<agency>
Bring your Own Device (BYOD)
Policy
December 2013
<agency> BYOD Policy
CONTENTS
1.
2.
3.
OVERVIEW
3
1.1
Introduction and purpose
3
1.2
Scope and application
3
1.2
Reference documents
3
POLICY
4
2.1
Definitions
4
2.2
Terms and conditions of use
4
REQUIREMENTS
5
3.1
Bring your own device minimum requirements
5
3.2
Device Registration, Configuration and Management
6
3.3
Device Usage, Support and Costs
7
3.4
Protection of Agency data on your BYOD
9
3.5
Device Deregistration
DOCUMENT CONTROL
10
11
2
<agency> BYOD Policy
1.
OVERVIEW
1.1
Introduction and purpose
Technology is part of the everyday life of the modern public sector worker. Consumer technology is
evolving quickly and is often more advanced than the technology available in the workplace.
Employees increasingly prefer to use their own smartphones, tablets and other devices to access
corporate information. Empowering them to do so supports greater workplace mobility and
flexibility.
The purpose of this policy is twofold. Firstly, it aims to allow you ‘bring your own device’ (BYOD) for
business purposes. If your device is registered as a BYOD, you will be able to access <agency>’s
programs when and where you need to do so. Secondly, the policy aims to ensure that <agency>’s
systems and data are protected from unauthorised access, use or disclosure.
This BYOD Policy has been informed by the NSW Government Mobility Solutions Framework. The
Framework assists NSW Government agencies to define their agency specific mobility strategy and
approach.
1.2
Scope and application
This document sets out the terms of use for BYOD within <agency>. The policy applies to all
employees of <agency>, including permanent and temporary staff, contractors and employees of
<agency>’s partner organisations.
It affects any device or accompanying media that you may use to access the systems and data of
<agency>, whether they are used within or outside your standard working hours.
1.2
Reference documents
This policy supplements the <agency>’s <acceptable use policy name>.
You should also have regard to the following statutory rules, policy documents and standards. They
provide direct or related guidance for the use of technology and the collection, storage, access, use
and disclosure of data by NSW public sector agencies:
















AS/NZS ISO 31000 Risk management - Principles and guidelines
Electronic Transactions Act 2000
Government Information (Information Commissioner) Act 2009
Government Information (Public Access) Act 2009
Health Records and Information Privacy Act 2002
M2012-15 Digital Information Security Policy
NSW Government Open Data Policy
NSW Government Cloud Services Policy and Guidelines
NSW Government ICT Strategy NSW Government ICT Technical Standards – Mobility Framework
NSW Government Social Media Policy and Guidelines
TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector
Privacy and Personal Information Protection Act 1998
Public Finance and Audit Act 1983
Public Interest Disclosures Act 1994
NSW Procurement: Small and Medium Enterprises Policy Framework
State Records Act 1998
3
<agency> BYOD Policy
2.
POLICY
2.1
Definitions
Application – Computer software designed to assist end users to carry out useful tasks. Examples of
applications may include the Microsoft Office suite of products or smartphone applications such as
Google Maps.
Bring Your Own Device (BYOD) - Any electronic device owned, leased or operated by an employee
or contractor of <agency> which is capable of storing data and connecting to a network, including
but not limited to mobile phones, smartphones, tablets, laptops, personal computers and
netbooks. The accepted types of BYOD are listed in the Acceptable Device Types document
attached to this policy.
Data - Any and all information stored or processed through a BYOD. <agency’s> data refers to data
owned, originating from or processed by <agency>’s systems.
Device hygiene - BYOD must have appropriate and up-to-date ‘hygiene’ solutions installed. Device
hygiene includes anti-virus, anti-spam and anti-spyware solutions. Minimum requirements - The
minimum hardware, software and general operating requirements for a BYOD.
Mobile Device Management (MDM) – Solution which manages, supports, secures and monitors
mobile devices. <Note: <Agency> will conduct risk assessments to determine whether their
environment requires the implementation or not of such a solution. Implementation should ideally
be done ‘as a Service’ in accordance with NSW Government policy>.
Mobility Framework – The NSW Government Mobility Solutions Framework. The Framework
provides information and technical guidance to agencies when procuring mobility solution services.
Personal information – ‘Personal information’ is defined by s 6(1) of the Privacy and Personal
Information Protection Act 1988 (NSW):
Information or an opinion (including information or an opinion forming part of a database and
whether or not recorded in a material form) about an individual whose identity is apparent or can
reasonably be ascertained from the information or opinion.
Wipe – A security feature that renders the data stored on a device inaccessible. Wiping may be
performed locally, via an MDM product, or remotely by a network administrator.
2.2
Terms and conditions of use
The purpose of this policy is to allow you to use a BYOD if you wish to do so, while also ensuring you
take steps to minimise the risk of unauthorised access to <agency>’s systems or unauthorised use
or disclosure of the data held by <agency>.
You must review and accept this policy before using any BYOD. Your agreement to the
requirements of this policy is indicated by your <signature/acceptance> of the
<attached/electronic> BYOD Acceptance Form.
Acceptance indicates agreement to the following standard terms:

