This is a sample of a BYOD policy created by the U.S. Chief Information Officer as part of a broader analysis of BYOD policies for organizations. While the document specifically addresses Federal agencies, it provides a high-resolution view of BYOD policies including the conceptual framework and alternative models for implementation. The full document is available as a .pdf at https://cio.gov/wp-content/uploads/downloads/20...
Sample #2: Bring Your Own Device – Policy and Rules of Behavior
(Version X, [DATE])
This document provides policies, standards, and rules of behavior (ROB) for the use of personally-owned
smart phones and/or tablets by [AGENCY NAME] employees (herein referred to as users) to access
[AGENCY NAME] network resources. Access to and continued use of network services is granted on
condition that each user reads, signs, respects, and follows the [AGENCY NAME]’s policies concerning
the use of these devices and services.
The Office of Information Technology (OIT) is piloting a “Bring Your Own Device” (BYOD) program to
permit agency personnel to use personally owned smart phones and tablets for business purposes. The
policy and ROB vary depending on service usage, as outlined below.
Current Devices Approved for Use During BYOD Pilot:
• Android Smart Phones & Tablets
• BlackBerry Smart Phones & Playbook
• iOS iPhones & iPads
Expectation of Privacy: [AGENCY NAME] will respect the privacy of your personal device and will
only request access to the device by technicians to implement security controls, as outlined below,
or to respond to legitimate discovery requests arising out of administrative, civil, or criminal
proceedings (applicable only if user downloads government email/attachments/documents
to their personal device). This differs from policy for government-provided equipment/services,
where government employees do not have the right, nor should they have the expectation, of privacy
while using government equipment or services. While access to the personal device itself is restricted,
[AGENCY NAME] Policy and Rules of Behavior regarding the use/access of government e-mail and
other government system/service remains in effect. If there are questions related to compliance with
the below security requirements, the user may opt to drop out of the BYOD program versus providing
the device to technicians for compliance verification.
I. Overall Requirements for all BYODs Accessing [AGENCY NAME] Network Services:
• User will not download or transfer sensitive business data to their personal devices.
Sensitive business data is defined as documents or data whose loss, misuse, or unauthorized access can adversely affect the privacy or welfare of an individual (personally
identifiable information), the outcome of a charge/complaint/case, proprietary information, or agency financial operations. This excludes government e-mail that is protected
through the various security controls listed below;
• User will password protect the device;
• User agrees to maintain the original device operating system and keep the device current with security patches and updates, as released by the manufacturer. The user will
not “Jail Break” the device (installing software that allows the user to bypass standard
built-in security features and controls);
• User agrees that the device will not be shared with other individuals or family members,
due to the business use of the device (potential access to government e-mail, etc.);
• User agrees to delete any sensitive business files that may be inadvertently downloaded
and stored on the device through the process of viewing e-mail attachments. [AGENCY
NAME] OIT will provide instructions for identifying and removing these unintended file
downloads. Follow the premise, “When in Doubt, Delete it Out.”
II. Accessing [PRODUCT NAME] (e-Mail/Calendar) Services on BYOD
A. Use [PRODUCT NAME] or [PRODUCT NAME]
With the use of [PRODUCT NAME] (standard [PRODUCT NAME] access via Internet/Web
Browser) and/or [PRODUCT NAME] Products, business e-mails are accessed across the Internet
and are NOT downloaded to the device; therefore, there are no additional security requirements
other than the Overall Requirements noted in Section I.
B. Use of [PRODUCT NAME]
The [PRODUCT] is a cloud based mobility solution that provides secure, real-time synchronization
of email, calendar, and contacts to and from the Apple/Android devices. With [PRODUCT], users
have the ability to compose, reply, forward, or delete their email while mobile, as well as open
a variety of email attachment formats. With the use of [PRODUCT], business e-mails and
appointments are downloaded and stored on the device, so additional security requirements
are necessary.
• As a default, [PRODUCT] will be enabled to perform an e-mail wipe on the phone after
25 password failed attempts (please be advised that only e-mail on the device will be
• If the device is lost or stolen, the user will notify the [AGENCY NAME] Help Desk
([AGENCY HELPDESK PHONE] or [AGENCY HELPDESK EMAIL]) within one hour, or
as soon as practical after you notice the device is missing. [AGENCY NAME] OIT will
lock the device, e-mail on the device will be deleted, and [PRODUCT] services will be
• Users must comply with all [AGENCY NAME] password policies, including use of strong
passwords, password expiration (6 months), and password history (3).
• [AGENCY NAME] reserves the right to terminate government-provided [PRODUCT]
services for non-use. The policy for terminating [PRODUCT] services is 30 days.
USER ACKNOWLEDGMENT AND AGREEMENT
It is [AGENCY NAME]’s right to restrict or rescind computing privileges, or take other administrative or
legal action due to failure to comply with the above referenced Policy and Rules of Behavior. Violation
of these rules may be grounds for disciplinary action up to and including removal.
I acknowledge, understand and will comply with the above referenced security policy and rules of
behavior, as applicable to my BYOD usage of [AGENCY NAME] services. I understand that addition of
government-provided third party software (such as [INSERT EXAMPLE PRODUCT NAMES HERE])
may decrease the available memory or storage on my personal device and that [AGENCY NAME] is
not responsible for any loss or theft of, damage to, or failure in the device that may result from use of
third-party software and/or use of the device in this program. I understand that contacting vendors for
trouble-shooting and support of third-party software is my responsibility, with limited configuration
support and advice provided by [AGENCY NAME] OIT. I understand that business use may result in
increases to my personal monthly service plan costs. I further understand that government reimbursement of any business related data/voice plan usage of my personal device is not provided. Should I later decide to discontinue my participation in the BYOD Program, I will allow the government
to remove and disable any government provided third-party software and services from my personal
Employee Name: _________________________________
Services to be Used:__________________________________________________________
Employee Signature: _________________________________ Date: ___________