
Gartner for IT Leaders Tool [Organization Name] Mobile Device Policy and Procedures for Personally Owned Devices: BYOD Program

Tool
[Organization Name] Mobile Device Policy and Procedures for Personally Owned Devices: BYOD Program
June 2012

Unless otherwise marked for external use, the items in this Gartner Toolkit are for internal noncommercial use by the licensed Gartner client. The materials contained in this Toolkit may not be repackaged or resold. Gartner makes no representations or warranties as to the suitability of this Toolkit for any particular purpose, and disclaims all liabilities for any damages, whether direct, consequential, incidental or special, arising out of the use of or inability to use this material or the information provided herein. The instructions, intent and objective of this template are contained in the source document. Please refer back to that document for details.

TABLE OF CONTENTS

About This Template
Policy Background and Context
Definitions
Smartphone
Media Tablet
Mobile Device
Mobile Applications
Scope
User Roles and Responsibilities
User Responsibilities
Condition
Loss or Theft
Applications and Downloads
Backup and File Sharing or Synchronization
Functionality and Feature Management
User Safety
Data and System Security
Penalties
Support for BYOD
Reimbursement Guidelines
Organization Discounts
Technical Support Processes
How to Get Support
Warranty and Replacement Responsibility
Miscellaneous
Termination of Employment
Exceptions
E-Discovery
Related and Other Documents
User Agreement
Appendix A: Guidelines for Eligibility
Appendix B: Eligible Devices and Platforms
Appendix C: Security Criteria for Personally Owned Mobile Devices
Appendix D: Stipends for Eligible Employees
Appendix E: Reimbursable Software and Services

LIST OF TABLES

Table 1. Eligible Devices and Platforms
About This Template

Gartner has developed this bring your own device (BYOD) mobile device policy template for the following purposes:

To help clients navigate discussions about the wide range of policy and procedural issues related to the use of mobile devices.
To provide options for policies and procedures based on Gartner's knowledge of mobile device issues.
To provide language that can be adopted verbatim (or easily adapted) for an organization's policy documents.

Think of the policies in this template as options that you can incorporate into your organization's policy. In some sections, we have provided specific options that you can select. The policy language is crafted so that you can adopt it verbatim or modify it to your specific situation. We do not expect that all the issues covered in this policy template will apply to all organizations. Review the template document, discuss the topics and select the policies that will create the desired impacts of risk mitigation and cost control in your organization.

We also recommend the following general guidelines for policy development practices:

Engage stakeholders from the human resources, legal and/or compliance departments during the process.
Include policies that are relevant to your organization's standard operating procedures.
Do not adopt policies that your organization won't be able to enforce.
The mobile device policy template includes a User Agreement section for the end-user's signature. Once the policies are changed, the IT organization can issue the policy document to existing and new employees and other end users.
Periodically review your policy document to ensure that it is up to date with your organization's needs and related regulations.
Help your end users comply with the policy by making it easy for them to understand. Use plain, clear language. Make the document as concise as possible.
Policy Background and Context

[Note for policy authors: You can add the following text or similar content to the introduction of your policy document.]

The purpose of this policy is to define accepted practices, responsibilities and procedures for the use of personally owned mobile devices that [Organization name] authorizes to connect to enterprise systems. This policy defines the commitment requirement, provides guidance for the secure use of end-user mobile devices and provides reimbursement guidelines for all mobile endpoint devices, including mobile phones, smartphones and media tablets.

At the core of this policy is the concept that the employee, through an opt-in decision, trades control over his/her personal device in exchange for access to corporate resources (such as the network and ). It is important that the consequences and obligations of this arrangement are well-understood. Therefore, we require a signature on the last page of this policy to confirm that it has been read and comprehended. These obligations include, but are not limited to:

Employee acceptance that a personal device may be remotely wiped (i.e., erasing all data and applications) by [Organization name]
Employee understanding that he or she is solely responsible for backing up any personal content on the device
Employee agreement to keep the device updated and in good working order
Employee acknowledgment that [Organization name] will in no way be responsible for damaged, lost or stolen personal devices while the employee is performing organizational business
Employee agreement to allow IT to load manageability software on personally owned devices

Mobile devices are a valuable tool in conducting business. It is the policy of [Organization name] to protect and maintain user safety, security and privacy, while simultaneously protecting enterprise information assets while using these tools.
Use of mobile devices supplied by or funded by [Organization name] shall be primarily for enterprise business. However, [Organization name] will permit the use of personally owned devices, subject to the following broad guidelines:

The decision to be eligible to use a personally owned mobile device for organization business will be based on a documented business need and appropriate management approval. Guidelines for eligibility can be found in Appendix A.
Reimbursement of expenses incurred by qualified users will follow enterprisewide or departmental policies.