Acceptable BYOD: Any device may be considered for use as a BYOD providing it meets the
minimum requirements set out in this document. In general, an acceptable BYOD would be one of
the devices listed in the document referenced in the definition at part 2.1 of this policy.
4
<agency> BYOD Policy

Minimum requirements: The burden of proof for meeting minimum requirements rests with you,
the requestor. The final decision on whether your device meets our requirements is subject to the
approval of <title of approver>.

Matching our requirements and your work needs: BYOD capabilities and device profiles must
match <agency>’s requirements as well as the scenarios where you need to use a device for work.
For example, if you are usually a consumer of information when mobile, the profile of a tablet or
smartphone would be a good match. If you are a “creator” of information, a laptop or desktop
profile would be a better match.

Authority: You agree to provide limited authority over the device for the sole purpose of protecting
agency data and access on the device. This authority includes permission to wipe the device in the
event of loss or disposal. This may include personal data, address books and e-mail depending on
the data classification of information locally stored, the device and whether an MDM tool is used.
The authority is to remain in place from the time the device is registered until it is deregistered.
<Non MDM option> You should also provide your device to <relevant ICT contact> for a manual
check when you cease employment. You may be present at the time the device is manually
checked. >

Security: You are responsible for ensuring that your personal device is adequately secured
against loss, theft or use by persons not authorised to use the device.

Support: You are responsible for replacing, maintaining and arranging technical support for your
BYOD. <Agency> will only provide hardware, operating system or application support for the
applications that <agency> has provided.

Access at <agency>’s discretion: Access to <agency>’s systems and data is provided at the sole
discretion of <agency>. Your access may be revoked at any time and for any reason.

Enforcement: All breaches of this policy will be treated seriously. If you are found to have been in
breach you may be subject to disciplinary action.
3.
REQUIREMENTS
3.1
Bring your own device minimum requirements
The table below summarises <agency>’s minimum requirements for BYOD. You should read this
table with the explanatory text in the rest of this section (3.1).
Function
Minimum requirement
Configuration management
Operating systems

Your device must use a legitimate operating system that
meets the defined minimum standards (i.e. you may not
use a ‘jail broken’ device).
Network
authentication

The minimum network authentication is subject to agency’s
local requirements, e.g. the agency’s End User Environment
Directory Service with a minimum two factor
authentication required for external, 3G or internet access.
Password protection/
User authentication

Your device will support password authentication and
automatic locking that must be used at all times.
5
<agency> BYOD Policy
Automatic device lock

Your device must have the automatic lock enabled.
Device hygiene

Your device must have appropriate and up to date
‘hygiene’ solutions installed.
Lost and stolen
devices

If your device is lost or stolen you must report the loss or
theft immediately to the ICT Service Desk.
Mobile device
disposal

Any agency data on your device will be removed from the
device at the end of its use within the agency environment.
Software licensing

Operating systems and applications running on or required
by BYOD will be your sole responsibility as the device
owner.

