Developing a BYOD or MDM Policy for Your Firm
The Bring Your Own Device (BYOD) trend is certainly nothing new, but with growing cybersecurity concerns across the alternative investment industry, it is imperative for firms to have a thorough BYOD policy to ensure data privacy and help employees understand the processes and policies around bringing their own device to the office.
Some items to keep in mind when developing your firm’s policy include:
Company-owned mobile devices should be issued to – and personal devices approved for – only those employees who require immediate and frequent contact with co-workers, clients or partners regardless of whether they are physically located at their desks.
Devices should only be approved in situations where the productivity gains outweigh the costs incurred by the organization to support and manage the device.
A BYOD Policy should be integrated with your firm's Acceptable Use Policy.
As you set out to establish your firm’s BYOD and mobile device management strategies, be sure to consider each of the following areas in order to ensure your policies are comprehensive and the firm is protected from potential security incidents.
Consider what types of data employees should be allowed to store locally on their mobile devices. For instance, you may want to ban users from keeping confidential or sensitive information on their devices unless it’s protected by robust encryption tools. Additionally, make it clear in this section that the firm has the right to remotely or physically wipe all data, including employees’ own personal information, from mobile devices at any time.
Another important aspect of the data policy is social media usage. Nearly 80% of social media time is spent on mobile devices, so while your firm may block social media websites, employees can still access them via their smartphones. How do you want to govern this? Be sure to consider pertinent industry regulations regarding archiving and retention of online communications to ensure compliance.
Mobile Device Management (MDM) Policy
MDM is a critical aspect of the BYOD policy. Be sure to directly state which rights the firm will retain with regard to provisioning mobile devices. Provisioning may include carrier activation, as well as installation of encryption technologies, various software tools, security certificates, anti-virus and more. Other items to consider within this section are:
Password and screensaver policies
Blocking or removal of specific applications
Process and timing of security scans
Procedures for taking inventory of mobile device data and applications
Mobile Device Support Policy
How will the firm go about supporting employees’ personal mobile devices for business use? Some companies prefer to have users submit expense reports each month, detailing usage and the costs associated with work-related activities. Others offer a stipend to users in a predetermined amount, depending upon the individual’s role and responsibility level within the firm. Determine which method works best for your organization, and be sure to state that explicitly in this section.
Policies Regarding Company-issued Devices
For those employees who will continue to use company-issued mobile devices, consider items such as international travel (When are roaming charges permitted? Can users make international calls on their devices?). Make sure these policies are clearly outlined for all users.
Loss & Theft
Who is responsible for charges associated with repair to a damaged mobile device or replacement of a lost device? Make it clear in this section that any lost or damaged devices need to be immediately reported to the appropriate firm personnel so that sensitive data does not fall into the wrong hands.
Employee Termination Policy
This section addresses the process for returning company-owned devices or deactivating access to business applications from a personal device in the event of an employee’s termination. In most cases, the employee will be required to turn in any devices that are company-issued, and allow the firm to wipe all necessary data from those that are owned by the individual.
At Eze Castle Integration, we regularly work with our clients to discuss mobile device management and BYOD best practices, and help design policies to meet each firm’s unique needs. Contact us to learn more.