Incident Response Sample Policy (BYOD)

The major sections of a BYOD policy can be:
  • Acceptable Use Policy
  • Supported Devices
  • IT Staff & Support Provided
  • Costs & Reimbursements
  • Security Controls
  • Ownership & Liability
  • Disclaimers

Acceptable Use Policy
  • Define the activities acceptable on the device, e.g. reading, surfing the web.
    Browsing risky or malicious sites is unacceptable
  • Define the activities acceptable during office hours.
    Any recreational use may be unacceptable; any relaxations must be specified
  • Block/blacklist websites that must not be accessed
    Blocking should be automated and the rules specified
    The websites must be listed (though not limited to):
    Website1, Website2...
  • Media capture capabilities, e.g. camera/video, must be limited and specified
    Not permitted within sensitive zones where company data is displayed
  • The device must never be used for storage, transfer, or any illegal activity involving company data of any kind
  • Acceptable list of applications
    Specify the whitelisted list
    Specify the blacklisted list
  • Devices may only use specified protocols to access company resources
    Specify the protocol and steps
    Any violations must be blocked automatically

Supported Devices
  • Acceptable device operating systems, e.g. Android, Apple iOS, BlackBerry
    Mention the complete list
  • Acceptable smartphones/tablets/PDAs, e.g. Apple, BlackBerry, etc.

IT Staff & Support Provided
  • Device hardening is mandatory before connecting to the company network or other resources
  • Support for any connectivity issues will be handled by IT staff
  • No third party may make changes to the device without prior permission from IT staff
  • IT staff shall provision all company-approved business productivity apps or resources on the device

Costs & Reimbursements
  • On loss of or damage to the device, the company is not liable for reimbursement.
    If the company does reimburse, specify the amount or percentage of the cost to be paid
  • Device data plans or allowances the company may pay for
    Specify which employee roles are eligible for this facility
  • Reimbursements are not available for the following:
    Specify the list, e.g. loss of device, personal calls, roaming, etc.

Security Controls
  • Mandate password protection and auto-lock on the device
  • Mandate a strong password policy for access to company data, and lock out access on any misuse
    Specify the password requirements, e.g. a 12-character password with at least 2 digits and 1 special character
  • Jailbroken or rooted devices are banned
    Specify the full list of acceptable operating systems
  • Prohibit any blacklisted resource (apps), including its download and installation
    Enforcement should be automated
  • Personal-use-only devices may never be connected to company networks
    Monitor and allow only devices that serve the business
  • Identify each device; access to company data should be role-based
  • Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances
  • Employees must be given a deadline to report loss or mishandling of the device, e.g. 24 hours

Ownership & Liability
  • Remote wipe will be performed by IT staff, which may affect employee data under certain circumstances
  • Loss of or damage to the device must be reported at short notice, e.g. within 24 hours
  • Reporting device damage to the bank or service provider is the employee's responsibility
  • Any device not complying with the acceptable use policy may be disconnected from company networks
  • The company reserves the right at any time to allow or disallow devices from connecting
  • The company also reserves the right to revoke the policy when requirements demand

Disclaimers
  • The device owner remains liable for all data (personal/company) on the device and for its loss or misuse

Policy Framework & Basics
  • Specify every detail possible
  • Define the scope, authority and role of the policy
  • The policy should not be ambiguous or open to multiple interpretations
  • Clearly state the controls the IT staff have
  • Specify each control step or response expected from each party
  • Specify mandates
  • Clearly specify the steps to recover
  • Train staff so that they have a working understanding of the policies
  • Specify the communication and reporting steps, and each authority and role
  • Specify the related legal implications
  • Specify controls on media and data, and which access is denied and allowed

Reference

1. Incident Response by Leighton R. Johnson

What are the critical areas incorporated in your BYOD Incident Response Policy? Share your thoughts in the comments below.
CISO Platform