As I indicated in an earlier post, before you can start planning how to secure the influx of personal devices that will surely hit your environment, you must have a policy, so that you understand what you will need to enforce.
The first item that must be addressed is the fact that the device you will be dealing with is owned by the individual.
When people own something, especially a mobile device, they feel entitled to use it as they see fit. So it's critical that you establish up front that using a personal device to do company business is a privilege, not a right, and that the privilege can be taken away.
So make it one of the top points of the policy that if an associate is found not to be upholding the BYOD policy, that privilege will be revoked immediately.
Next, either reference or include the existing policies that govern the handling and protection of corporate data. The associate must understand that using a personal device in no way relieves them of their responsibility to abide by the rules already in place for securing corporate data.
Then comes the issue of having corporate data on a personal device and how that data will be stored and managed. The policy should state that all company data will be stored on a separate partition (or container) on the device. This data must be confined to that partition and will never be shared with or copied to the personal partition. You must do this so there is a clear demarcation between personal and company data.
Next, specify that this partition must be accessible to the company for the purpose of review, including but not limited to audits, data management, and scans. Stating this in advance prevents disputes that may otherwise arise when the company needs to access its data on a personal device. As a follow-on to this item, state that the company partition may be wiped by the company at any time, and that doing so does not require the knowledge or consent of the individual.
Also include a statement that only approved devices will be eligible for the BYOD program. What that approved list should contain is another topic in and of itself. However, it needs to be clearly stated that this program is not an open-door policy for any personal device. This gives the company some control over the devices that are now on its network.
As for the data itself, I would recommend stating that the company may require that data on the company partition be encrypted. Regardless of whether you are in a position to actually enforce that today, give yourself some room for future decisions.
In regards to other safeguards, I would include a statement that the device must have a recognized, company-approved anti-virus/anti-malware solution installed. This requirement applies to every device eligible for the BYOD program, and yes, that includes iOS devices. If there is no compliant solution on the device, then the associate must either install one of their choosing, as long as it's on the approved list, or allow the company to install a package of its choosing.
If backups are part of your culture, then include a statement that only data on the company partition will be backed up, and that the device must be able to support the corporate backup software. This typically means installing an agent. You may want to allow an alternative here: if the device does not support the backup agent, then the individual is responsible for backing up the company data to an approved corporate storage server.
Additionally, state that the company partition will require corporate credentials to be entered before the data can be accessed. Again, even if you're not yet sure how you're going to implement this, you need to treat the company partition as a separate entity on the personal device that is an extension of the company, and include this provision.
There may be other provisions that your company would like to include, but this should supply an initial template. Next steps in the BYOD adventure coming soon.