
Publication Summary

Title: BYOD Policy
Author(s): Alessandro Cardinali
Issued by: CEO
Version doc.: 0.1
Review freq.: Yearly
Date of issue: December 11, 2023
Owner: Alessandro Cardinali
Document status: Draft – Final Draft – Final
Approval Date: n/a
Classification: Internal

Change Log

Version   Date                Author   Comments
0.1       December 11, 2023            First draft document
1.0       December 20, 2023

Contents

1 Introduction
2 BYOD policy
2.1 General
2.2 Assessment for BYOD
2.3 Technical approaches to BYOD
2.4 Policy monitoring and audit

Tables

Table 1: BYOD guidance

Introduction

Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful, the number of tasks that can be achieved away from the office grows.

Mobile devices include items such as:

  • Laptops

  • Notebooks

  • Tablet devices

  • Smartphones

  • Smart watches

The low cost and general availability of such devices has fuelled the desire amongst employees and other stakeholders to use their own devices for business use. This is commonly referred to as “Bring Your Own Device” (BYOD). In some cases, this can provide increased flexibility and remove the need for the employee to carry more than one device on a regular basis.

However, the concept of allowing an employee to make use of their own device(s) for business purposes may result in the need for such devices to be subject to additional controls over and above those typically in place for a consumer device.

The purpose of this policy is to set out the controls that must be in place when an employee uses their own mobile device for work tasks. It is intended to mitigate the following risks:

  • Loss or theft of personal mobile devices, including the corporate data on them

  • Compromise of classified information through observation by the public

  • Introduction of viruses and malware to the network

  • Loss of reputation

It is important that the controls set out in this policy are always observed in the use of personal mobile devices.

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

BYOD policy

General

It is a joint decision between the organization and the owner of the device concerning whether any particular device will be used for business purposes. Such use is not compulsory, and the employee has the right to decide whether the additional controls placed on the device by the organization are acceptable and therefore whether they choose to use the device for business purposes.

Common issues and security challenges with BYOD may include:

  • Use of the device by other family members

  • Default storage of data in cloud backup facilities

  • Increased exposure to potential loss in social situations e.g. on the beach, in a bar

  • Potential access to websites that do not meet the organization’s acceptable use policy

  • Connection to insecure networks e.g. unsecured wireless hotspots

  • Anti-virus protection and how often the device is patched

  • Installation of potentially malicious apps onto the device (often without the user being aware that they are malicious)

These issues must be considered when assessing the suitability of any given device to hold specific data belonging to the organization.

It is important that the controls set out in this policy are always observed in the use and transport of BYOD mobile devices. Individuals must not use their own devices to hold and process company information unless they have submitted a request to do so, and that request has been formally approved.

Assessment for BYOD

It is Soon Technologies B.V.’s policy to assess each BYOD request on an individual basis in order to establish:

  • The identity of the person making the request

  • The business reason for the request

  • The data that will be held or processed on the device

  • The specific device that will be used

Requests must be submitted to the [IT Support Desk].

The general principle of this policy is that the degree of control exercised by the organization over the BYOD device will be appropriate to the sensitivity of the data held on it. The information classification scheme in use within Soon Technologies B.V. is described in the document Information Classification Procedure.

Guidance to be used in the decision regarding who should have access to what information on which device is summarised in Table 1 below.

[Please note that the guidance in the following table is an example only and is included to illustrate the kinds of decisions you will need to make in defining your own specific BYOD policy].

Level 0 - Public
  Examples: Product catalogues, pricing information, company location addresses and contact numbers
  Who may have access via BYOD: Anyone
  Types of BYOD devices: Any
  Required controls: None
  Comments: This information is generally available to the public and accessed via publicly accessible means, such as a website

Level 1 - Protected
  Examples: Internal procedures, product details, internal company communications e.g. non-restricted or confidential email
  Who may have access via BYOD: Employees and other approved stakeholders
  Types of BYOD devices: Laptops, tablets, smartphones
  Required controls: Device password protection; inactive lock; remote wipe; multi-factor authentication; periodic audits
  Comments: This area is the most likely use of BYOD within the organization

Level 2 - Restricted
  Examples: HR information, bank details, personal information covered by data protection legislation
  Who may have access via BYOD: Restricted groups of employees
  Types of BYOD devices: Laptops only
  Required controls (in addition to Level 1 controls): Full disk encryption; VPN; automated patching; anti-virus; firewall; regular audits
  Comments: This information must only be accessed via devices with strict security controls. This may practically preclude the use of a BYOD device depending on the circumstances

Level 3 - Confidential
  Examples: Company resourcing plans, commercial proposals, unpublished financial information
  Who may have access via BYOD: No-one
  Types of BYOD devices: None
  Required controls: Not applicable
  Comments: This information must only be accessed via organization-provided devices with strict security controls

Table 1: BYOD guidance

Technical approaches to BYOD

Depending on the specific circumstances, including the type of device and the classification of the information involved, a number of alternative approaches to providing access to corporate systems and data from a personal device may be considered. These include:

  • The provision of a corporately owned and managed mobile device with restricted personal use allowed (although this is not strictly BYOD)

  • Use of a separately defined corporate workspace on the personally owned mobile device, which is managed using the organization’s MDM service

  • Use of container applications, which isolate corporate data from other applications on the personally owned device

  • A dual boot approach which effectively provides a separate corporate computer image to the user

  • Thin client access to corporate applications provided from a server or remote desktop

  • Basic access to corporate systems from within a browser on the personal device

The most appropriate approach will be selected as part of the initial assessment of the BYOD request.

Policy monitoring and audit

In order to ensure its data is adequately protected, it is important for Soon Technologies B.V. to be able to monitor and audit the level of compliance with this policy. The level of monitoring and audit will be appropriate to the classification of the information held on the device.

The methods and timing of monitoring and audit will be such that the device owner’s privacy is not invaded and must be in line with applicable privacy legislation. In general, monitoring of usage outside of business hours will be avoided.

In the event of the device being lost or stolen, the owner must inform the [IT Support Desk] as soon as possible, giving details of the circumstances of the loss and the sensitivity of the business information stored on it. Soon Technologies B.V. reserves the right to remotely wipe the device where possible as a security precaution. Depending on the implementation approach used, this may involve the deletion of non-business data belonging to the device owner.

Upon leaving the organization, the device owner must allow the device to be audited and all business-related data and applications removed.