CYB_250_BYOD_Policy_Update
School: Southern New Hampshire University
Course: 250
Subject: Information Systems
Date: Dec 6, 2023
Pages: 6
Uploaded by DrTree1894
BYOD Policy
This policy is intended to protect the security and integrity of the organization’s data and
technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and
platforms.
Employees must agree to the terms and conditions set forth in this policy in order to be able to
connect their devices to the company network. Acceptance of this policy is required as part of new
employee orientation.
The organization acknowledges the growing trend of employees using personal devices for
work-related purposes and recognizes the need to ensure the security of company data while accommodating
this practice. In response to this, the organization has implemented a segmented network specifically for
employees to use for their personal devices. This policy update outlines the guidelines and rules for the
use of personal devices on the company network. Please pay particular attention to the highlighted
sections as these represent policy updates.
Acceptable Use
The organization defines acceptable use as activities that are personal in nature and do not
involve any business function.
The organization defines acceptable personal use during business hours as reasonable and
limited personal communication or recreation, such as reading or game playing. Acceptable
personal use during business hours should only occur during break or lunch times.
Employees are blocked from accessing certain websites during work hours and while connected
to the network at the discretion of the organization.
Devices’ camera and/or video capabilities are not disabled while connected to the network.
Devices may not be used at any time to:
o Store or transmit any information belonging to the organization
o Conduct regular business for the organization during normal business hours
o Engage in activities in performance of duties for another organization
Personal devices may be used to access organizational email, calendars, and contacts.
The organization will provide a segregated network for employees to connect their personal
devices. This network will be separate from the main company network and will be specifically
designated for personal device use.
Access to certain company resources may be restricted on the personal device network.
Employees should only access resources necessary for their job functions, and any unauthorized
access or sharing of access credentials is strictly prohibited.
Devices and Support
Smart devices and tablets such as iPhone, Android, iPad, or any other smart devices are
permissible for use.
Connectivity issues may be supported by IT on a limited basis.
Devices must be presented to IT before they can access the network.
Security
In order to prevent unauthorized access, devices must be password protected using the features
of the device at all times.
A strong password is required to access the company network. Passwords must be at least six
characters and a combination of upper- and lowercase letters, numbers, and symbols.
The device will have security software, owned by the organization, installed for use in multifactor
authentication.
After eight failed login attempts, the device’s access to the network will be suspended. IT must
be contacted to have access to the network reinstated.
Smart devices and tablets that are not presented to IT for clearance will not be allowed to
connect to the network: no exceptions.
The employee’s device may be remotely wiped if 1) the device is lost, 2) the employee
terminates his or her employment, or 3) IT detects a data or policy breach, a virus, or similar threat
to the security of the organization’s data and technology infrastructure.
All personal devices used for work-related tasks must adhere to the organization's security
standards. This includes maintaining up-to-date antivirus software, enabling encryption, and
implementing password protection. Employees should also ensure that their devices are locked
when not in use.
All data transmitted and received on the personal device network will be encrypted to ensure
the security and privacy of company data. Employees should not bypass or disable encryption
mechanisms.
Employees must immediately report any security incidents or concerns related to their personal
devices or the personal device network to the IT department.
Risks/Liabilities/Disclaimers
While IT will take every precaution to prevent the employee’s personal data from being lost in
the event it must remote wipe a device, it is the employee’s responsibility to take additional
precautions, such as backing up email, contacts, etc.
The company reserves the right to disconnect devices or disable services without notification.
Lost or stolen devices must be reported to IT within 24 hours.
The employee is expected to use their devices in an ethical manner at all times and adhere to
the organization’s acceptable use policy as outlined above.
The employee is personally liable for all costs associated with their device.
The employee assumes full liability for risks including, but not limited to, complete loss of
personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other
software or hardware failures, or programming errors that render the device unusable.
The organization reserves the right to take appropriate disciplinary action up to and including
termination for noncompliance with this policy.
The organization reserves the right to monitor network traffic and device usage for security and
compliance purposes. Employees should be aware that their use of personal devices on the
company network may be subject to monitoring. Failure to comply with this policy may result in
disciplinary action.
Employees using personal devices for work-related tasks are responsible for the security and
maintenance of their devices. The organization is not responsible for personal device hardware
or software issues.
Organizational Impacts:
The introduction of a segmented network for personal devices will have several impacts on
the organizational culture:
1. Increased Security Awareness: Employees are likely to become more aware of the need
for proper security measures on their personal devices, which can contribute to a culture
of cybersecurity awareness and best practices.
2. Privacy Considerations: Employees may be more cautious about using personal devices
for personal matters on the segmented network if they are aware of monitoring. This
could lead to a shift in behavior toward using personal devices primarily for work-related
tasks while on the company network.
3. Improved Data Protection: The culture will likely be positively impacted by a stronger
commitment to data protection, reducing the risk of data breaches or incidents involving
personal devices.
Additional Policy Update Recommendation:
In line with a systems thinking approach and to further enhance security and data
protection, the organization should consider implementing the following additional policy
update:
Multi-Factor Authentication (MFA) Requirement:
To enhance security on both the main company network and the segmented personal
device network, the organization should mandate the use of multi-factor authentication (MFA)
for all employees accessing company resources. This additional layer of security will help
protect against unauthorized access, even in cases where login credentials may be compromised.
MFA is a crucial security measure that helps prevent unauthorized access to company
resources, even if login credentials are stolen. Implementing MFA can significantly reduce the
risk of security breaches, further safeguarding company data and systems. This update aligns
with a holistic approach to security, addressing not only personal device usage but also
enhancing security across the entire organization.