Bring Your Own Device

Issues Identification
Incompatible devices – There is a distinct possibility that employees may choose to utilize devices which are incompatible with an organization’s network and security infrastructure.
Personal Usage – If employees are allowed to use their personal devices in work settings, there is the potential to use them for personal use during allotted work time. They may have specific programs on these devices conducive to doing so.
Maintenance – There can become pecuniary disputes between management and employees regarding the maintenance of personal devices used for work. Employees may want to subsidize battery replacements and other maintenance.
Outside of Firewall – The primary security issue is that these devices are unprotected once they leave the physical confines of an organization and its firewall, rendering organizational data vulnerable.
Theft – Theft is a principal concern with BYOD policies, since if personal devices are stolen users may be able to access sensitive workplace data, compromising an organization’s security.
Loss – Loss of a device is a similar concern. If employees were to lose mobile devices with workplace data, their business may lose valuable information for operations or analytics purposes.
Additional Overhead – There can be an number of expenses associated with BYOD, including “more security and tool management costs” and “more licenses” (Karnacus).
Regulatory Compliance – Depending on the vertical an organization operates in, there are strict mandates about where data is stored and kept. Extra workplace use may violate these.
Loss of Privacy – Strict measures for securing and managing personal devices used in the workplace may make employees feel as though their privacy and personal lives are becoming compromised (Phifer).
Distractions – The incorporation of personal devices for work use may prove distracting to users.
Bring Your Own Device (BYOD) Policy
Introduction
The purpose of this policy is to create a harmonious environment in which employees can optimize both convenience and productivity by utilizing their own mobile devices for work purposes. This policy, then, will identify the parameters to which employees must adhere in terms of managing those devices. The policy will encompass aspects of the usage of these devices within and outside of the workplace. Necessarily, it will address certain facets of the personal lives of employees in relation to their devices.
Effective Date
The effective date of this policy is the first of the year—which will give adherents plenty of time to make the necessary adjustments for compliance.
Audience
The audience for this policy is broad. It will include employees as well as individuals who are part of upper level management. Essentially, it is applicable to all those with computing needs at this organization.



Background 
It is necessary to establish a BYOD policy because of the risks that are inherent in such an undertaking. These risks include data loss, security issues, device compatibility, overhead costs, and ongoing maintenance—among many others identified in the preceding issues identification document. In order to have this policy benefit the organization instead of harm it, there needs to be a formalization of the parameters for its use.
Provide some background to the reader on why the organization is establishing this policy (mention the risks that would be associated with allowing users to bring in their own devices and attach them to the network).




Definitions
Include necessary definitions (define all acronyms and technical terms as the readers may not be that computer literate)
· BYOD – This acronym stands for Bring Your Own Device, a policy for mobile computing in which employees utilize their own devices (typically tablets and cell phones) for work purposes, both inside and outside the work place.
· CYOD – This acronym is for Choose Your Own Device, a policy for mobile computing in which employees leverage an assortment of mobile options defined by their organization for the purpose of computing inside and outside the workplace.






Bring Your Own Device (BYOD) Policy
· The right to use personal devices for work usage is a privilege. Any failure to adhere to the other mandates of this policy will result in disciplinary action.
· Users are required to back up data from their personal devices—which pertains to the company—every two days.
· All device maintenance will be shared equally between the organization and the users. The latter will pay for costs upfront prior to getting reimbursed.
· IT will install software allowing oversite into user’s personal devices. While at work, IT will randomly monitor devices to ensure appropriate usage.
· Applications on devices deemed unsuitable for work, or which might cause a distraction for employees, must be removed when management deems so.
· The BYOD policy will be reinforced by a CYOD policy in which employees will select from Android and i-phones, in addition to tablet devices determined later.
· Management reserves the right to disable network access in the event that employees are using their devices for unsuitable purposes.
· Other than maintenance, management will only subsidize the general service plan for mobile devices (Kanaracus)—particularly phones—including data usage.
· Employees must take adequate measures to secure their devices physically, such as install a two-factor password process.
· Management will consider adding new devices to the CYOP allotted list every six month to keep pace with changing technology.




Disciplinary Actions 56
Users who fail to comply with this policy will lose the right to use their own personal mobile devices for work. Initially this punishment will last for a month before users get their BYOB privileges returned. Any further issues of non-compliance will result in permanent suspension of this privilege on the part of the individual employee.



References
Works Cited
Kanaracus, Chris. Half of companies will require BYOD by 2013, Gartner says. www.pcworld.com 2013. Web. https://www.pcworld.com/article/2036980/half-of-companies-will-require-byod-by-2017-gartner-says.html
Phifer, Lisa. BYOD Security Strategies: Balancing BYOD Risks and Rewards. www.techtarget.com 2013. Web. http://searchsecurity.techtarget.com/feature/BYOD-security-strategies-Balancing-BYOD-risks-and-rewards
Whittaker, Zach. BYOD: From Optional to Mandatory by 2017, says Gartner. www.zdnet.com 2013. Web. http://www.zdnet.com/article/byod-from-optional-to-mandatory-by-2017-says-gartner/







He wants to allow users to use their own laptops and cell phones for work purposes. Research issues associated with BYOD.
1) The first is a one-page issues identification paper for your boss. Write a minimum of a one-page (double-spaced) paper on the issues (most papers will be two-pages in length) identifying at least 10 potential security and other concerns associated with BYOD. Be certain that this paper is properly cited and do not address just mobile security issues - address issues associated with BYOD.

2) As you know that your boss is going to do whatever he wants, regardless of your concerns, prepare a BYOD policy for the organization that identifies at least 10 controls to the concerns that you raise in the paper (be certain to use "strong" policy language) to which you expect users to adhere. Use the template provided to you in the Course Content section and be certain that you address all of the sections in the template (remove the yellow highlights). Additional sample policy template can be found on the SANS website here: https://www.sans.org/security-resources/policies/

Note that these are checked for plagiarism with SafeAssign, so cite your sources and do NOT copy material in from other policies that you find online. This assignment is due on Sunday, 24 September by 11:59pm. Late papers will be marked down 25% per day. A rubric has been provided that will be used to grade these papers.