Incident Response Sample Policy(BYOD)

Some major sections under BYOD Policy can be as:

Acceptable Use Policy

Define activities acceptable on the Device eg.Reading,Surfing web.
Unacceptable browsing vulnerable sites
Define activities acceptable during office hours of work.
Any recreation can be unacceptable, relaxations must be specified
Block/Blacklist websites that cannot be accessed
Blocking should be automated and specified
The website must be specified as(not limited to though):
Website1,Website2...
Media capture capabilities eg.camera/video must be limited and specified
Not permitted within sensitive zones of company data displays
Device must at any time not be used for any storage,transfer,illegal activities of company data of any kind
Acceptable list of applications
Specify the whitelisted list
Specify the blacklisted list
Devices may use particular protocol to access any company resource
Specify protocol and steps
Any violations must be blocked automatically

Supported Devices

IT Staff & Support Provided

Device hardening is mandatory before connecting to company network/other resourse
Support for any connectivity issues will be handled by IT staff
No third party can make changes to device without prior permission from IT staff
IT Staff shall provide all company acceptable business productivity apps or resources on device

Costs & Reimbursements

On loss of device/damage, the company is not liable of reimbursements.
If company will reimburse, the amount or percentage of cost to be paid
Device data plans or allowances the company may want to pay
Roles of employee to avail this facility
Reimbursements are not available for following:
Specify list eg. Loss of device, Personal calls, Roaming etc.

Security Controls

Mandate password protection of device and autolock
Mandate strong password policy for access to Company Data and lock under any misuse
Specify password details eg. 12character password with atleast 2 numbers and 1 special character
Jailbroken or Rooted devices are banned
Specify full list for acceptable OS
Prohibition of any resource(apps) including downloads/installation for blacklisted resources
Should be automated
Personal use only devices may never be connected to company networks
Monitor and allow only devices that help business grow
Identify the device and access to company data should be role based
Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances
Employee must be specified deadline to report loss of mishandling of device eg. 24hours

Ownerships/Liability

Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances
Loss/damage of device must be reported within short notice eg. 24hours
Device damage and reporting to bank or service provider authorities is responsibility of employee
Any device not following user acceptable policy may be disconnected from company networks
Company at any time reserves rights to allow/disallow devices connecting
Company also reserves rights to ban the policy under any requirements

Disclaimers

Device owner remains liable of all the data (personal/company) and its loss or misuse

Policy Framework & Basics-

Reference

1.Incident Response by Leighton R. Johnson

What are the critical areas incorporated in your BYOD Incident Response Policy? Share your thoughts in comments below

All Articles