What is your policy and process for handling a lost or stolen device?
What is your policy and process for handling the decommissioning of a device (e.g., if user switches to new device, change in user’s role/title deems them no longer eligible for access, user leaves or is terminated by company, etc.)?
Will your company wipe the entire device, corporate data and apps only, or both?
Will you allow user to initiate wipe action(s) themselves (e.g., through self-service portal)?
Will your company set and enforce use of a whole device password?
Will your company ever wipe the whole device?
Will your company require limits on the use of cameras, browsers, Bluetooth or other applications and services?
Will you require users to acquire and install anti-malware as a condition for access to corporate data and apps? Will you provide such anti-malware? Will you require particular vendors or versions?
What is your policy and process for a user device that has been infected with malware?
Policy should expressly prohibit: (i) device “jailbreaking,” “rooting” or the equivalent; and (ii) making any other modifications to device hardware and/or OS software beyond routine installation of updates as directly provided by the applicable device maker or mobile operator. Performing such actions or making such unauthorized modifications is essentially an “inside attack” on device, application and data security, and should be treated very seriously.
Policy should be clear on process and timing requirements for reporting lost or stolen devices, changing to a new device and actions to be taken when an employee leaves the company.
Policy should be clear on whether or not you will require use of whole device password and associated requirements for frequency of change, minimum strength, etc.
Policy should be clear on whether or not you will wipe whole device and conditions under which you would do so (e.g., lost or stolen device, change to new device, move to new role, departure from company).
Policy should clearly state that you always reserve the right to wipe either company data and applications and/or the whole device if deemed necessary in your sole discretion to secure company data or applications.
Policy should be clear that wiping company data and applications may impact other applications and data (e.g., including but not limited to native address book data).
Policy should disclaim any liability for loss of personal applications or data, whether directly or indirectly resulting from the usage of company apps or data, and/or the wiping of such apps or data, or the whole device.
User should be encouraged to minimize the risk of losing personal applications and/or data.
Policy should be clear on any restrictions on the usage of cameras, browsers, Bluetooth, or other applications and services. (The ability to enforce such restrictions may be dependent on device capabilities, which in turn may become an eligibility consideration.)
Policy should be clear on any requirements for the use of anti-malware (including specific vendors or versions as applicable) and process and timing requirements for reporting any suspected instances of malware infection.
As more companies embrace the broad usage of individually-owned mobile devices for access to corporate applications and data, Good Technology is often asked for guidance on the establishment of an associated device usage policy. This slideshow, as outlined by Good Technology, is intended to provide guidance on questions that companies should ask themselves when establishing their own policies and related considerations.
Only your combined information technology (IT), human resource (HR), finance and legal teams — working closely with your executive team and business unit managers — can determine the exact corporate liable and/or individual liable policy that best fits your company, meets its financial goals and objectives, and takes into account security, legal, regulatory, tax or other requirements and considerations that may uniquely apply to your company and its operations.