In the first part of this blog series on BYOD (Bring Your Own Device), we covered the introductory and perfunctory (at least they rhyme) must-knows about BYOD. Today, we’re moving on to the next question we’re often asked: How comprehensive a strategy do we need?
We can tell you – it’s not one size fits all.
Assuming your company decides to embrace BYOD, it’s a good thing. Or, it can be with the right approach. The right approach will set clear expectations and provide the tools to support and enforce them. The right approach may also differ in its details, taking into account your organization’s unique set of risks and requirements.
Building a BYOD Strategy: Where to Begin?
As a first step, we recommend our clients conduct a mobile risk assessment. As with any assessment, this one’s scope can be comprehensive or based on sampling. And whether internal or external resources carry it out, your assessment should include BYOD’s potential impacts to eDiscovery, records and information management, and security.
The assessment should include:
- Interviews with the internal experts who know the company’s information systems
- Discussion with stakeholders to identify needs
- An inventory of existing related policies
- An evaluation of potential risks and benefits
- An overview of the gap between existing infrastructure and policies and what would be needed to support BYOD
- An outline of estimated infrastructure costs
The results of the assessment provide the foundation for recommending whether or not the company should support BYOD.
BYOD Policy Considerations
If BYOD is a go, the second step is to analyze the options and alternatives for implementing BYOD. These include:
- Decisions about which devices to include in the program
- How much of the device enrollment and management process to automate and/or outsource
- Whether to subsidize the use of personal mobile devices
- Which applications and information to support
- How to roll out policy and controls and communicate impacts on employee personal device privacy
Seem tedious? We won’t lie – it is. That’s why developing an enterprise BYOD program typically requires a cross-functional team. Team make-up will differ from business to business, but representation is needed from many functions: IT, HR, Compliance, Risk Management, Security, and Legal.
Resources for Creating Effective BYOD Policies
While we don’t recommend fill-in-the-blank adoption of any BYOD model or policy, our eDiscovery Assistant™ app for the iPad does offer a Checklist of Considerations for Developing a BYOD Program and a template to serve as a starting point in developing your own BYOD Policy.
There are also plenty of resources available online to help you in crafting your BYOD policy – both free and for-fee. Here are a few that we think are worth a look:
- The BYOD Policy Template from IT Manager Daily offers a succinct, business-oriented overview of everything that should be considered in building a BYOD policy
- The public domain BYOD Toolkit issued by the Federal CIO Council in August 2012
- TechRepublic’s BYOD policy and other resources available by subscription only
- White papers, case studies, and other guides offered by vendors like Cisco, whose comprehensive Bring Your Own Device (BYOD) Smart Solution Design Guide is intended to help customers use Cisco products but is also a valuable general-purpose resource for making sure that all potential issues and questions have been considered.
Leveraging resources like these is one way to tackle designing a BYOD program that fits your business – or you can engage ESI Attorneys or other experienced outside resources to help you tackle the issue. If you’re interested in exploring how a firm like ours could help you explore the implications of BYOD on your eDiscovery obligations, we offer on-demand hourly consulting to help you make better decisions.
The best BYOD policies work backwards, starting with goals and then building towards desired outcomes. No matter how you go about building one for your organization, you can’t overlook the details and nuances that will affect your eDiscovery obligations and demands.