Creating BYOPC policies: A win-win for IT and users

Defining BYOPC policies lets users know what they can and can't do when their PCs are connected to the network. With policies in place, employees won't have excuses not to comply.

The first step in developing a BYOPC strategy is to create BYOPC policies, and for this you need to understand the scope of your strategy. Jumping into implementation without knowing what you are implementing will likely waste time. You should consider acceptable use, liability, privacy, governance and enterprise-supported device policies.

Create and define BYOPC policies

When a company purchases, provisions and supports a computer, the company understandably expects to have full control over how employees use that computer. In a bring your own PC (BYOPC) environment, the lines of responsibility around proper use are blurred.

For example, a business may decide that employees shouldn't use company-owned desktops for personal tasks, such as tracking a family budget. This is precisely the kind of thing many employees would do with their own PCs, and they may not think that using a corporate device is any different.

Balancing the family budget with a company PC is unlikely to cause any problems, but devices with inappropriate material, such as illegally downloaded media or pornography, could become a human resources issue. Your organization should also clearly state BYOPC policies governing topics such as harassment with respect to personally owned devices.

One of the most important BYOPC policies is an acceptable use policy, which should specify the device owner's responsibility for protecting corporate information. For instance, employees should take care to protect personal devices that store sensitive data from loss or theft. If users install unauthorized applications on the same PCs that access corporate systems, IT must mitigate the risk of a user's PC eventually transmitting malware to company computers or data leaking through an inadequately secured PC.

IT can implement security controls in various ways, including verifying that anti-malware and personal firewall software are installed and up to date. When an employee's device does not meet the minimum BYOPC security requirements, you can deny it access to the corporate network. Network administrators can also require virtual private network (VPN) use to further protect communications between business systems and the employee's PC.
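The access decision just described, written as an added policy-as-code example (not from the original article): a personal PC's self-reported posture is checked against the minimum BYOPC requirements (anti-malware installed and current, personal firewall on, VPN in use), and any failure denies access while telling the user what to fix. The posture fields, the seven-day definition-age limit and the sample device reports are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Minimum BYOPC posture a personal PC must report before it is allowed onto
# the corporate network. The age limit is an assumption for this example.
MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass
class DevicePosture:
    """Constructed self-report from a personally owned PC (hypothetical agent)."""
    hostname: str
    antimalware_installed: bool
    definitions_updated: Optional[date]  # None when no product is installed
    firewall_enabled: bool
    vpn_connected: bool


def evaluate_posture(posture: DevicePosture, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed requirement is reported so the
    user knows what to fix; access is denied if any requirement fails."""
    reasons: List[str] = []
    if not posture.antimalware_installed:
        reasons.append("anti-malware software is not installed")
    elif posture.definitions_updated is None:
        reasons.append("anti-malware definition date is unknown")
    elif today - posture.definitions_updated > MAX_DEFINITION_AGE:
        age = (today - posture.definitions_updated).days
        reasons.append(f"anti-malware definitions are {age} days old (limit {MAX_DEFINITION_AGE.days})")
    if not posture.firewall_enabled:
        reasons.append("personal firewall is disabled")
    if not posture.vpn_connected:
        reasons.append("not connected through the corporate VPN")
    return (not reasons, reasons)


# Constructed sample reports: one compliant PC, one with stale definitions,
# one with no protection at all.
TODAY = date(2012, 7, 15)
SAMPLE_DEVICES = [
    DevicePosture("laptop-ok", True, date(2012, 7, 14), True, True),
    DevicePosture("laptop-stale", True, date(2012, 6, 1), True, True),
    DevicePosture("laptop-bare", False, None, False, False),
]


def access_decisions(devices=SAMPLE_DEVICES, today=TODAY) -> Dict[str, bool]:
    """Map each hostname to whether it may join the corporate network."""
    return {d.hostname: evaluate_posture(d, today)[0] for d in devices}
```

Only `laptop-ok` is admitted; the other two are denied with the specific requirements they failed.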

IT professionals may determine that the best way to balance protecting the business while allowing BYOPC is to use virtual desktops and applications. With this approach, an employee connects to an access gateway to reach a centrally managed virtualized application or desktop. This allows IT admins to maintain control over corporate apps and data without implementing substantial controls on employee-owned PCs. In such a scenario, you'd need to define policies describing how to use the virtualized desktops, establish access restrictions and describe how users would be grouped according to their roles and responsibilities.

Understanding the intricacies of liability will no doubt require legal advice. Situations that may raise liability questions include a leak of private or confidential data from a personal device, and the loss of personal data because of a business application error or as a result of poor advice from technical support.

User agreements can capture company policies, but employees should understand the details of those policies. Having an employee click through an end-user agreement may meet legal requirements for consent, but it does not mean employees understand the scope of the policies.

It's better for an employee to know up front that the business retains the right to alter a device connected to the corporate network -- including erasing personal data -- than to find out unexpectedly that the family photos are gone for good. When you describe key provisions of end-user agreements, it is also a good time to review best practices for protecting personal data, such as performing regular backups.

Clearly state your BYOPC policies and your privacy policy. Will the business download data from the employee's personal computer? For example, some mobile device apps download contact lists from mobile devices after installation. Users may have agreed to this by clicking through the end-user agreement, but it was a surprise to many and created a public backlash in at least one data-mining case. If you intend to perform operations on a personally owned computer, such as scanning for malware or checking security configurations, tell employees before you do it. Employees who do not wish to have required operations performed on their devices should be denied access to the corporate network.

About the author:
Dan Sullivan, who holds a master's degree in computer science, is an author, systems architect and consultant with over 20 years of IT experience, with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.

This was first published in July 2012