<Agency> will conduct a risk assessment of the nature of
services to be offered to mobile devices and specifically to
BYOD. A risk assessment needs to be undertaken by
<Agency> to determine whether an MDM platform is
required to meet its security requirements. Note: If an
MDM platform is to be used, insert details in this section
BYOD authority

If your device is registered and used for BYOD, you agree to
surrender limited authority over the device for the sole
purpose of protecting agency data and access on the
device.
Mobile device
application control

If <Agency> has implemented a MDM solution, it has the
ability to push and remove our supplied applications from
your device to enhance its security or manageability.
Device support

You and the device issuer are responsible for supporting
your device.
Security management
Mobile device
management
Service management
3.2
Device Registration, Configuration and Management

Your BYOD must be registered before connecting to any <Agency> internal IT service.

A limit will apply to the number of devices that can be registered. <MDM option> The device must
be registered by connecting to <Agency> BYOD management service

<Non-MDM option> The device must be registered in accordance with <Agency> BYOD
requirements
MDM option

The device must be registered by connecting to <Agency> BYOD management service.
Non-MDM option

The device must be registered in accordance with <Agency> BYOD requirements.
6
<agency> BYOD Policy

You acknowledge that <Agency> will <non MDM option> directly and or <MDM option> remotely
change security configurations of the device to protect <Agency> data and software stored on the
device. These changes may include but are not limited to:
o
Refusal to register a device that fails minimum requirements (outlined above) or that
currently has installed banned software and services listed at <web link>.
o
Configuring certain security settings
o
<MDM option> Preventing the user from changing certain security settings
o
Applying a login code with an acceptable level of complexity to enable secure access to the
device
o
Automatically locking the device after an inactive timeout period (you will need to re-enter
the login code)
o
Installing software and digital certificates necessary to maintain security
o
Encrypting data stored on the device
o
<MDM option> Automatically wiping (either all code and data OR all agency code and data)
depending upon Agency MDM, device capabilities and specific requirements from the
device after a specific number of failed login attempts
o
<MDM option> Should any <Agency> configurations be removed that are required for
proper use of the device with Agency systems, these will be re-applied or access to
<Agency> systems, information and data will be prevented if the configurations cannot be
maintained.

You acknowledge that any <Agency> data stored on the BYOD remains the sole property of
<Agency and/or NSW Government> and that you have an obligation to protect the security of the
data.

You acknowledge that <Agency> has a right to inspect <Agency> data held on your personal BYOD.
MDM Option

The device must be registered at: <weblink to Agency MDM solution>
Non-MDM Option

The device must be registered in accordance with <Agency> BYOD requirements.

<MDM option> You understand that <Agency> may remotely monitor your device to ensure
security and software configurations are maintained.

<MDM option> You will not be prevented from installing the software or applications of your
choice on your device. However, <Agency> may block your access to <Agency> internal IT services if
any software/applications/data present a threat to <Agency> IT services, information or data.
3.3
Device Usage, Support and Costs

The service and its use are at your sole discretion and risk.
7
<agency> BYOD Policy

<Agency> does not impose a charge on you for registering your device.

You are responsible for supporting your device. <Agency> will only provide support for the
applications <agency> has provided.
Support
BYOD
Physical provisioning
Device owner
Replacement of defective/damaged device
Device owner
Operating system support including licensing
Device owner
Application support of device including licensing
Device owner
Agency provided/supported mobile applications
Agency service desk
Agency provided/supported thin-client applications
Agency service desk
Device connectivity / access
BYOD
Mobile internet
Device owner
Home internet / broadband
Device owner
VPN client
Agency service desk
Agency wireless
Agency service desk

<Subject to agency requirements/internal policy: <Agency> is not responsible for any costs incurred
by your use of your BYOD. <Agency> will not reimburse any voice or data charges, software or
application acquisition fees, support or insurance costs associated with your device except in
exceptional circumstances such as excessive business requirements.

<Agency> is not responsible for any inconvenience that you may experience in connection with
using <Agency> internal IT services on your BYOD.

You have sole responsibility for ensuring no other person has access to <Agency> software or data
stored on your BYOD.

<Agency> will not monitor the phone call or text message history of a BYOD. Where needed (for
example, in the case of a disciplinary matter) the call and text messages may be requested.

<Agency> will not monitor the web browser history on your BYOD when not connected to
<Agency> network(s).

