This is not the latest version. This is version 3 from 8 years ago.

Bring Your Own Device Policy Sample - Version 3

This is a sample of a BYOD policy created by the U.S. Chief Information Officer as part of a broader analysis of BYOD policies for organizations. While the document specifically addresses Federal agencies, it provides a high-resolution view of BYOD policies including the conceptual framework and alternative models for implementation. The full document is available as a .pdf at https://cio.gov/wp-content/uploads/downloads/20...

Sample #2: Bring Your Own Device – Policy and Rules of Behavior
[AGENCY NAME]
(Version X, [DATE])

This document provides policies, standards, and rules of behavior (ROB) for the use of personally-owned
smart phones and/or tablets by [AGENCY NAME] employees (herein referred to as users) to access
[AGENCY NAME] network resources. Access to and continued use of network services is granted on
condition that each user reads, signs, respects, and follows the [AGENCY NAME]’s policies concerning
the use of these devices and services.

The Office of Information Technology (OIT) is piloting a “Bring Your Own Device” (BYOD) program to
permit agency personnel to use personally-owned smart phones and tablets for business purposes. The
policy and ROB vary depending on service usage, as outlined below.

Current Devices Approved for Use During BYOD Pilot:
• Android Smart Phones & Tablets
• Blackberry Smart Phones & Playbook
• iOS iPhones & iPads

Expectation of Privacy: [AGENCY NAME] will respect the privacy of your personal device and will only request access to the device by technicians to implement security controls, as outlined below, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings (applicable only if user downloads government email/attachments/documents to their personal device). This differs from policy for government-provided equipment/services, where government employees do not have the right, nor should they have the expectation, of privacy while using government equipment or services. While access to the personal device itself is restricted, [AGENCY NAME] Policy and Rules of Behavior regarding the use/access of government e-mail and other government system/service remains in effect. If there are questions related to compliance with the below security requirements, the user may opt to drop out of the BYOD program versus providing the device to technicians for compliance verification.

I. Overall Requirements for all BYODs Accessing [AGENCY NAME] Network Services:
• User will not download or transfer sensitive business data to their personal devices.
Sensitive business data is defined as documents or data whose loss, misuse, or unauthorized access can adversely affect the privacy or welfare of an individual (personally identifiable information), the outcome of a charge/complaint/case, proprietary information, or agency financial operations. This excludes government e-mail that is protected through the various security controls listed below;
• User will password protect the device;
• User agrees to maintain the original device operating system and keep the device current with security patches and updates, as released by the manufacturer. The user will not “Jail Break” the device (installing software that allows the user to bypass standard built-in security features and controls);
• User agrees that the device will not be shared with other individuals or family members, due to the business use of the device (potential access to government e-mail, etc.);
• User agrees to delete any sensitive business files that may be inadvertently downloaded and stored on the device through the process of viewing e-mail attachments. [AGENCY NAME] OIT will provide instructions for identifying and removing these unintended file downloads. Follow the premise, “When in Doubt, Delete it Out.”

II. Accessing [PRODUCT NAME] (e-Mail/Calendar) Services on BYOD
A. Use [PRODUCT NAME] or [PRODUCT NAME]
With the use of [PRODUCT NAME] (standard [PRODUCT NAME] access via Internet/Web Browser) and/or [PRODUCT NAME] Products, business e-mails are accessed across the Internet and are NOT downloaded to the device; therefore, there are no additional security requirements other than the Overall Requirements noted in Section I.
B. Use of [PRODUCT NAME]
The [PRODUCT] is a cloud-based mobility solution that provides secure, real-time synchronization of email, calendar, and contacts to and from the Apple/Android devices. With [PRODUCT], users have the ability to compose, reply, forward, or delete their email while mobile, as well as open a variety of email attachment formats. With the use of [PRODUCT], business e-mails and appointments are downloaded and stored on the device, so additional security requirements are necessary.
• As a default, [PRODUCT] will be enabled to perform an e-mail wipe on the phone after 25 failed password attempts (please be advised that only e-mail on the device will be deleted);
• If the device is lost or stolen, the user will notify the [AGENCY NAME] Help Desk ([AGENCY HELPDESK PHONE] or [AGENCY HELPDESK EMAIL]) within one hour, or as soon as practical after you notice the device is missing. [AGENCY NAME] OIT will lock the device, e-mail on the device will be deleted, and [PRODUCT] services will be deactivated;
• Users must comply with all [AGENCY NAME] password policies, including use of strong passwords, password expiration (6 months), and password history (3).
[AGENCY NAME] reserves the right to terminate government-provided [PRODUCT] services for non-use. The policy for terminating [PRODUCT] services is 30 days.

USER ACKNOWLEDGMENT AND AGREEMENT
It is [AGENCY NAME]’s right to restrict or rescind computing privileges, or take other administrative or
legal action due to failure to comply with the above referenced Policy and Rules of Behavior. Violation
of these rules may be grounds for disciplinary action up to and including removal. I acknowledge, understand and will comply with the above referenced security policy and rules of behavior, as applicable to my BYOD usage of [AGENCY NAME] services. I understand that addition of government-provided third party software (such as [INSERT EXAMPLE PRODUCT NAMES HERE]) may decrease the available memory or storage on my personal device and that [AGENCY NAME] is not responsible for any loss or theft of, damage to, or failure in the device that may result from use of third-party software and/or use of the device in this program. I understand that contacting vendors for trouble-shooting and support of third-party software is my responsibility, with limited configuration support and advice provided by [AGENCY NAME] OIT. I understand that business use may result in increases to my personal monthly service plan costs. I further understand that government reimbursement of any business related data/voice plan usage of my personal device is not provided. While this document doesn't provide for reimbursement, most policies do stipulate some formula for covering employee costs related to business usage. Should I later decide to discontinue my participation in the BYOD Program, I will allow the government to remove and disable any government provided third-party software and services from my personal device.

Employee Name: _________________________________
BYOD Device(s):__________________________________________________________
Services to be Used:__________________________________________________________
Employee Signature: _________________________________ Date: ___________
