Running Head: ALLY FINANCIAL BYOD POLICY
Bring Your Own Device (BYOD) Policy
Introduction
Ally Financial is a bank headquartered in Detroit, Michigan, although it is organized in Delaware. The purpose of this policy is to protect company information on employees' personal electronic devices and to safeguard the company from liabilities arising from a data breach or from employees leaving.
Effective Date
1-April-2019
Target Audience
Background
Our company holds very sensitive market information, and if it is leaked to our competitors we may suffer financial losses. Allowing employees to access company-critical data through their own electronic devices is a good idea, but at the same time it can result in critical privacy and security threats to the company. In addition, malware and virus attacks are very common across multiple devices and may affect the company's systems, leading to clogging. Employees may also leak sensitive trade secrets to unauthorized persons if their devices are stolen or used by friends, family members, or anyone other than themselves.
Definitions
Bring Your Own Device (BYOD) Policy
Acceptable Use
Ally Financial culture defines acceptable business use as only those activities that directly or indirectly support the operation and business goal of Ally Bank. It defines acceptable personal use on company time as limited and reasonable personal communication or recreation, such as game playing or reading.
Not all websites are accessible to employees during work hours or while connected to the corporate network; access is restricted at the discretion of the company. Examples of these websites include, but are not limited to:
- Social Networking
- Gambling
- Hacking
- Pornography
- Devices' camera or video capabilities are or are not disabled while on site.
Devices may not be used at any time to:
- Store or transfer illicit materials
- Store or exchange proprietary information owned by another company
- Harass others within and outside the company
- Take part in outside business activities, etc.
- Some of the apps allowed include: (general use apps such as weather, productivity apps, Facebook, etc., which will not be denied access)
- Some of the apps not allowed include: (apps not retrieved and verified through iTunes or Google Play, etc.)
- Some of the company-owned resources which may be accessed by the employee's device include email, calendars, contacts, documents, etc.
- Ally Financial policy does not tolerate behaviors such as texting or emailing while talking with customers, counting money, or doing any other business-related activity.
Devices and Support
- Smartphones which are allowed include Blackberry, Android, iPhone, and Windows (the IT department should provide a detailed list of other features such as models, operating systems, and versions).
- Tablets including iPad and Android are allowed (the IT department should provide a detailed list of other features such as models, operating systems, and versions).
- IT will deal with all connectivity issues. Accordingly, employees will not be allowed to contact either their device carrier or manufacturer for hardware or operating system related issues.
- IT should take all devices for proper configuration and job provisioning of standard apps, such as office productivity software, browsers, and security tools, before they can access the network.
Reimbursement
- Ally Financial will not be liable for employee reimbursement for any percentage of the cost of the device (indicate the amount of the company's contribution); alternatively, Ally Financial will contribute $X towards the overall device cost.
- Employees will not be reimbursed for charges such as plan overages and roaming.
Michigan Data and Privacy Protection Act
- Request or require an employee to disclose access information to gain access to or operate.
- Discipline or discharge an employee for transferring the employer's proprietary or confidential information or financial data to an employee's personal internet account without the employer's authorization.
- Restrict or prohibit an employee's access to certain websites while using an electronic communications device paid for, in whole or in part, by the employer or while using an employer's network or resources, in accordance with state and federal law.
- View, access, or utilize information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.
Security
- To prevent unauthorized access, devices must be password protected using the features of the device, and a strong password is required for the company network.
- Ally Financial password policy will be: Passwords must be 8 or more characters in length and contain a mix of upper-case letters, lower-case letters, numbers, and symbols.
- A feature shall be enabled on the device to lock it automatically, with either a PIN or a password, if the device stays idle for more than 10 minutes.
- After five failed login attempts, the device will lock automatically. To regain access, employees must contact IT.
- Jailbroken (iOS) or rooted (Android) devices are strictly denied access to the network.
- The company network system will have a list of approved apps. Employees will be automatically prevented from installing or downloading an app that is not on the list.
- Smartphones and tablets that are not approved and configured by IT are not allowed to connect to the network.
- Employees' personal-use smartphones and tablets are not allowed to connect to the network.
- IT will provide an automatically enforced user profile to each employee to limit access to company data.
- IT may remotely wipe the employee's device if: 1. the device is lost, 2. the employee terminates his or her employment with the company.
- IT will detect policy or data breaches and other similar security threats to the company's data security and technology infrastructure.
Risks/Liabilities/Disclaimers
- In the event that an employee's device is lost or stolen, IT will take the precaution of wiping it remotely to protect personal data. However, each employee is responsible for taking further precautions, such as backing up contacts and emails.
- The company reserves the right to disable services or disconnect devices without notification.
General Data Protection Regulation in Banking Sector
GDPR requires the banks to:
- Design, implement, and document privacy impact assessments and train the respective persons in the relevant BYOD processes.
- Review and adapt current IT architecture regarding data storage, transformation, and processing of personal data to fulfill GDPR requirements.
- Perform a personal data inventory: the creation of a harmonized business glossary and a mapping of all personal data.
Disciplinary Actions
Failure to comply with the company's policy statements will result in disciplinary action against the employee. The action taken will depend on the risk level of the violated statement. In extreme cases of violation, the company may terminate an employee or apply fines to wages.