Search the internet and you’ll find plenty of templates for writing a BYOD policy. This kind of abundant advice, while helpful for comparison, can lead just as quickly to confusion and conflict about what you really need in your BYOD policy — and what you can leave out. To boil it all down to the essentials, here’s our take on the five pieces every policy needs to have.
1. Terms, Definitions and Scope
One piece missing from most internet templates is a simple set of terms and definitions. When you’re cresting the buzzword wave, even terms like “BYOD” and “mobile device” are open to interpretation. Take a paragraph or two at the top and explain exactly what you mean so that everyone starts off with the same context. For example, if you use the term BYOD (or CYOD), define it in terms of which devices are covered, along with who pays for, picks out, and controls them (since these are often different).
With terms laid out, you should also include scope: exactly who is covered by this policy. If you want to use a term like “employee” or “staff,” make sure that’s defined in the terms and definitions. With heavy long-term use of consultants, contractors, partners and outsourcers in many organizations, the scope of the policy is critical to lay out early on. As you’re defining scope, you’ll also want to define eligibility: who is allowed to participate in this policy, and who is excluded.
2. Supported Devices and Support Strategy
You don’t want your policy to be too “device specific,” but you also don’t want to be in a situation where it’s not clear which types of devices you’re willing to support and which you’re not. Make a short list of types of devices, and make it clear what level of support you’re going to provide for those devices.
For example, if you’re including Android smartphones in your list of supported devices, you can say something like, “Android devices running current versions of the operating system with minimum hardware specifications will be enrolled and supported. See IT department Intranet for the current list.” This will clarify specifically which devices are and are not included under the plan and eliminate any confusion.
3. The Money Question
A concise, specific statement of who is paying for the device and who is paying for monthly service should be in there, even if you don’t intend to pay for anything. Or, if you have some cases where you do pay and some where you don’t, or different limits for different types of users, make that very clear. Nothing good ever comes from financial ambiguity.
4. Participant Responsibilities
The main consumer of a BYOD policy is going to be the device user, so you want to make it abundantly clear what the user responsibilities are. The list can get long, but keep it laid out as easily digestible chunks. Start with the acceptable use policy (AUP) and data protection policy, including using the device safely, even if these are just inherited from company-wide AUP and protection policies. Make sure participants know how issues such as backups and support are going to be handled. And be clear on what they need to do in case of loss or theft of the device, including timeframes.
The responsibilities should also include at least some discussion of what happens if the participant fails to comply. In some companies, this is covered elsewhere — in which case it should be clear where the participant can find out what the consequences are.
Many organizations like to get an explicit signoff on the BYOD policy when the user’s device is enrolled into the program. If this is your approach, then matching up BYOD responsibilities, potential consequences of violating these responsibilities, and an explicitly signed agreement all in one document is an excellent idea that makes very clear how seriously you’re taking BYOD security.
5. The Caveats
You don’t want your BYOD policy to turn into pages of unreadable legalese, but you do want to make clear disclaimers for issues such as privacy, security settings and MDM, and what’s going to happen when the device is disenrolled (such as when someone leaves the company).
When it comes to these issues, it pays to be open about the potential consequences for BYOD users. A statement like the following will cover most companies and environments pretty well: “We don’t spy on you routinely, but we do collect a lot of information as part of our normal system management, and if we need to, we can get a pretty good picture of how you’re using your smartphone, even if it is outside the scope of your employment.” If you treat user privacy more seriously (such as by destroying or anonymizing logs), that’s great, but make sure that users know how much information they’re sharing with you as part of participating in a BYOD program.
Your BYOD policy should be short and to the point, making it clear what the policy covers and what users should expect. Get these five key pieces into your policy, and you’ll have a solid one that will help make your BYOD program successful.