Bring Your Own Device Policy

Uploaded by Shah Khan
Copyright © All Rights Reserved

BRING YOUR OWN DEVICE (BYOD) POLICY

© Distributed by Resilify.io under a Creative Commons Share Alike License.
Document Information

Mobile Device Policy


Version Control
Owner | Version | Edited By | Date | Change History
IS Rep | 0.1 | Assent | 30/01/2017 | First Draft

Distribution
Held By | Format | Location | Comments
User | Digital / Physical | |

Status
X | Status | Approved By | Date
X | Working Draft | | DD/MM/YYYY
  | Provisional Approval | |
  | Publication | |

Classification
Please refer to ISMS 02 Information Handling & Classification Procedure
[X] Confidential
[ ] Restricted
[ ] Unclassified

Relevance to Standard
Standard | Clause | Title
[ISO 27001:2013] | [A6.2.1.] | [Mobile Device Policy]

License

Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.

Contents

Document Information
Mobile Device Policy
Contents
Bring Your Own Device (BYOD) Policy
1.0 Overview
2.0 Policy
    2.1 Registering Mobile Devices (and BYOD)
    2.2 Securing the Device
    2.3 Physical Security
    2.4 Software & App Installation
    2.5 Network Connections
    2.6 Malware Protection & Security Controls
    2.7 Remote Administration
    2.8 Backup
    2.9 iCloud & Other Device Accounts
    2.10 Removing Organisational Data & Apps
3.0 Data & Apps
    3.1 Audit & Monitoring
    3.2 Ownership
4.0 Related Policies

Bring Your Own Device (BYOD) Policy

1.0 Overview

With technology and working lifestyles changing, many organisations are
embracing the concept of employees using their own devices for work purposes.

The organization permits use of personal devices to access, store or process its
information assets on the following basis only.

2.0 Policy

2.1 Registering Mobile Devices (and BYOD)

All devices shall be registered with the IT Department before being used to access
the organisation’s information assets.

The following information may be recorded and retained by the IT Department for
support and security purposes:

• Make and Model of Device
• MAC Address
• Network / Mobile Service Provider
• OS Version
• Strength of Authentication (PIN Length, Biometrics)

2.2 Securing the Device

The user will be required to apply a PIN Number or Password that
conforms to the minimum complexity as defined in the password policy.

Where a biometric security option exists, this should be used in preference
to mitigate against PIN Numbers or Passwords being overlooked.

To access the organisation’s services and/or information assets, the user
may be required to install third party apps from reputable developers. The
organization accepts no responsibility for any loss or damage caused by
such apps and the user installs and uses the apps at their own risk.

The user may be required to install security apps that permit remote
erasure or control of the device. The organization accepts no responsibility
for any loss or damage caused by such apps and the user installs and
uses the apps at their own risk.

Where devices have a memory card capability, the user will ensure that
the memory card is encrypted and, so far as possible, ensure
organizational data is NOT stored on removable media.

2.3 Physical Security

The user’s own device should be protected as a minimum to the level
expected of a company device, see the Mobile Device Policy. Devices
should be stored and carried securely at all times. Careful consideration
should be given before leaving a mobile device in a car, on a table, or in
visible sight in a public place.

When using a mobile device, the user should always consider the
environment they are working in and be aware of opportunities to be
overlooked or overheard.

Mobile devices should not be left unattended in public at any time, and the
loss or theft of devices will be reported to the IT Department immediately.

2.4 Software & App Installation

The user undertakes to take reasonable steps to evaluate the integrity of
other apps installed on their device, to prevent as far as possible the
interception, corruption or other interference with the organisation’s app
and information assets.

The user will seek advice from the IT Department before installing any
apps where they are not confident in the above. 

Any security notification or warning that may affect the organisation’s apps
or information assets will be reported to the IT Department immediately.  

All software and apps installed on a mobile device shall be kept up to date
by the user to avoid any security vulnerabilities.

The underlying operating system of the device shall be kept up to date by
the user to avoid any security vulnerabilities.

2.5 Network Connections

Users will exercise caution when connecting mobile devices to public Wi-Fi
hotspots, or other connections, and this should be avoided as far as
possible.

For internet access, users should use the organisation’s authorized
network connection.

Remote access to the organisation’s network shall be via a secure VPN
connection only.

When using web-based services to carry out transactions or transfer
information, the user will ensure that a trusted SSL certificate is available
for the website in use. This is usually denoted by a padlock symbol
located somewhere in the browser window.

Security alerts and warnings should never be ignored, and where one
occurs the user should cease their activity immediately and report it to the
IT Department.

2.6 Malware Protection & Security Controls

Any applied Malware protection and any other security software should not
be disabled or removed from the device.

If the user believes that the software is not functioning correctly, it should
be reported to the IT Department at the earliest opportunity.

2.7 Remote Administration

The user understands that mobile devices may be remotely controlled,
disabled, locked out, tracked or erased by the IT Department to prevent
unauthorized access to data on the device.

The IT Department will not seek personal data such as photographs,
messages or music, however the user understands that while providing IT
Support, personal information may become visible to the IT Technician.

The IT Department will not access or store your personal information.

2.8 Backup

Data and/or the mobile device settings will be backed up subject to the
data backup policy.

2.9 iCloud & Other Device Accounts

It may occasionally be necessary to access administrator or other device
accounts, including iCloud accounts, to administer the device.

The user agrees to assist the IT Department where these accounts are
required and where these passwords must be entered to administer the
device.

The IT Department will NEVER ask for your password or account details to
be disclosed to them directly, however you will be required to enter the
details into your device in a reasonable time.

2.10 Removing Organisational Data & Apps

The user agrees NOT to sell or otherwise dispose of their personal device
before the organisation’s information assets have been removed and
securely erased by the IT department.

3.0 Data & Apps

Data and Apps include, but are not limited to:

• Email messaging apps and messages.
• Photos & Screenshots (related to the company).
• Voice Memos and Text Notes.
• Stored passwords for Cloud services and other apps.
• Cloud drives and service apps.
• VPN Settings

3.1 Audit & Monitoring

The organisation reserves the right to audit and monitor devices in line with
the policy above, and the user will make the device available within a
reasonable time frame.

3.2 Ownership

The device remains the property of the employee.

The organisation will not be liable for any data charges, in-app purchases or other
charges resulting from using the device.

4.0 Related Policies

Mobile Device Policy.
Cryptography Policy.
Password Policy.
Malware Policy.
Data Backup Policy.
