BYOD Participation Agreement


In this presentation, Dentons’ Timothy Banks discusses BYOD (Bring Your Own Device) Participation Agreements. Key topics include:
- Administrative Issues
- Technical Controls
- Managing Day-to-Day Online Risk
- User Responsibilities
- Employer Access and Ownership
- Monitoring
- Employee Access
- Respect the Workday

Published in: Business, Technology

  1. Dentons Canada LLP BYOD Participation Agreement A framework Timothy M Banks, CIPP/C Partner T: 416-863-4424 follow: @TM_Banks Originally presented at the Canadian Institute’s 19th Annual Regulatory Compliance for Financial Institutions, November 14, 2013
  2. Administrative Issues: Prescribed Devices Service Level Standards • Limit suite of supported devices • IT/IS’s commitment • No unencrypted flash drives!! • Directory of supported devices • Caution against upgrades before testing Administrative Prerequisites • Who qualifies? What approvals? • Number of devices per individual • Financial support (or not) • Ready or not – IT/IS is now a service provider to employees • Employee’s commitment
  3. Technical Controls: IT/IS Controls • Device must be registered with IT • Inventory of devices • Encrypted storage • Digital Certificates • No manipulation • Strong authentication controls • No circumvention Mobile Device Management Software • Implement • Explain! • Audit of compliance with IT standards • Remote disabling, wiping • App / Software restrictions
  4. Managing Day-to-Day Online Risk: Maintenance Managing Online Risk • Update malware protection • Use malware protection • Applying operating system patches • Comply with authentication requirements • IT MUST cooperate Backups • User responsible for own data • IT – don’t frustrate with unnecessary controls Unsecured WIFI • Explain Risks • Policy against unsecured Restricted sites • Safe Apps & Software directory
  5. User Responsibilities: Physical Security • Device must not be left unattended • Examples: No vehicle trunks • Loss of possession reported immediately • No family-sharing of devices Responsibilities on termination of employment Data Control and Access • Data stored on network not device Segregation of Data • Work data in work apps • Personal data in personal apps • If you have a Gmail account on your phone, why are you using work email for personal business?
  6. Employer Access and Ownership: • Rights & Interest in Data • Rights of Employer Access • Waiver of ownership or rights in business data • Internal investigations • Responsibilities on termination of employment • Company litigation • Regulatory investigation • Compliance audits • Confidentiality to Employees • You are now a service provider
  7. Monitoring: Scope of Monitoring • Usage • Geolocation • Types of Apps • Attempts to jailbreak • Personal data Purpose of Monitoring • Policy enforcement • Productivity Consequences of Monitoring • Who gets the reports? • What are the consequences of violation? • Where is the monitoring data kept? • How long is the monitoring data kept? • Consider overtime issues Monitoring Methods • Automatic with reporting • Automatic with exception reports • Reasonable suspicion
  8. Employee Access: Employee Access Access by & Disclosure to Others • Access to the data • Stored in Canada? In U.S.? • What data will not be provided • How to get more information • Advise that laws of other jurisdiction may apply • Available to foreign corporate parent? • For what use? • Circumstances in which disclosed to law enforcement
  9. Respect the Workday: Work hours = Work • Doesn’t matter that it is “your” device • Two way street Restricted Site on Own Device • On a site that would otherwise offend code of conduct during work hours • Does it matter that it was lunch break?
  10. Questions Timothy M Banks t: 416-863-4424 e: follow: @TM_Banks Dentons Canada LLP
  11. The preceding presentation contains examples of the kinds of issues that corporations could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.