BYOD policy creation tips from Gartner

The methodology for BYOD policy creation that you follow may well decide how effective it is. Stephen Kleynhans of Gartner shares his recommendations.

Having a BYOD policy in place is the need of the hour for most organizations today. Given the rapid pace at which IT is getting consumerized, it is a safe bet that BYOD could be a game-changer in the future. Fragmented and ad hoc policies can no longer be thought to sufficiently address the growing concerns raised by BYOD and its proliferation.

Organizations need to create a comprehensive set of well-defined policy guidelines in order to rein in the threat that an uncontrolled avalanche of BYOD devices can pose. Only by acknowledging BYOD and charting out a comprehensive set of policy guidelines can compliance, consistency, security and availability be ensured for all employees. Here are a few points you need to keep in mind when determining policy goals and instituting a BYOD policy.

BYOD policy goals

Prior to creating a BYOD policy, employee-owned hardware usage needs to be reviewed thoroughly. When creating a BYOD policy, focus on using a defensible, repeatable methodology that takes into account hands-on device deployment. Your BYOD policy needs to define clear expectations on what can and cannot be done. The company must define the norms around who owns the device, who covers the voice/data services and who pays. Further, you need to define what is supported and at what level, plus who pays for support. You need to determine the level of enterprise network access that will be available and the security procedures that will be involved.

Apart from these common-sense considerations, make sure your BYOD policy does not miss trouble areas like exception management, legal liability, penalties for non-compliance and data transfer at end of employment. You need to balance flexibility with confidentiality and privacy requirements. It makes sense to have a contract for the BYOD policy in place that the employee signs when enrolling in the BYOD program. In terms of policies for non-employees accessing your networks (contractors, partners), your BYOD policy needs to be referenced in the terms and conditions of contracts.

BYOD policy creation methodology

As a rough road map, the following steps should be chalked out in creating a BYOD policy. Start by describing user types and use cases so that users can determine which category they fall into. Second, define potential usage scenarios that your organization is willing to support and the applications that are going to be involved to support those usages. Third, decide appropriate responses to address the identified needs and what tools will be used to cover these needs. The final step is documenting these policy decisions.

Looking at specifics, the following methodology is a good starting point for any BYOD policy exercise:

  1. Avoid myopic decision making: Always consider BYOD policies for the long term. As far as possible, BYOD policies need to be endpoint-independent, allowing you to make sufficient allowance for newer and emerging platforms and devices. Make policies end-to-end and cross-platform. These policies can be extended to any other devices that may be running on your network (contractors, temporary employees, partners, etc.)
    Consolidate your existing company-owned PC policies to cover employee-owned devices. You need to review, revise and extend existing policies and ensure there is no duplication of effort by working closely with any existing or ad hoc mobile device policy.
  2. Bring all relevant stakeholders on board: When creating a BYOD policy, all interested parties need to be involved in policy creation to cover any business contingencies and comply with HR and legal requirements. This will include the relevant business units, HR and personnel, IT and the legal department. Also consult closely with the app designers and network/security staff, and finally get end-user involvement.
  3. Avoid analysis paralysis - Don’t force-fit policies: Don’t try to come up with a perfect BYOD policy out of the box. The key idea here is to learn by doing. Trying to force-fit policies into ready templates will result in policy paralysis. A good way to avoid this is by setting up a pilot and recording what happens. Observations and improvements in policies can thus be added incrementally to keep things flexible and keep the policy evolving.
  4. Communicate policies effectively to appropriate audiences: Ensure that you have a plan in place to communicate your BYOD policy to your end-users. If necessary, you can target only those users that the policy applies to. However, make sure that you target end users, support staff, managers, etc. separately. Remember to select specific policy issues that are relevant to each audience and communicate them separately.

This tip is based on a talk on challenges and issues surrounding BYOD adoption, by Stephen Kleynhans, Research VP, Gartner, at the Gartner IT Infrastructure Operations & Data Center Summit 2012 in Mumbai.

(Compiled by Varun Haran)
