This is a sample BYOD policy created by the U.S. Chief Information Officer as part of a broader analysis of BYOD policies for organizations. While the document specifically addresses Federal agencies, it provides a high-resolution view of BYOD policies, including the conceptual framework and alternative models for implementation. The full document is available as a .pdf at https://cio.gov/wp-content/uploads/downloads/20...
Bring Your Own Device – Policy and Rules of Behavior for Agency Name
(Version Enter version number, Date)
This document provides policies, standards, and rules of behavior (ROB) for the use of personally-owned smart phones and/or tablets by Agency Name employees (herein referred to as users) to access Agency Name network resources. Access to and continued use of network services is granted on condition that each user reads, signs, respects, and follows the Agency Name’s policies concerning the use of these devices and services.
The Office of Information Technology (OIT) is piloting a “Bring Your Own Device” (BYOD) program to permit agency personnel to use personally-owned smart phones and tablets for business purposes. The policy and ROB vary depending on service usage, as outlined below.
Current Devices Approved for Use During BYOD Pilot:
• Android Smart Phones & Tablets
• Blackberry Smart Phones & Playbook
• iOS iPhones & iPads
Expectation of Privacy: Agency Name will respect the privacy of your personal device and will only request access to the device by technicians to implement security controls, as outlined below, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings (applicable only if the user downloads government e-mail/attachments/documents to their personal device). This differs from the policy for government-provided equipment/services, where government employees do not have the right, nor should they have the expectation, of privacy while using government equipment or services. While access to the personal device itself is restricted, Agency Name Policy and Rules of Behavior regarding the use of and access to government e-mail and other government systems/services remain in effect. If there are questions related to compliance with the security requirements below, the user may opt to drop out of the BYOD program rather than providing the device to technicians for compliance verification.
I. Overall Requirements for all BYODs Accessing Agency Name Network Services:
• User will not download or transfer sensitive business data to their personal devices.
Sensitive business data is defined as documents or data whose loss, misuse, or unauthorized access can adversely affect the privacy or welfare of an individual (personally identifiable information), the outcome of a charge/complaint/case, proprietary information, or agency financial operations. This excludes government e-mail that is protected through the various security controls listed below;
• User will password protect the device;
• User agrees to maintain the original device operating system and keep the device current with security patches and updates, as released by the manufacturer. The user will not “Jail Break” the device (installing software that allows the user to bypass standard built-in security features and controls);
• User agrees that the device will not be shared with other individuals or family members, due to the business use of the device (potential access to government e-mail, etc.);
• User agrees to delete any sensitive business files that may be inadvertently downloaded and stored on the device through the process of viewing e-mail attachments. Agency Name OIT will provide instructions for identifying and removing these unintended file downloads. Follow the premise, “When in Doubt, Delete it Out.”
II. Accessing Product Name (e-Mail/Calendar) Services on BYOD
A. Use of Product Name or Other Product Name
With the use of Product Name (standard Product Name access via Internet/Web Browser) and/or Product Name Products, business e-mails are accessed across the Internet and are NOT downloaded to the device; therefore, there are no additional security requirements other than the Overall Requirements noted in Section I.
B. Use of Product Name
The Product Name is a cloud-based mobility solution that provides secure, real-time synchronization of e-mail, calendar, and contacts to and from Apple/Android devices. With Product Name, users have the ability to compose, reply to, forward, or delete their e-mail while mobile, as well as open a variety of e-mail attachment formats. With the use of Product Name, business e-mails and appointments are downloaded and stored on the device, so additional security requirements are necessary.
• As a default, Product Name will be enabled to perform an e-mail wipe on the phone after 25 failed password attempts (please be advised that only e-mail on the device will be deleted);
• If the device is lost or stolen, the user will notify the Agency Name Help Desk (Enter Help Desk Phone or Enter Help Desk Email) within one hour, or as soon as practical after noticing the device is missing. Agency Name OIT will lock the device, e-mail on the device will be deleted, and Product Name services will be deactivated;
• Users must comply with all Agency Name password policies, including use of strong passwords, password expiration (6 months), and password history (3);
• Agency Name reserves the right to terminate government-provided Product Name services for non-use. Product Name services that are not used for 30 days will be terminated.
USER ACKNOWLEDGMENT AND AGREEMENT
It is Agency Name’s right to restrict or rescind computing privileges, or take other administrative or legal action, due to failure to comply with the above-referenced Policy and Rules of Behavior. Violation of these rules may be grounds for disciplinary action up to and including removal. I acknowledge, understand, and will comply with the above-referenced security policy and rules of behavior, as applicable to my BYOD usage of Agency Name services. I understand that addition of government-provided third-party software (such as Enter Example Product Name) may decrease the available memory or storage on my personal device and that Agency Name is not responsible for any loss or theft of, damage to, or failure in the device that may result from use of third-party software and/or use of the device in this program. I understand that contacting vendors for troubleshooting and support of third-party software is my responsibility, with limited configuration support and advice provided by Agency Name OIT. I understand that business use may result in increases to my personal monthly service plan costs. I further understand that government reimbursement of any business-related data/voice plan usage of my personal device is not provided. [Note: While this document does not provide for reimbursement, most policies do stipulate some formula for covering employee costs related to business usage.] Should I later decide to discontinue my participation in the BYOD Program, I will allow the government to remove and disable any government-provided third-party software and services from my personal device.
BYOD Device(s): Enter BYOD Device Name
Services to be Used: Enter Services
Anti-Virus and Other Security Software: Enter Anti-Virus and Security Software