Approving mobile communication devices for employees
University Policy 317 sets the standards and conditions for requesting and authorizing an allowance for business use of an employee’s personal mobile communication device (MCD). This practice is part of a growing trend termed “Bring Your Own Device” (BYOD) environment.
According to Tom York, director of internal audit, promoting a BYOD environment can have positive implications for an organization including:
- Employees can be more productive. With their mobile device, they can access email and applications anytime, anywhere
- Workers can choose the device type to suit them, some employees are more comfortable on iOS or Android and would prefer a tablet, phablet or phone
- Entities can reduce time spent on mobile device management (MDM) for organization-issued devices, freeing up valuable ITS employee time for other tasks
“As with any program involving information systems, there are also significant risks to consider in allowing personal devices access to the University network,” said York. “Supervisors should regularly discuss some basic security practices with employees receiving an MCD allowance or accessing the university network with a personal MCD.”
Suggested topics for discussion are:
- Creation of a password or pass phrase for the device. This simple step may be a critical safeguard against data loss to the casual device thief
- Consider that mobiles devices and their data are subject to Public Records Act retention standards. All records created or used in transacting public business (including email and text messages) are subject to the Public Records Act, regardless of whether they were created or used on a personal or University-owned device. Business records on a personal device could be requested in response to public records requests
- Ensure applications are secure. Once the device accesses the University network, it brings its vulnerabilities with it. Malicious apps and other malware may be present on a device and could be passed onto the University network if an individual accesses websites indiscriminately away from work.
- Installation of remote wipe capability in case of loss. While an extreme measure, remote wiping can prevent sensitive personal and business data from falling into the wrong hands.
- Avoidance of playing games/watching video at work. The potential for a productivity drain is high with the temptation of social media, gaming, video and other sites and apps that consume a user’s time at home being brought into the workplace. What limits should be in place for these activities during the work day?
York added for employees who submit work hours each week, they should account for the time from work in which they conduct University business with their MCD. “You should not be checking or responding to work-related emails or text messages sent to your MCD during non-work hours unless your supervisor has approved the overtime/comp time and you include that time as time worked.”
BYOD is increasingly popular and can be a win-win for both employees and supervisors, but it is also up to both sides to mitigate the risks involved so that our network and its resources remain safe and secure, stated York.
Employees who have questions about the MCD allowance policy can contact the University Controller’s Office at 704-687-5756. Questions about mobile device security should be directed to the ITS Security Group through the Help Desk at 704-687-5500.
*Some of the content in this article is based upon an untangle.com story “BYOD Risks & Rewards.”