Original policy

Module Six Activity

BYOD Policy

This policy is intended to protect the security and integrity of the organization’s data and technology
infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.
Employees must agree to the terms and conditions set forth in this policy in order to be able to connect
their devices to the company network. Acceptance of this policy is required as part of new employee
orientation.

Acceptable Use
· The organization defines acceptable use as activities that are personal in nature and do not involve
any business function.
· The organization defines acceptable personal use during business hours as reasonable and limited
personal communication or recreation, such as reading or game playing. Acceptable personal use during
business hours should only occur during break or lunch times.
· Employees are blocked from accessing certain websites during work hours and while connected to
the network at the discretion of the organization.
· Devices’ camera and/or video capabilities are not disabled while connected to the network.
· Devices may not be used at any time to:
o Store or transmit any information belonging to the organization
o Conduct regular business for the organization during normal business hours
o Engage in activities in performance of duties for another organization
· Personal devices may be used to access organizational email, calendars, and contacts.

Devices and Support

· Smart devices and tablets such as iPhone, Android, iPad, or any other smart devices are permissible
for use.
· Connectivity issues may be supported by IT on a limited basis.
· Devices must be presented to IT before they can access the network.

Security
· In order to prevent unauthorized access, devices must be password protected using the features of
the device at all times.
· A strong password is required to access the company network. Passwords must be at least six
characters and a combination of upper- and lowercase letters, numbers, and symbols.
· The device will have security software, owned by the organization, installed for use in multifactor
authentication.
· After eight failed login attempts, the device’s access to the network will be suspended. IT must be
contacted to have access to the network reinstated.
· Smart devices and tablets that are not presented to IT for clearance will not be allowed to connect
to the network: no exceptions.
· The employee’s device may be remotely wiped if 1) the device is lost, 2) the employee terminates
his or her employment, 3) IT detects a data or policy breach, a virus, or similar threat to the security of
the organization’s data and technology infrastructure.

1
Risks/Liabilities/Disclaimers
· While IT will take every precaution to prevent the employee’s personal data from being lost in the
event it must remote wipe a device, it is the employee’s responsibility to take additional precautions,
such as backing up email, contacts, etc.
· The company reserves the right to disconnect devices or disable services without notification.
· Lost or stolen devices must be reported to IT within 24 hours.
· The employee is expected to use their devices in an ethical manner at all times and adhere to the
organization’s acceptable use policy as outlined above.
· The employee is personally liable for all costs associated with their device.
· The employee assumes full liability for risks including, but not limited to, complete loss of personal
data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or
hardware failures, or programming errors that render the device unusable.
· The organization reserves the right to take appropriate disciplinary action up to and including
termination for noncompliance with this policy.

Revised BYOD Policy:

At our organization, we take the security and integrity of our data and technology infrastructure
seriously. This policy is designed to ensure that all personal devices used by employees comply with our
standards for security and acceptable use.

Acceptable Use:

We define acceptable use as any activity that is personal in nature and does not involve any business
function . Reasonable and limited personal communication or recreation, such as reading or game
playing, is allowed during break or lunch times . However, employees must understand that certain
websites are blocked during work hours and while connected to the network at our discretion. The
camera and/or video capabilities of personal devices are not disabled while connected to the
network. Personal devices may be used to access organizational email, calendars, and contacts.

Devices and Support:

Smart devices and tablets, such as iPhone, Android, iPad, or any other smart devices, are permitted
for use . However, devices must be presented to our IT department before they can access the
network. Connectivity issues may be supported by IT on a limited basis.

Security:

2
Our organization takes the security of our data and technology infrastructure seriously, and as such, we
require all devices connecting to our network to be password protected using the device's built-in
features at all times. We also require a strong password that is at least six characters long and
includes a combination of upper- and lowercase letters, numbers, and symbols to access the
company network. Our devices come equipped with security software owned by the organization for
multifactor authentication purposes, further enhancing our security measures.
We have also implemented a policy that after eight failed login attempts , a device's access to the
network will be suspended , and IT must be contacted to have access reinstated . Any smart devices
and tablets that have not been presented to our IT team for clearance will not be permitted to
connect to our network under any circumstances.
In the unfortunate event of a lost or stolen device , or if IT detects a data or policy breach, a virus, or
a similar threat to our data and technology infrastructure, the employee's device may be remotely
wiped . Additionally, if an employee terminates their employment, their device will also be wiped. We
understand the importance of securing our data and technology infrastructure, and these measures
help us to maintain a safe and secure environment for our organization.

Emerging Workplace Trend Requirement:

We prohibit employees from using personal devices for work-related activities outside of normal
business hours unless explicitly approved by their supervisor. If an employee does use their personal
device for work-related activities outside of normal business hours, they must ensure that their device
is secure and complies with this policy.

Risks/Liabilities/Disclaimers:

While IT will take every precaution to prevent the employee’s personal data from being lost in the
event it must remote wipe a device, it is the employee’s responsibility to take additional precautions,
such as backing up email, contacts, etc. The company reserves the right to disconnect devices or
disable services without notification. Lost or stolen devices must be reported to IT within 24 hours. The
employee is expected to use their devices in an ethical manner at all times and adhere to the
organization’s acceptable use policy as outlined above. The employee is personally liable for all costs
associated with their device , and they assume full liability for risks, including but not limited to,
complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware,
and/or other software or hardware failures or programming errors .

The policy update outlined above would have a significant impact on the organizational culture. It sets
clear expectations for employee behavior regarding the use of personal devices, ensuring that they
comply with the organization's security standards and acceptable use policy. It also highlights the
importance of data security and the need for all employees to take responsibility for protecting the
organization's data and technology infrastructure.

One additional policy update that could be implemented from a systems thinking approach is the
requirement for all employees to undergo regular cybersecurity training. This training would help
employees understand the risks associated with using personal devices on the company network

3
JumpCloud. (2021, April 26). How to Create a BYOD Policy. https://jumpcloud.com/blog/how-to-create-
a-byod-policy

SHRM. (n.d.). Bring Your Own Device (BYOD) Policy., from

https://www.shrm.org/resourcesandtools/tools-and-samples/policies/pages/
bringyourowndevicepolicy.aspx

Dialpad. (2019, August 22). How to create a BYOD policy for your small business. Dialpad Blog.
https://www.dialpad.com/blog/byod-policy/