
BYOD Policy

Implementation Guidance
(This section must be removed from the final version of the document)
Purpose of this document
This document describes how information security will be managed within and
outside the company whenever employees use their own digital devices to
accomplish Company-related work.
Areas of the standard addressed
The following areas of the ISO standard are addressed by this document:
Annex A
A.6. Organization of Information Security
A.6.1 Internal organization
A.6.2 Mobile devices and teleworking
General Guidance
This document provides rules on aspects and areas that should be considered for
managing information security within and outside iFour Consultancy.
Review Frequency
We would recommend that this document is reviewed quarterly and upon
significant change to iFour Consultancy.
Version Number
V.1.0 Draft
Disclaimer
Please Note: This document is intended only for iFour Consultancy use and if
used for any other purpose, a responsible person should be contacted
immediately within iFour Consultancy.

V 1.0 Draft


Bring Your Own Device Policy

Document Name: Bring Your Own Device Policy
Document Authors: iFour Audit Team
Document owner: Bharat Parmar (Director iFour Consultancy)
Security classification: Public available
Responsible person: HR, iFour Consultancy
Date: 5th May 2014

Version no.: V 1.0

Revision History
Version   Date       Change by   Summary of Changes
V 1.0     5/5/2014
V1.1      6/5/2014

Document Review
Date of next scheduled review: 1/11/2014

Distribution
Name                 Title      Date
Bharat Parmar (HR)   Director   5/5/2014

Approval
Name            Position   Signature
Bharat Parmar   Director

Table of Contents
1. Introduction
   1.1 Risks addressed
   1.2 Scope
   1.3 Related Documents
   1.4 Purpose
2. Policy detail
   2.1 Applicability
   2.2 Background
   2.3 Detailed policy requirements
3. Responsibilities of the management
4. Related policies, standards, procedures and guidelines

1. Introduction
Employees who prefer to use their personally-owned IT equipment for work purposes must be explicitly authorized to do so, but care must be taken to secure corporate data to the same extent as on corporate IT equipment, and the personal devices must not introduce unacceptable risks (such as malware) onto the corporate networks because their owners have failed to secure them.

1.1 Risks Addressed


Bring Your Own Device (BYOD) is associated with a number of information security
risks such as:
1) Loss, disclosure or corruption of corporate data on Personally Owned Devices
(PODs)
2) Incidents involving threats to, or compromise of, the corporate ICT infrastructure
and other information assets (e.g. malware infection or hacking)
3) Noncompliance with applicable laws, regulations and obligations (e.g. privacy or
piracy)
4) Intellectual property rights for corporate information created, stored,
processed or communicated on PODs in the course of work for the organization.
5) Costs associated with the services. Users might pay for devices, but who's going
to pay for the voice and data plans? There are a couple of ways you can handle
cost-sharing, but it's important to pick one and get users to agree to it.
6) Tech support headaches. Where IT controls end, tech support headache begins.
Levels of help desk support for BYOD devices must be determined and
communicated to end users.
7) Productivity and bandwidth drains. Social media, gaming, video and other sites
and apps can consume end user time as well as network resources.

1.2 Scope
This policy applies to all systems, people and processes that constitute the
organization's information systems, including board members, directors, employees,
suppliers and other third parties who have access to iFour Consultancy's systems.

1.3 Related Documents

The following policies and procedures are relevant to this document:

ISMS12002   Mobile Computing Policy
ISMS12003   Teleworking Policy
ISMS15001   Access Control Policy
ISMS15002   User Access Management Policy
ISMS15003   Procedure for Remote Supplier Access to Systems
ISMS15004   Procedure for the Reset of User Passwords
ISMS16001   Cryptographic Policy

1.4 Purpose
The purpose of this policy is to set out the controls that must be in place when using
mobile devices that are not owned or provided by the organization. It is intended to
mitigate the following risks:

1) Loss or theft of mobile devices, including the data on them
2) Compromise of classified information through observation by the public
3) Introduction of viruses and malware to the network
4) Loss of reputation

It is important that the controls set out in this policy are observed at all times in
the use and transport of BYOD mobile devices. It is a joint decision between the
organization and the owner of the device concerning whether any particular
device will be used for business purposes. Such use is not compulsory and the
employee has the right to decide whether the additional controls placed on the
device by the organization are acceptable and therefore whether they choose to
use the device for business purposes.

2. Policy detail
2.1 Applicability
This policy forms part of the corporate governance framework. It is particularly
relevant to employees who wish to use PODs for work purposes. This policy also
applies to third parties acting in a similar capacity to our employees whether they
are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound
(e.g. by generally held standards of ethics and acceptable behavior) to comply with
our information security policies.

2.2 Background
In contrast to Information and Communications Technology (ICT) devices owned by
the organization, PODs are ICT devices owned by employees or by third parties
(such as clients, consultancies and maintenance contractors). Authorized
employees and third parties may wish to use their PODs for work purposes, for
example making and receiving work phone calls and text messages on their own
personal cellphones, using their own tablet computers to access, read and respond
to work emails, or working in a home-office.
Due to management's concerns about information security risks associated with BYOD, individuals who wish to opt-in to BYOD must be authorized by management and must explicitly accept the requirements laid out in this policy beforehand. Management reserves the right not to authorize individuals, or to withdraw the authorization, if they deem BYOD not to be appropriate and in the best interests of the organization.
The organization will continue to provide its choice of fully owned and managed ICT devices as necessary for work purposes, so there is no compulsion for anyone to opt-in to BYOD if they choose not to participate in the scheme.

Policy axioms (guiding principles)

1) The organization and the owners and users of PODs share responsibilities for information security.
2) Nothing in this policy affects the organization's ownership of corporate information, including all work-related intellectual property created in the course of work on PODs.

2.3 Detailed policy requirements

1) Use Mobile Device Management (MDM) software as recommended by IT: Corporate data can only be created, processed, stored and communicated on personal devices running the organization's chosen Mobile Device Management (MDM) client software. Devices not running MDM (including devices that cannot run MDM, those on which the owners decline to allow IT to install MDM with the rights and privileges it needs to operate correctly, and those on which MDM is disabled or deleted after installation) may connect to designated guest networks providing Internet connections, but will not be granted access to the corporate LAN. They must not be used to create, modify, store or communicate corporate data.
2) Use Appropriate Device Authentication: PODs must use appropriate forms of device authentication approved by Information Security, such as digital certificates created for each specific device. Digital certificates must not be copied to or transferred between PODs.
3) Control application access and permissions: BYOD users must use appropriate forms of user authentication approved by Information Security, such as user IDs, passwords and authentication devices.
4) The following classes or types of corporate data are not suitable for BYOD and are not permitted on PODs:
   a) Anything classified SECRET;
   b) Other currently unclassified but highly valuable or sensitive corporate information which is likely to be classified as SECRET;
   c) Large quantities of corporate data (i.e. greater than 1 GB in aggregate on any one POD or storage device).
5) Organization Control: The organization has the right to control its information. This includes the right to back up, retrieve, modify, determine access to and/or delete corporate data without reference to the owner or user of the POD.
6) Forensic Examination: The organization has the right to seize and forensically examine any POD believed to contain corporate data where necessary for investigatory or control purposes.
7) Run mobile antivirus software or scanning tools: Suitable antivirus software must be properly installed and running on all PODs.
8) Back up device data: POD users must ensure that valuable corporate data created or modified on PODs are backed up regularly, preferably by connecting to the corporate network and synchronizing the data between the POD and a network drive, otherwise on removable media stored securely.
9) Corporate data should be encrypted: Any POD used to access, store or process sensitive information must encrypt data transferred over the network (e.g. using SSL or a VPN) and while stored on the POD or on separate storage media (e.g. using TrueCrypt), whatever storage technology is used (e.g. hard disk, solid-state disk, CD/DVD, USB/flash memory stick, floppy disk etc.).
10) Limited Tech Support: Since the IT Help/Service Desk does not have the resources or expertise to support all possible devices and software, PODs used for BYOD will receive limited support on a best endeavors basis for business purposes only.
11) Business data and personal data must be kept separate: While employees have a reasonable expectation of privacy over their personal information on their own equipment, the organization's right to control its data and manage PODs may result in support personnel unintentionally gaining access to their personal information. To reduce the possibility of such disclosure, POD users are advised to keep their personal data separate from business data on the POD in separate directories, clearly named (e.g. Private and BYOD).
12) Maintain Individual Privacy: Take care not to infringe other people's privacy rights; for example, do not use PODs to make audio-visual recordings at work.
13) Actions Against Non-Compliance: The employees/owners of PODs shall be responsible in case of loss of the PODs and are subject to appropriate compensation for that loss of the company's data. Hence the employees shall ensure that the Company's data stored is secured (encryption, passwords, etc.) so as to keep it protected from being misused. The Company reserves the right to take action against such non-compliance.
14) Maintain PODs' Security: If agreed upon, the POD owners must maintain PODs and take necessary precautions so as to keep the PODs secure.
15) Jailbroken and rooted devices are not allowed: Most, if not all, mobile security suites consider jailbroken and rooted devices to be security compromised. These compromised devices are exposed to security vulnerabilities, malware, viruses, and hacks that secured devices are not.
16) Devices must be regularly updated with the latest OS and patches: To stay ahead of malware, users have to keep their devices updated to the latest operating systems. This updating includes minor updates that may fix security vulnerabilities between major revisions. You can enforce update policies and push updates from some mobile security management suites to ensure that users' devices maintain the highest available patch levels.
17) Require periodic re-authentication: Periodic re-authentication assures that the user is genuine. Unlimited access without re-authentication is a security vulnerability for any device that might be stolen or compromised during authenticated use. Management suites can enforce re-authentication after a set time period.
18) Prevent offline access: If you require a very high level of security for particular documents or applications, prevent any offline access to them. Do not allow documents or data to be downloaded or cached on the local device. Only allow access to sensitive information while connected to the corporate network.
19) Beware of free apps: Many free applications have been found to track users and share user information with advertisers or other third parties. Enterprise users should review app permissions prior to downloading and download only from trusted publishers. IT and security teams can assist employees by providing lists of applications that are approved for download.
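Several of the requirements above (1, 2, 4, 7, 9, 15 and 16) are verifiable from an MDM inventory export, which makes them candidates for an automated posture check rather than a manual review. The following Python script is an added illustration of that idea; it is not part of this policy and not iFour Consultancy's tooling. The device record fields (mdm_running, device_certificate, corporate_data_bytes and so on) and the sample inventory are constructed for the example and do not follow any vendor's schema. The fleet-level check that no certificate is present on more than one device goes beyond a per-device check, since requirement 2 forbids copying certificates between PODs and that can only be detected across the fleet.

```python
"""Policy-as-code posture check for BYOD devices (constructed example).

Each DeviceRecord stands in for one row of an MDM inventory export. The field
names are assumptions made for this example, not any product's real schema.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Limits taken from requirement 4 of the policy.
MAX_CORPORATE_DATA_BYTES = 1024 ** 3          # more than 1 GB in aggregate is prohibited
PROHIBITED_CLASSIFICATIONS = {"SECRET"}       # SECRET data is never permitted on a POD


@dataclass
class DeviceRecord:
    device_id: str
    owner: str
    mdm_running: bool                  # req 1: organization's MDM client installed and active
    device_certificate: Optional[str]  # req 2: per-device certificate id (None if not issued)
    antivirus_running: bool            # req 7
    storage_encrypted: bool            # req 9
    jailbroken_or_rooted: bool         # req 15
    os_patched: bool                   # req 16: at the latest available patch level
    corporate_data_bytes: int          # req 4: aggregate corporate data held on the POD
    data_classifications: Set[str] = field(default_factory=set)  # req 4


@dataclass
class PostureResult:
    device_id: str
    network: str                       # "corporate" (LAN) or "guest" (Internet only)
    corporate_data_allowed: bool
    violations: List[str] = field(default_factory=list)


def check_device(dev: DeviceRecord) -> List[str]:
    """Return the policy requirements that this single device violates."""
    violations = []
    if not dev.mdm_running:
        violations.append("req1: MDM client not running")
    if dev.device_certificate is None:
        violations.append("req2: no device certificate issued")
    if dev.data_classifications & PROHIBITED_CLASSIFICATIONS:
        violations.append("req4: SECRET data present on POD")
    if dev.corporate_data_bytes > MAX_CORPORATE_DATA_BYTES:
        violations.append("req4: more than 1 GB of corporate data on POD")
    if not dev.antivirus_running:
        violations.append("req7: antivirus not running")
    if not dev.storage_encrypted:
        violations.append("req9: storage not encrypted")
    if dev.jailbroken_or_rooted:
        violations.append("req15: device is jailbroken/rooted")
    if not dev.os_patched:
        violations.append("req16: OS not at latest patch level")
    return violations


def evaluate_fleet(devices: List[DeviceRecord]) -> Dict[str, PostureResult]:
    """Evaluate every device and add the fleet-level check that no certificate
    appears on more than one POD (requirement 2 forbids copying certificates)."""
    cert_counts = Counter(d.device_certificate for d in devices if d.device_certificate)
    results: Dict[str, PostureResult] = {}
    for dev in devices:
        violations = check_device(dev)
        if dev.device_certificate and cert_counts[dev.device_certificate] > 1:
            violations.append("req2: device certificate shared with another POD")
        # Requirement 1: a device without MDM gets guest Internet only and may hold
        # no corporate data. Any other violation is treated the same way until fixed.
        compliant = not violations
        results[dev.device_id] = PostureResult(
            device_id=dev.device_id,
            network="corporate" if compliant else "guest",
            corporate_data_allowed=compliant,
            violations=violations,
        )
    return results


# Constructed sample inventory (not real devices or people).
SAMPLE_FLEET = [
    DeviceRecord("pod-001", "alice", True, "cert-A1", True, True, False, True, 200 * 1024 ** 2, {"INTERNAL"}),
    DeviceRecord("pod-002", "bob", False, None, True, False, False, False, 2 * 1024 ** 3, {"INTERNAL", "SECRET"}),
    DeviceRecord("pod-003", "carol", True, "cert-C3", True, True, True, True, 50 * 1024 ** 2, set()),
    DeviceRecord("pod-004", "dave", True, "cert-C3", True, True, False, True, 10 * 1024 ** 2, {"INTERNAL"}),
]

if __name__ == "__main__":
    for res in evaluate_fleet(SAMPLE_FLEET).values():
        status = "OK" if not res.violations else "NON-COMPLIANT"
        print(f"{res.device_id}: {status} network={res.network} data_allowed={res.corporate_data_allowed}")
        for v in res.violations:
            print("   -", v)
```

In this constructed fleet pod-001 is fully compliant, pod-002 fails six checks and is confined to the guest network, and pod-003 and pod-004 both fail only because they present the same certificate, which a per-device check would never notice. Requirements such as 6, 10 or 12 are organizational and are deliberately not modelled.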

3. Responsibilities of the management

1) Information Security Management is responsible for maintaining this policy and advising generally on information security controls. It is responsible for issuing digital certificates to authenticate authorized PODs, and for monitoring network security for unauthorized access, inappropriate network traffic etc. Working in conjunction with other corporate functions, it is also responsible for running educational activities to raise awareness and understanding of the obligations identified in this policy.
2) The IT Department is responsible for managing the security of corporate data and configuring security on authorized PODs using MDM. IT is also explicitly responsible for ensuring the security of the MDM software and related procedures in order to minimize the risk of hackers exploiting MDM to access mobile devices.
3) The IT Help/Service Desk is responsible for providing limited support for PODs used for BYOD on a best endeavors basis for work-related issues only. Information security incidents affecting PODs used for BYOD should be reported promptly to the IT Help/Service Desk in the normal way.
4) All relevant employees are responsible for complying with this and other corporate policies at all times.
5) Internal Audit is authorized to assess compliance with this and other corporate policies at any time.

4. Related policies, standards, procedures and guidelines

Item: Information security policy manual
Relevance: Defines the overarching set of information security controls reflecting ISO/IEC 27002, the international standard code of practice for information security management.

Item: Mobile/portable computing policy
Relevance: Specifies a number of information security controls applicable to the use of mobile and portable devices.

Item: Information Asset Ownership policy
Relevance: Information Asset Owners are responsible for classifying their assets and may determine whether BYOD is or is not appropriate for them.

Item: Human Resources policies, procedures, code of conduct etc.
Relevance: Explain standards of behavior expected of employees, and disciplinary processes if the rules are broken.

Item: BYOD guidelines and briefings
Relevance: Further security awareness materials are available on this topic.