Definitions

Smartphone

A smartphone is a mobile device with screen dimensions of between 2.5 inches and 5 inches, with voice, messaging, scheduling, and Internet capabilities. Smartphones also permit access to application stores, where aftermarket software can be purchased. A smartphone is based on an open OS. The OS has a software developer kit available that allows developers to use native APIs to write applications. It can be supported by a sole vendor or multiple vendors. It can, but need not, be open source. Examples include BlackBerry OS, iOS, Symbian, Android, Windows Phone, Linux, LiMo Foundation, webOS and Bada.

Media Tablet

A tablet is an open-face wireless device with a touchscreen display and without physical keyboards. The primary use is the consumption of media; it also has messaging, scheduling, , and Internet capabilities. Diagonal screen dimensions are typically between 5 inches and 10 inches. Media tablets may have open-source OSs (such as Android) or a closed OS under the control of the OS vendor and/or device maker (such as Apple's iOS and Windows). Media tablets may or may not support an application store.

Mobile Device

This refers to any mobile phone, smartphone or media tablet.

Mobile Applications

This refers to software designed for any or all the mobile devices defined in this policy.
Scope

This policy applies to all users (e.g., employees, contractors, consultants, suppliers, customers, government, academic agencies and all personnel affiliated with third parties) worldwide who access and/or use [Organization name] IT resources from non-[organization name] issued and owned devices.

User Roles and Responsibilities

User Responsibilities

Despite individual ownership of the mobile device, the organization expects the user to assume certain responsibilities for any device that contains enterprise information or connects to enterprise resources. Users must ensure that they comply with all sections of this agreement.

Condition

Users must agree to keep up to date (as defined in Appendix B) and in good working order all devices and platforms supported by [Organization name].
Users must maintain a device compatible with the organization's published technical specifications, which will be updated at least every two years. If a device falls out of compliance, then it may be blocked from access until it is in good working order and meets minimum requirements.

Loss or Theft

Within [define time frame of number of hours or days], users must report the temporary or permanent loss of personal devices to the help desk (to allow the device to be remotely wiped over the network) before cancelling any mobile operator services.
Users must cancel any individual services for personally owned devices after the remote wipe of the device is completed.

Applications and Downloads

Users must ensure that they install application updates in accordance with [Organization name] guidelines.
Downloading applications from the platform's (e.g., Apple's, Android's) general application store is acceptable, as long as the application complies with this policy and the IT security policy and HR policies of [Organization name], and is not on the blacklist at [insert app store or intranet URL] or the app is available on the whitelist at [insert app store URL].
Users [may not charge or may only charge approved] individual application purchases to the organization's credit card.

Backup and File Sharing or Synchronization

Users are responsible for backing up all personal information on their personal hard drives or other backup systems. [Organization name] cannot be held liable for erasing user content and applications when it is deemed necessary to protect enterprise information assets or if a wipe is accidentally conducted. The procedures to do this are located at:
For iOS: [insert intranet URL]
For Android: [insert intranet URL]
For BlackBerry: [insert intranet URL]
Users must use enterprise-sanctioned network file shares for the purpose of synchronizing organization information between devices, and may not use unapproved cloud-based file synchronization services (such as [Proprietary solution name], etc.). Only [Organization name-provided solution X] may be used for this purpose.
Users may not use external accounts to synchronize the organization's information to a personal device.

Functionality and Feature Management

Cameras in mobile devices are not to be used in the organization's secured facility areas unless permission from site management is obtained beforehand.
Upon the organization's request, users must allow the installation of a mobile device management software agent, or any other software deemed necessary, on the user's device.
The device functionality must not be modified unless required or recommended by [Organization name]. The use of devices that are jailbroken, rooted or have been subjected to any other method of changing built-in protections is not permitted and constitutes a material breach of this policy.
Users must accept that, when connecting the personal mobile device to [Organization name] resources, the [Organization name]'s security policy will be enforced on the device.
The security policy implemented may include, but is not limited to, areas such as passcode, passcode timeout, passcode complexity and encryption.
Users must take appropriate precautions to prevent others from obtaining access to their mobile device(s). Users will be responsible for all transactions made with their credentials, and should not share individually assigned passwords, PINs or other credentials.
Users are responsible for bringing or sending the mobile device to the IT security department and handing over necessary device access codes when notified that the device has been selected for a physical security audit, or in the event the device is needed for e-discovery purposes.
Users may not provide access credentials to any other individual, and each device in use must be explicitly granted access after agreeing to the terms and conditions of this document.

User Safety

Users should comply with the following safety guidelines when using mobile phones while in their vehicles:

Users must comply with all country and local regulations regarding automobile safety.
It is preferable to dial while the vehicle is not moving; otherwise, use voice recognition or speed dial to minimize risk.
Never use the phone in heavy traffic or bad weather.
When driving, always use a hands-free phone, a Bluetooth headset or a corded headset when possible.
Never look up phone numbers while driving.
Never have stressful conversations while driving.
Do not program navigation applications while driving.
Keep your eyes on the road while on the phone.
Follow the local laws guiding the use of mobile phones, if such laws exist.

