks do your employees need to perform by using BYOD?
For example:

  • Email (compose, respond, open and send attachments)
  • Create and share documents
  • Use corporate apps (e.g. CRM, ERP, databases)
  • Use consumer and business apps from the Apple and Google stores with corporate data?
What are the main strategic benefits you expect to see from your BYOD program? For example:

  • Efficiency:
    • Save costs on hardware or software?
    • Save time and IT resources on addressing device security issues and threats?
  • Productivity:
    • Better collaboration and workflow?
    • Quicker response times?
  • Flexibility: Anytime, Anywhere access
Step 3: Define BYOD apps and data
What data must employees access to achieve the BYOD objectives? Engage departments and business units to define the functions and roles that need to access corporate information on mobile devices.
What data in your company is highly proprietary or sensitive? Separate data into categories of sensitivity. Example:

  • High: CRM
  • Medium: Emails
  • Low: Contact list, Calendar
Which apps are most in demand by employees in your organization, and why? List apps by department or function. Example:

  • Sales – CRM to generate quote documents
  • Admin – Time tracking, expense reporting apps, etc.
What are the UX requirements that work best for your employees?

  • Native touch interface
  • Works with HTML
Step 4: Define the BYOD Users
Who in your organization needs to access work email and business apps away from the office? List the departments and functions that apply.
Which employees require special permission for mobile access to information that is highly sensitive (proprietary/confidential)?
Example: CFO – financial data
Which employees require mobile access to lower levels of data sensitivity?
Example: Customer service reps – access to email and calendar.
Step 5: Identify Security Threats and Vulnerabilities
Which mobile devices and OSs are being used by your defined BYOD users? Example:

  • 60% use iPhone 4s – iPhone 6
  • 95% of iPhone users use iOS 8
  • 20% use Samsung Galaxy 4 and up
  • 20% use other Android phones (e.g. Nexus, LG)
  • 10% use iPads (all versions)
Which types of OSs and devices cannot be supported for BYOD by IT, and why? Example:

  • Android devices running version 2.2 or lower (unsecured and incompatible with the majority of apps)
  • Devices with a screen size of 3 inches or smaller (apps are unable to run smoothly on screens this small)
Which device vulnerabilities must be excluded from your BYOD program?
Example: Jailbroken or rooted devices

Once you’ve gathered all of the information and determined your BYOD policy, congratulate your team! This is the first major step towards a successful BYOD program. The next step is implementation of your BYOD policy. In Part II of this series, we’ll break down the different considerations you should weigh in determining the security approach that will best fit your organization. Stay tuned!