Use of personally owned devices to access company owned information depends
on the risk appetite of your organization. Allowing use of personally owned
devices to access company information can significantly increase security
risks if the personally owned devices are not maintained and regularly
updated in terms of security, compatibility with company owned software,
etc. Personally owned devices that contain personal information commingled
with company information also create a great deal of legal headache in
terms of whether or not the item is subject to search or seizure with
reasonable cause. Many organizations simply do not allow this to occur
because of the liability issues at stake or, if allowed, it is because the
device is necessary in order to perform the job. In some states, terminated
employees have filed suit over business use of personally owned devices in
order to recover what they term as "unreimbursed business expense" and that
could also be an ugly issue. Also, personal devices may be shared or
borrowed by employee family members who are not using a unique user sign-on,
so if a breach of company information occurs...what then?

I do know of some organizations that allow limited use of employee owned
devices. The employee is usually (but not always) to sign an agreement
limiting use of the device, understanding that the device is not covered as
an employee expense, and is made aware that the device may be subject to
search and seizure in the event of an adverse event that requires surrender
of the hard drive or adverse event (the user is responsible for backup of
personally owned information). It is best to limit use of personally owned
(or "public" terminals) to VPN access and/or web access where content exists
on the network and cannot be downloaded except to a "recognized" company
owned device. It is even more desirable for network information to be
restricted to company-owned devices only.

In the event of a termination where downloads could have occurred, it would
be desirable to have the employee sign an agreement to remove any and all
company owned data from personally owned devices. Depending on your state
rules, you may not be permitted to inspect personally owned devices without
reasonable cause, so you are taking chances if you permit storage of
company-owned information on personal devices.

Of course, always consult the lawyers, auditors, risk managers, and
information security advisors. A well-informed ad hoc team can determine
whether the risks identified are worth allowing use of personal devices.

Personally, if someone has a personal device that is not necessary to the
job role, why would you want to let them use it to access company
information? And, if the device is required, why wouldn't the company
provide the proper tools for the employee to perform the job?

In other words, why take on more risks than necessary so that an employee
can use "their" favorite phone or the latest electronic toy? It certainly
is interesting to think about...and scary too!

----- Original Message -----
From: "Mariani, Carolyn" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, May 08, 2012 2:10 PM
Subject: Policy for using employee owned hardware on the job

I'd like to know if any companies allow their employees to use their own
hardware, i.e., PCs, laptops, iPhones, iPads in place of company owned
ones. If so, is there a form policy or procedure statement that
explains the company's right of access to this hardware (and information)
in case of litigation or audit, or when the employee leaves the company?

Carolyn Mariani, CRM
Director, Records Management
Warner Music Group
75 Rockefeller Plaza
New York, NY 10019
[log in to unmask]
212-275-2410
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present,
place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]