3.3 BYOD Policy

00:01

Hello and welcome to I t Security Policy Training here on Cyber Eri.

00:05

This is a continuation of module to the B Y o d policy otherwise known as to bring your own device

00:11

and is being taught by myself. Troy Lemaire

00:15

learning objective for this training is gonna be looking at the acceptable Use the types of devices and support

00:21

reimbursement

00:23

security, and then risk liabilities and disclaimers all revolving around. Bring your own device.

00:30

Policy source for this one is from I t manager daily dot com, and you can go to the link that is on the screen, and it will give you the template that we're going to use.

00:43

So in looking at their template policy,

00:46

basically, in the beginning, it says that the company's got a grand employees the privilege of purchasing using smartphones and tablets on their two of their choosing at work for their convenience.

00:56

But the company reserves the right to revoke the privilege if users do not abide by the policies and procedures outlined bloat.

01:03

If we look at the first section which is acceptable use, so the company to finds acceptable business uses as activities that directly or indirectly support the business of the company.

01:12

Employees are blocked from accessing certain websites during work hours while connected to the corporate network at the discretion of the company.

01:21

And then, it goes, enlists types of websites that they may or may not be able to get to.

01:26

You can go in and modify this part of the policy to put in different websites that change very often, especially whenever you're looking at things like social media and things like that. But some of the things that you know these stick with your HR policies as well. In saying that

01:44

you know your devices

01:46

shouldn't have illicit material harassed others.

01:49

Um,

01:49

you don't want to be able to put certain types of AP, such as Facebook and things like that.

01:55

And then also, they have a zero tolerance policy for texting, emailing wire driving and only hands free text talking while driving is permitted

02:04

again. This whole section you want a modified to fit the needs of your organization

02:08

devices in support.

02:12

Basically, here's where you're going to spell out what type of devices are allowed or not allowed.

02:16

We had a policy and one organization that I work with that we on Lee,

02:21

um, allowed Windows based machines. So if people came in with an iPad or something like that, we did not allow IPADS on the network at all. It had to be a Windows based machine. And that was because we knew that the application we were running we're not gonna run on a Mac or an Apple based product.

02:38

So therefore, there was no usedto have those even on the network. But if you put that in your policy, you can spell that out ahead of time to know exactly why certain things are allowed and certain other things they're not allowed.

02:50

You reimbursement policy, this part of the policy, you're gonna work with your HR again and basically because you're gonna have to figure out what is the reimbursement policy across the board, which you don't want to have is a policy that says we're going to reimburse x amount. But the manager has people in their department that they don't need to reimburse for,

03:08

and that manager says

03:09

we're not reimbursing you. But the policy says that the company will reimburse. So again, you always want to make sure that you're working with your HR and your other managers around the organization so that your policy can fit with what is actual procedures that are actually going on within the organization.

03:28

And then we never get to the security section, you know, in order present prevent unauthorized access. Device must be password protected to use the features of the device. And a strong password is required so that strong password policy is going to stick with the overall company. Strong password policy

03:45

as a device must lock itself with the password

03:47

after five failed log in attempts, which is what is here. You can change that three year. Whatever the case you want, um,

03:55

it's gonna sit idle for five minutes. Excuse me. After five long ends, the device will lock and you have to go in and unlock it by contacting I t.

04:05

A. Not gonna allow routed or jailbroken devices.

04:11

Those the ones that can have fire sis because it doesn't go through the

04:15

service's and approval process. That happens in the normal process of accepting APS,

04:21

smartphones and tablets that are not in the company's list of supported diocese or not allowed to connect to the network

04:28

and employees access to computer company data is limited based on the user profile defined by I T and automatically and force again.

04:34

You don't want somebody to be able to use a be wild D device to access certain types of information on the network that they can't access through their normal workstation or laptop or whatever case they use on a normal daily basis. You don't want that to be circumvented it anyway,

04:51

and then we're looking at when we're looking at risk liabilities and disclaimers,

04:57

I'm gonna take every precaution. Prevent employee's personal data from being lost in the venomous remote, wipe a device

05:02

this employee responsibility. Take additional precautions, such as backing up email contacts. This is really where a lot of times the employees have the hardest time. If it's a B Y o D device, that means it belongs to the employees. It does not belong to the company. And if you have to put on a,

05:18

um,

05:19

software that needs to allow you to wipe the device in case it is lost or stolen

05:25

at times the employees will have an issue that they don't want all of their information to be wiped out from that device. So that's something that you're gonna have to look a certain tool which will only wipe certain parts of that device are you're gonna have to work with the employees to have them understand. Listen, the only option we have

05:42

is to wipe the whole device. And so therefore, that's the only way we can do this.

05:46

And you have to accept that risk and so forth.

05:49

The employees expect to use his or her devices an ethical manner at all times

05:55

and employees personally liable for all costs associated with his or her device.

06:00

And then that the end company reserves the right to take appropriate

06:02

displaying action up to including termination for non compliance with the policy, the same thing you put in all of the policies.

06:12

So in summary, today's reflector, we talked about the B Y O D policy

06:16

and the acceptable use

06:18

the devices in support,

06:20

the reimbursement,

06:23

the security

06:24

and then the risk, the liabilities and the disclaimers.

06:30

So first recap question the company to find acceptable business use as activities are that directly or indirectly support the blank

06:38

of the company,

06:41

and that would be the business of the company.

06:46

Users should agree to blank protect their be wildy devices

06:53

that would be password protect their B Y o d devices.

06:57

Again, The B Y o d policy is gonna be something that you're going to have to modify

07:01

most probably a lot. And then it's gonna have to be reviewed, at least on an annual basis basis to make updates, especially for different things that come out in on the Internet that could affect the security posture of the organization.

07:16

Looking forward, our next lecture, we're gonna look at

07:19

remote access policy,

07:25

Russians or clarification. Reach me is always Tie Berry message. My user name is that Troy Lemaire