White Paper
Setting BYOD Policy: A New Partnership for IT and HR

Introduction

As the line between office and home life continues to blur, employees increasingly rely on their own smartphones, tablets, and laptop computers for work-related tasks. Today, more than 70 percent of US employees routinely use personal devices whenever and wherever possible—at the office and at home, in airports and hotels, before their morning coffee, or while waiting for the train.

But beware: the myriad demands of BYOD (bring your own device) usage affect the entire organization and are most keenly felt by the IT and HR managers, as they are responsible for safeguarding your company’s data and infrastructure. As a result, IT and HR departments must develop a more strategic relationship with each other to properly manage BYOD usage.

Current BYOD Usage

According to IDC, as the US mobile workforce climbs above 75 percent, the worldwide mobile workforce will increase to more than 1.3 billion by 2015. IDC further projects that the enterprise mobility market will grow to US$174 billion by 2017. According to iPass, the average number of mobile devices per user expanded from 2.7 in 2011 to 3.5 in 2012.

According to ESET and Harris Interactive:
- 41 percent of employees use personal laptops; 47 percent use personal desktops
- 24 percent of employees use a personal smartphone to access and store company information
- 10 percent of employees use a personal tablet to access and store company information (this percentage will likely increase as tablets begin replacing laptops)

A recent Gartner report encourages enterprises to minimize organizational risk by creating strategies to protect mobile data and devices and control network

© 2012 EVault, Inc. All Rights Reserved.

According to Gartner:
- 74 percent of companies allow some type of BYOD usage
- Less than 10 percent of organizations are “fully aware” of the devices accessing their network
- 81 percent of employees use at least one personal device for business use

Juniper Networks released results of a survey of more than 4,000 mobile-device users and IT professionals. One statistic in particular stands out: employees consistently circumvent official mobile-device policies, with 41 percent of all respondents using personal devices without company permission.

Minimize Risk and Maximize Opportunity with a Unified BYOD Strategy

The great advantage of BYOD is that it enables employees to work on tasks whenever and wherever they want—not simply when office hours permit. Unfortunately, it also introduces an abundance of new data that crosses personal and corporate boundaries.

The issues surrounding any BYOD adoption strategy impact organizations regardless of size or business focus. As a result, it’s in the best interest of all organizations to create technological and administrative safeguards that minimize BYOD risks—the loss of control in how data is accessed, stored, and retained.

Organizational risk is three-fold:
1. Unauthorized handling of corporate data—by employees
2. Unauthorized access to private data—by non-employees using an employee’s personal device
3. Unauthorized access to personal data—by the corporation

Despite its risks, BYOD usage offers tangible organizational benefits. For example, the recent iPass Global Workforce Study shows that worker productivity increases significantly with BYOD usage—by an average of 240 work hours a year. A shift toward BYOD can bring cost savings in hardware and software—from 9 to 40 percent, according to Gartner—although this savings is often offset by additional support and policy requirements.
BYOD can also drive greater job satisfaction, creating increased employee retention.

[Figure: Personal devices used for work—BYOD usage varies greatly by department and industry. Source: ESET and Harris Interactive]

Give Them What They Want

Your employees—like all consumers—can now access tools that were once too costly or specialized for a mass audience. As a result, employees can more easily find products to fit their needs. Such consumerization, particularly in the IT sector, enables employees to create their own technology solutions when one is not readily available. Put another way: if your organization doesn’t provide the devices and BYOD usage policies that employees want, employees will create their own—and that opens the enterprise to risk.

BYOD Policy Creation

A successful BYOD policy protects your infrastructure as well as employee and company privacy; such a policy requires communication, training, expense justification, and collaboration between IT and HR. Both departments play a crucial role in creating this partnership. IT is becoming more essential as technology intersects with the way organizations are managed and run. And because BYOD is in part an organizational liability, HR must educate the workforce on BYOD usage and help create policies that minimize risk and maximize the benefits.

First: Take Inventory

Prior to embarking on a solution, it is critical that you take inventory of your company’s assets. A current snapshot will help you best address, integrate, or change existing behaviors and understand the benefits employees are seeking. IT and HR need to work closely with the relevant business unit managers to orchestrate a successful rollout of this phase.

IT should begin its inventory process by finding all devices, access points, geographical requirements, and applications currently in use and then identifying solutions to address current behaviors, as well as determining appropriate security levels and wiping, blocking, and access controls.
IT should then establish support requirements, identify expenses, and define practices and solutions that support IT in centralized policy management.

HR will create policies to address legal liability—such as when passwords and personal data are necessary to access personal devices. After HR has defined clear parameters, ask your legal department to review your BYOD policy and supply the appropriate legal disclaimer that protects employees and the company. Legal counsel can also address concerns about corporate rights to data and define the circumstances in which data may be deleted.

