What: The BYOD Policy establishes the rules for employees working remotely, using their own devices (computer, cell phone, etc.), and using public or unsecured Wi-Fi.
Approx. time: This policy can be formulated in a two-hour meeting. Plan an additional few hours to formally write out the policy.
Who: The entire team, so that the decisions suit everyone and everyone understands together why they matter.
Prerequisite: This meeting should be held after the Security and Access Policies have been established. The decisions taken during those meetings will affect this policy.
This policy seeks to set up a simple structure to help your employees and partners work remotely and securely on their personal devices.
It has two parts:
PART 1: Using open Wi-Fi
As mentioned in the chapter about this topic, open (or public) Wi-Fi is a network that is not password protected. While this makes it easier for users to connect, keep in mind that anything sent without encryption (plain HTTP pages, some email and file-transfer protocols, DNS lookups) travels in cleartext and can be read by anyone nearby. HTTPS protects the content of a page but still reveals which sites you visit. A café network that posts its Wi-Fi password on the wall is only slightly better: everyone who knows the shared password can potentially observe the other users' traffic. You therefore need to avoid transmitting confidential or sensitive data on such networks, or to do so only through a VPN.
Here are some questions to consider in order to agree on the rules for using this type of network as a team:
- In what situations do you need to access information outside of your home or organization?
- Here are some examples of situations: in transit at the airport, during a conference, while working in a café, during meetings taking place at the offices of other organizations, members, or partners, etc.
- Depending on the situation, would it be useful to use a VPN? If yes, which one?
- Are the private Wi-Fi networks of the organization and employees secure?
- Are the employees' browsers configured to enforce secure (HTTPS) connections?
- Which documents should not be consulted on an unsecured network?
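As an added example, not part of the original guide, the following shell script gives a concrete way to answer "Is this Wi-Fi network secure?" before connecting. It assumes a Linux machine with NetworkManager, whose `nmcli -t -f SSID,SECURITY dev wifi list` prints one `SSID:SECURITY` line per visible network (an empty SECURITY field means an open network). The function `flag_weak_wifi` and the sample listing `sample_scan` are names chosen for this example, and the networks in the sample are constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example (not from the original policy page): flag Wi-Fi networks that
# offer no encryption at all, or only the broken WEP cipher.
# Assumption: input lines are in the terse "SSID:SECURITY" format produced by
#   nmcli -t -f SSID,SECURITY dev wifi list
# on Linux with NetworkManager (nmcli escapes colons inside SSIDs as "\:").

# Read "SSID:SECURITY" lines on stdin and print one tab-separated line
# "<SSID>\t<reason>" for every network that should be treated as open.
flag_weak_wifi() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ssid=${line%:*}        # everything before the last colon
        sec=${line##*:}        # everything after the last colon
        case "$sec" in
            "")    printf '%s\tOPEN: traffic is not encrypted on the air\n' "$ssid" ;;
            *WEP*) printf '%s\tWEP: broken cipher, treat as open\n' "$ssid" ;;
            *)     ;;          # WPA2/WPA3: encrypted on the air; still prefer HTTPS and a VPN
        esac
    done
}

# Constructed sample listing for this example (not a real scan).
sample_scan() {
    printf '%s\n' \
        'CafeGuest:' \
        'OfficeNet:WPA2' \
        'OldRouter:WEP' \
        'HomeNet:WPA2 WPA3'
}

# On a live machine:  nmcli -t -f SSID,SECURITY dev wifi list | flag_weak_wifi
# Here the check runs on the constructed sample and reports CafeGuest and OldRouter.
sample_scan | flag_weak_wifi
```

The script only looks at what the network advertises; a WPA2 network whose password is public is still a shared medium, which is why the policy should also require HTTPS and, for sensitive work, a VPN regardless of what this check reports.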
PART 2: BYOD Policy (Bring Your Own Device)
If your organization works with people who use their own devices, you need to establish certain rules. The goal of this policy is to have employees work in a way that is secure and trustworthy.
Three points to clarify
First and foremost, in setting up a BYOD policy, it is important to clarify three basic questions:
- Who owns the information stored on the employee's personal device (and is there more than one owner)?
- Who is responsible in case of loss or theft of the device?
- What happens to the organization’s data when a staff member leaves the organization?
Here you will find a more complete guide on implementing a BYOD policy.
We also suggest some questions to consider when establishing this policy:
a. Are the devices used protected by passphrases?
- Try to include your passphrase management policy in your BYOD policy.
b. Is the list of roles and their access rights compiled and up to date?
- Make sure that the established access levels are in effect and rigorously applied on the personal devices used to work remotely, as well as on the cloud accounts.
c. How is the security of the Wi-Fi networks used ensured?
- Plan access to a VPN, if needed.
- Make sure the browsers enforce HTTPS. The HTTPS Everywhere extension was retired by the EFF in 2023; use the browser's built-in setting instead (HTTPS-Only Mode in Firefox, "Always use secure connections" in Chrome), which refuses to load a page over plain HTTP without asking first.
- Make sure that the Wi-Fi networks (at the office and at home) are secure: WPA2 or WPA3 with a strong passphrase, not open and not WEP.
d. In what vulnerable situations could an employee find themselves when working remotely? What should we pay attention to?
- Assess the risks. This can be done as part of the Security Policy.
e. Is the personal device shared by several people? If so, is it secured accordingly?
- Set up a separate user account (session) for each person, so that work data is not reachable from the other users' sessions.
f. How is the sensitive data being protected?
- Maintain an up-to-date inventory.
- Make sure to address the weaknesses and the risky situations identified in the Security Policy.
g. Are the work-related documents properly organized and easy to identify in case of an employee departure?
Useful links:
- Guide for establishing your policy
- BYOD guide from the Barreau du Québec (FR only)
- Acceptable Use Policy from FAVA
Checklist
- Explain to all the employees and partners the risks associated with using an open Wi-Fi network.
- Establish rules for connecting securely on open Wi-Fi networks.
- Establish a policy for securing the organization’s networks.
- Define the best practices for securing the employees’ browsing activities as well as their Wi-Fi connections at home.
- Clarify the responsibilities of different parties in terms of using personal devices.
- Formalize a BYOD policy.
- Establish the procedure in case of departure (in connection with the Access Policy).
- Write out the policy and have all the employees concerned sign it.
Useful links:
- Example of a protocol to adapt from the National Health Service (UK)