[Note for policy authors: Alternatively, you may use the following statement to substitute for the text in this section: Users are asked not to talk, text or otherwise communicate via a mobile device while driving.]

Data and System Security

All organization data that is stored on the device must be secured using [Organization name]-mandated physical and electronic methods at all times. Mobile device users must comply with the physical security requirements defined in [reference appropriate organization document] when equipment is at the user's workstation and when traveling. Users must take the following physical security preventative measures to protect [Organization name] data and systems.

All users shall abide by [Organization name] standard information security directives for the device at all times.
Device users must comply within [define time frame, in number of hours or days] with directives from their business units to update or upgrade system software, and must otherwise act to ensure security and system functionality.
Personally owned mobile devices connecting to the network must meet the security criteria listed in Appendix C.
Mobile devices must not be left in plain view in an unattended vehicle, even for a short period of time.
Mobile devices must not be left in a vehicle overnight.
Mobile devices must be positioned so that they (and the information contained within them) are not visible from outside a ground-floor window.
A mobile device displaying sensitive information being used in a public place (e.g., train, aircraft or coffee shop) must be positioned so that the screen cannot be viewed by others, thus protecting [Organization name] information. A tinted/polarized screen guard may be used to decrease the viewing angles of any mobile device.
Personally owned laptops and portable computing devices are prohibited from connecting to the [Organization name] network without prior approval from the IT security department.

Penalties

There are consequences for end users who do not comply with the policies detailed in this document:

[Note for policy authors: Include text that defines the following policies and procedures.
Who or which department within the organization is responsible for monitoring compliance
The organization's position on issuing warnings for most breaches of policy before penalty enforcement, including number of warnings and the procedure for documenting warnings
The organization's appeal process
Note that HR guidelines will likely have input for the proper course of action, including possible termination for the most egregious offenses.]

Support for BYOD

[Organization name] supports the following BYOD models:

[Note for policy authors: Delete the items that are not applicable.]

Users that are eligible for an organization-liable smartphone may, at their own expense, purchase another device from the list of supported devices in Appendix B and transfer their organization-liable subscription to this new device.
Users with personal preferences for a different brand or model of mobile device may purchase one at their own expense as long as it meets the requirements in Appendix A.
Eligible users can receive a monthly stipend toward cellular services (see Appendix D for amounts) provided they purchase a device from the list of supported devices in Appendix B.

Phone Number Ownership:

[Option 1 (for systems where pooled minutes require that all numbers be enterprise-owned)] Employees who wish to put their personal device on a corporate contract must realize that their personal phone numbers will become the property of [Organization name] and that the return of that number to the individual may be impossible. The organization has the discretion to port the phone number back to the employee, unless there is a prior written agreement in place.
Individuals who wish to keep their personal numbers permanently must change to an [Organization name] phone number

or

[Option 2 (requires implementation of an enterprise communications gateway)] Employees will be required to install unified communications software that will mask the employees' phone numbers behind the [Organization name] internal telephony system. When business calls are made from a personal phone, those calls will have to be directed through the [Organization name] telephony system. Personal calls can be directed through an employee's personal number.

Employees who are not eligible for an organization-funded mobile device may connect a personal device to corporate resources, as long as it meets the requirements in Appendix A and the employee has signed this policy after receiving manager approval of inclusion in the BYOD program.

Reimbursement Guidelines

Ensure that any and all expenses pertaining to downloads of applications and/or use of websites are submitted for reimbursement in accordance with all current and future [Organization name] reimbursement policies. [Organization name] will not be responsible for personal purchases.
Submit appropriate documentation to secure a reimbursement for data service up to the level specified by [Organization name] management and in accordance with [Organization name] reimbursement guidelines governing user expenses for business purposes.
If an employee wants accessories for his or her device, they may be purchased at the employee's discretion. [Organization name] does not provide accessories beyond basic chargers, hands-free kits and belt clips. The normal procurement, approval and expense reimbursement procedures should be followed.
Only software or services listed in Appendix E may be submitted for reimbursement.

Organization Discounts

[Organization name] has preferred operator agreement(s) with [Vendor name(s)].
All users should seek to source their mobile device and/or applications from the preferred supplier to benefit from any organization-negotiated discounts.

Technical Support Processes

How to Get Support

The help desk will provide support for BYOD when it comes to connectivity and back-end system operational questions only. Support for BYOD participants is limited to no more than 15 minutes of support for one incident per month [alternative: two incidents per quarter]. Support calls that exceed this limit will be billed on a time-and-materials basis to the end-user's department. [Organization name] has provided self-support tools in the form of a wiki at [insert URL] and a mail distribution list to facilitate peer support activities.

The help desk will not support device replacement, device upgrade, device operational questions or embedded software operational questions (such as questions related to the browser, system, etc.). The help desk will only provide assistance on questions related to [Organization name] back-end software and the delivery of [Organization name] content to