BYOD Policy Setting Matrix

Device Choice

User Experience and Privacy

• Analyzing employee preference and understanding which devices they have already bought
• Defining an acceptable baseline of what security and supportability features a bring-your-own-device program should support
• Understanding the operating system, hardware, and regional variances around that baseline
• Developing a light-touch certification plan for evaluation of future devices
• Establishing clear communication to users about which devices are allowed or not, and why
• Ensuring the IT team has the bandwidth to stay up-to-date
  
  

• Identifying the activities and data IT will monitor
• Clarifying the actions IT will take and under which circumstances
• Defining the BYOD privacy policy
• Critically assessing security policies and restrictions for sustainability
• Deploying core services (email, critical apps, WLAN access) to the employee
• Preserving the native experience
• Communicating compliance issues clearly to the employee

Trust Model

App Design and Governance

• Identifying and assessing risk for common security posture issues on personal devices
• Defining remediation options (notification, access control, quarantine, selective wipe)
• Setting tiered policy
• Establishing the identity of user and device
• Lending a critical eye to the sustainability of the security policy being instituted

• Designing mobile apps to match the trust level of personal devices
• Modifying app catalog availability based on device ownership
• Committing to the resource investment of building apps with personal devices in mind
• Updating app acceptable-use policies
• Defining enforcement levels for app violations (notification, access control, quarantine, or selective wipe
  
  

Liability

Economics

• Defining the elements of baseline protection for enterprise data on BYOD devices
• Assessing liability for personal web and app usage
• Assessing liability for usage onsite vs. offsite, and inside work hours vs. outside work hours
• Evaluating whether the nature of BYOD reimbursement affects liability (partial stipend vs. full payment of service costs)
• Quantifying the monitoring, enforcement and audit costs of the BYOD compliance policy
• Assessing the risk and resulting liability of accessing and damaging personal data (for example, doing a full instead of selective wipe by mistake)

• Shifting the cost of device hardware to the user and moving to a stipend model
• Controlling excess service charges through more responsible usage
• Establishing appropriate service plans, realizing some negotiating leverage might be lost
• Assessing the productivity impact of users being able to use their desired platforms
• Changing the help desk model (with BYOD, employees use the help desk as the last resort instead of a first resort)
• Reducing compliance and audit costs, if the legal assessment shows lower liability with personal devices)
• Assessing tax Implications
  
  

Sustainability

Internal Marketing

• Securing corporate data
• Minimizing the cost of implementation and enforcement
• Preserving the native user experience
• Staying up-to-date with user preferences and technology innovations
  

• Communicating why the company is moving to BYOD
• Understanding BYOD is an HR initiative as much as an IT initiative
• Defining IT's "brand"
• Supporting the brand message with appropriate action