Organizations will need to address a variety of other issues as well. For instance, what type of internal assessments, investigations, audits, and security incident responses should employees expect? What is required of employees when they sell or share devices? How should devices and compliance be monitored and enforced? IT and HR can answer these questions by crafting unified corporate policies that will pass audits and minimize liabilities.

Business unit managers should help develop rules, policies, and security requirements for their particular users.

Caveat: If the risks and costs outweigh BYOD’s potential benefits, you may need to abandon your BYOD strategy altogether. Risk assessment is an essential part of the process.

Create Integrated Solutions that Empower Employees

Once the BYOD rules, roles, and policies have been defined, you are ready to create solutions that leverage BYOD benefits. Generate awareness and ensure compliance through a corporate education campaign. HR must ensure employees acknowledge, and consent to, the BYOD policies and corporate standards.
IT can then deploy management and monitoring tools for centralized oversight, integrate existing devices, and provide users with self-service management tools to avoid support “overload.”

Finally, business managers can empower employees—and boost their productivity—by giving employees access to their favorite and most productive tools, devices, and applications. With proper BYOD planning and policies, you can take the risk out of mobile device usage and reap the benefits.

BYOD Policy Checklist

Step One: Find Out How Employees Are Using Personal Devices for Work

- Survey and assess existing practices, applications, and devices—ask employees what they’re actually doing and how it’s working for them.
- Establish user roles and requirements—ask business unit managers and employees why they are using their personal devices for work; for example, what they needed to do and why they chose a personal device over a corporate device.
- Review current policies for provisioning or allowing personal devices, as well as expense reimbursements.
- Compare actual behavior with existing policies—are employees aware of the policies and complying with them?

Step Two: Define Needs, Roles, and Rules

Based on information retained from the Level Set step, make sure your personal device policy accurately reflects:
- Activities and business unit needs that truly require corporate data access
- Data access requirements and privacy requirements
- Sharing requirements and collaboration
- Roles and rules requirements

Step Three: Define Levels of Support for Personal Devices

A complete BYOD policy includes clear definitions for support and a cost/benefit analysis including:
- User roles and needs that qualify for personal device usage and support
- Geographic areas that qualify for support and access
- Expense and reimbursement policies
- Devices, versions, and operating systems that will be supported
- Minimum system requirements and configurations

Step Four: Legal Protection and Training

Always consult with your legal department before implementing your BYOD policy. Once you define clear parameters for usage and support, your legal department can review the policy and provide the appropriate disclaimer to protect the company and its employees.
Legal and training requirements should minimally include:
- Liability clause for damage, corruption, and data deletion
- Consent and waiver agreement
- Training on privacy trade-offs and expectations
- Training on support and update requirements

Step Five: Additional Policy Development Considerations

Following are some of the key risks and issues to consider finding a solution for:
- How to handle corporate access to personal email, chat, and social activity
- How to handle personal files such as music, movies, and financial information
- Risks of data transmission from personal devices and multiple operating systems
- Risks of key-logging on personal devices
- Meeting requirements of an encrypted VPN connection

- Setting up a “sandbox” for corporate information on a personal device
- Options for handling and accessing personal device passwords
- Wireless access policies
- Acceptable use policies, such as securing devices and closing down devices if unattended
- Incident reporting practices and cooperation with corporate requirements

Step Six: Audits, Discovery, Investigations, and Litigation Considerations

To meet regulatory requirements, your BYOD policy should clearly define and support your ability to do the following, at a minimum:
- Demonstrate consistency with corporate policies and applications security on all personal or corporate devices—anti-virus and anti-malware installations, encryption installation, updates and patches
- Demonstrate consistency in security software and applications installed on all personal and corporate devices
- Obtain and retain personal devices for audits—clearly stated requirements for turnaround times and longevity
- Monitor device use to detect misuse, unauthorized applications, hacking, or malware
- Determine how the device connects to the company’s network
- Obtain rights to access the device for purposes of an investigation
- Integrate, terminate, or limit existing activities accordingly
- Wipe, brick, lock, or disable lost or stolen personal devices to secure corporate data
- Send notifications to wipe data if devices are sold, retired, or reassigned by an employee

Take the Next Step: Get More Information—or Start a Free Trial

EVault Endpoint Protection offers all-in-one backup, recovery, and data security to help you control data across your enterprisewide mobile workforce. To learn more about EVault backup and recovery services, call us at 1.877.901.DATA (3282), email us at [email protected], or visit us at a free 30-day EVault Endpoint Protection trial, visit

201 3rd Street, Suite 400, San Francisco, CA 94103
877.901.DATA (3282)
www.evault.com
Netherlands (EMEA HQ) 31 (0) 73 648 1400
France 33 (0) 1 55 27 35 24
UK 44 (0) 1932 445 370

EVault and the EVault logo are registered trademarks, and cloud-connected is a trademark, of EVault, Inc. All other trademarks or registered trademarks are the property of their respective owners.
2012.09.0031 WP (updated 09/27/2012)