<Agency> may restrict access to internet websites, services or other elements for operational or
policy reasons while your BYOD is connected to <Agency> networks including either wireless or
cabled connections.
 <Agency> may monitor your use of your BYOD while it is connected to <Agency> network. This
information may be collected and archived and may be subject to public access.
 You are responsible for abiding by all licence terms and conditions applicable to any software, apps,
data or information provided by <Agency> to your BYOD.
 You acknowledge that your use of a BYOD may involve <Agency>:
o
Preventing you from accessing <Agency> internal IT services
8
<agency> BYOD Policy
o
Locking your device
o
Wiping personal data from your device in accordance with the following circumstances:

Your BYOD is reported as being lost/stolen to <Agency> <MDM option>

You cease employment/contract with <Agency>

There is a suspected security breach, examples include but are not limited to,
modification of the device’s operating system, breaching <Agency> policies, or
detection of viruses or malware on the device <MDM option>

<Agency> may lock your device to prevent access to <Agency> information or data.

Preventing your device from connecting to <Agency> internal IT services.

Applying either a full or selective wipe of your BYOD <MDM option>.

Applying a manual selective wipe of your BYOD <non MDM option>.

Should you fail <number> times in a row to enter a correct login password for your
BYOD, a full wipe may be performed automatically on the device <MDM option>.
 While <Agency> will make all reasonable effort to ensure service is available <agency> does not
guarantee that access to <Agency> internal IT services, information or data will be available at all
times.
 If your BYOD is lost or stolen, you are responsible for reporting the event as soon as practicable to
<Agency> Service Desk on <phone number>. You must also:
o
undertake a device wipe as soon as practicable via <Agency MDM portal> <MDM option>
or via personal configuration utility <non MDM option>.
o
take reasonable steps to ensure that it is replaced as quickly as possible.
 <Subject to agency requirements> <Agency> will also provide you with a loan device so that you are
able to carry out your normal work activities.
3.4
Protection of Agency data on your BYOD
 <Agency> information, documents, and data classified as <insert> or that are subject to legal or
professional privilege must not be stored on BYODs and/or unapproved cloud-based services.
 <Agency> data must only be backed up to approved locations either within agency systems or
approved cloud service locations or providers.
 <Subject to agency requirements> You should check your device to ensure that automated cloud
backup is disabled.
 <Subject to agency requirements> You should take reasonable steps to reduce the risk of losing
your personal data. You may, for example, store your personal data separately from <Agency> data
through file partitions or using a separate memory card.
 You are responsible for backing up and restoring the data and configuration settings of your BYOD.
Personal data is not to be backed up to or stored by <Agency>. <Agency> is not responsible for any
personal loss or damage you may suffer by actions undertaken by <Agency> to protect <Agency>
data stored on your BYOD.
9
<agency> BYOD Policy
3.5
Device Deregistration
 <Agency> at its own discretion, may deregister any BYOD at any time without warning.
 <Agency> may deregister a BYOD that has not consumed <Agency> internal IT services for more
than <insert> months.
MDM Option

You can deregister your BYOD at any time by visiting <MDM portal>.
Non-MDM Option

The device must be de-registered in accordance with <Agency> BYOD requirements.
 You acknowledge that by deregistering your BYOD:
MDM Option
o
<Agency> will remove all <Agency> data, applications and security controls.
Non-MDM Option
o
You will need to present your BYOD to <Agency> Service Desk for inspection and
removal of all <Agency> data, applications and security controls.
 You will no longer be able to connect to <Agency> internal IT systems and data, unless the device is
re-registered.
 You are encouraged to remove any personal data if you are intending to dispose of your BYOD. If
you intend to sell or gift the device to another person you should ensure that it is wiped.
10
<agency> BYOD Policy
DOCUMENT CONTROL
Document history
Status: Draft
Version: 0.3
Approved by: <governance/approval body>
Approved on:
Contact: John Thomas, Director, ICT Services, Department of Finance and Services
Email: john.thomas@services.nsw.gov.au
Telephone: (02) 9372 8286
Review date
This Policy will be reviewed in six months from the date of this version and on an annual basis thereafter.
11