RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From:
Angela Fares <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Wed, 16 May 2012 15:25:08 -0500
Use of personally owned devices to access company owned information depends 
on the risk appetite of your organization.  Allowing use of personally owned 
devices to access company information can significantly increase security 
risks if the personally owned devices are not maintained and regularly 
updated in terms of security, compatibility with company owned software, 
etc.  Personally owned devices that contain personal information commingled 
with company information also create a great deal of legal headache in 
terms of whether or not the item is subject to search or seizure with 
reasonable cause.  Many organizations simply do not allow this to occur 
because of the liability issues at stake or, if allowed, it is because the 
device is necessary in order to perform the job.  In some states, terminated 
employees have filed suit over business use of personally owned devices in 
order to recover what they term as "unreimbursed business expense" and that 
could also be an ugly issue.  Also, personal devices may be shared or 
borrowed by employee family members who are not using a unique user sign-on, 
so if a breach of company information occurs...what then?

I do know of some organizations that allow limited use of employee owned 
devices.  The employee is usually (but not always) to sign an agreement 
limiting use of the device, understanding that the device is not covered as 
an employee expense, and is made aware that the device may be subject to 
search and seizure in the event of an adverse event that requires surrender 
of the hard drive or adverse event (the user is responsible for backup of 
personally owned information).  It is best to limit use of personally owned 
(or "public" terminals) to VPN access and/or web access where content exists 
on the network and cannot be downloaded except to a "recognized" company 
owned device.  It is even more desirable for network information to be 
restricted to company-owned devices only.

In the event of a termination where downloads could have occurred, it would 
be desirable to have the employee sign an agreement to remove any and all 
company owned data from personally owned devices.  Depending on your state 
rules, you may not be permitted to inspect personally owned devices without 
reasonable cause, so you are taking chances if you permit storage of 
company-owned information on personal devices.

Of course, always consult the lawyers, auditors, risk managers, and 
information security advisors.  A well informed ad hoc team can determine 
whether the risks identified are worth allowing use of personal devices. 
Personally, if someone has a personal device that is not necessary to the 
job role, why would you want to let them use it to access company 
information?  And, if the device is required, why wouldn't the company 
provide the proper tools for the employee to perform the job?

In other words, why take on more risks than necessary so that an employee 
can use "their" favorite phone or the latest electronic toy?  It certainly 
is interesting to think about...and scary too!

----- Original Message ----- 
From: "Mariani, Carolyn" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, May 08, 2012 2:10 PM
Subject: Policy for using employee owned hardware on the job


I'd like to know if any companies allow their employees to use their own
hardware, i.e., PCs, laptops, iPhones, iPads in place of company owned
ones.  If so, is there a form policy or procedure statement that
explains the company's right of access to this hardware (and information)
in case of litigation or audit, or when the employee leaves the company?

Carolyn Mariani, CRM
Director, Records Management
Warner Music Group
75 Rockefeller Plaza
New York, NY 10019
[log in to unmask]
212-275-2410


List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, 
place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask] 
