Skip to content

Remote Work and BYOD Policy

Document Information
Version {{version}}
Effective Date {{effective_date}}
Document Owner {{document_owner}}
Next Review {{next_review_date}}
Approved By {{approved_by}}

Purpose

The purpose of this Remote Work and Bring Your Own Device (BYOD) Policy is to outline the standards and procedures for employees who work remotely or wish to use their personal devices for work purposes. This policy is designed to safeguard {{company_name}}\'s (\"the company\") data and technology infrastructure while enabling flexibility and efficiency in modern work environments, including work-from-home and distributed workforce scenarios.

Scope

This policy applies to all employees, interns, contractors, and third parties who:

  • Work remotely from locations outside company premises
  • Access company systems, data, or networks from remote locations
  • Use personal devices (BYOD) for work purposes
  • Require remote access to company information systems and networks

Policy Statement

The company supports flexible work arrangements including remote work and, in limited circumstances, the use of personal devices for work purposes. All remote access and device usage must comply with the company's security protocols and standards to safeguard company data and IT infrastructure.

Remote Work Security

Remote Workspace Security

Employees working remotely must maintain a secure work environment:

  • Establish a dedicated workspace that provides privacy for confidential conversations and work
  • Ensure physical security of company equipment and data when working remotely
  • Lock computers when stepping away from the workspace
  • Prevent unauthorized individuals from viewing company information on screens
  • Store company devices and sensitive materials securely when not in use

Remote Access Controls

All remote access to company systems must be secured through approved methods:

  • Multi-Factor Authentication (MFA): MFA is mandatory for all remote access to company systems, applications, and data. This includes but is not limited to:

  • VPN connections

  • Cloud service access (email, file storage, business applications)
  • Remote desktop connections

  • Administrative access to any company systems

  • Approved VPN: Remote employees must use the company-approved VPN solution when accessing company networks and resources from remote locations

  • Secure Connections: Employees must only access company systems through encrypted connections. Direct exposure of company systems to the internet without VPN protection is prohibited

  • Public Wi-Fi: Use of public Wi-Fi networks for company business is strongly discouraged. If unavoidable, employees must:

  • Use company VPN at all times
  • Avoid accessing sensitive company information
  • Ensure MFA is enabled on all accounts
  • Report any suspicious activity immediately

Home Network Security

Employees working from home must maintain basic security standards for their home networks:

  • Change default passwords on home routers and Wi-Fi access points
  • Use WPA2 or WPA3 encryption for Wi-Fi networks
  • Keep home router firmware up to date
  • Disable remote management features on home routers unless specifically required
  • Use separate guest Wi-Fi networks for visitors when possible

Remote Work Device Management

Company-Provided Devices for Remote Work

  • All company-provided devices must comply with the security standards outlined in the Physical Asset Environment Security Policy
  • Devices must have endpoint protection software installed and maintained by {{it_provider}}
  • Operating system and application updates must be applied within the timeframes specified in the Cyber and Information Security Policy
  • Lost or stolen company devices must be reported to {{it_provider}} immediately

Personal Devices for Remote Work

See BYOD Policy sections below for requirements when personal devices are used for work purposes.

BYOD (Bring Your Own Device) Policy

BYOD Exceptions and Approval

The company does not generally permit the use of personal devices for work-related activities. However, limited exceptions may be granted on a case-by-case basis, provided that such use does not compromise the security of company data and IT infrastructure.

The following staff have been approved to use BYOD:

{{privacy_officer_name}} -- Mobile Phone -- Internet Banking

BYOD Device {{management_team}}

  • Employees must register their personal devices with {{it_provider}} before using them for work purposes.

  • The {{it_provider}} will install necessary security software and configurations on registered devices.

  • Regular updates and maintenance of the personal devices for security purposes are mandatory.

BYOD Security Requirements

  • Devices must be password protected with strong passwords and, where available, biometric authentication.

  • Devices must have up-to-date antivirus software, firewalls and OS Patches.

  • Lost or stolen devices must be reported to {{it_provider}} immediately.

  • Multi-Factor Authentication (MFA): MFA must be enabled on all personal devices used to access company systems and data

BYOD Acceptable Use

  • Downloading or storing sensitive company information on personal devices is strictly prohibited unless explicitly authorized.

  • Employees must avoid using public Wi-Fi networks for conducting company business. If required, VPN must be used at all times when on public networks.

BYOD Privacy Considerations

  • The company reserves the right to monitor, access, and review data on personal devices if they are used for business purposes.

  • Employees should have no expectation of privacy regarding their usage of company resources on their personal devices.

BYOD Incident Reporting

  • Employees must immediately report any security incidents or breaches involving their personal devices to {{it_provider}}.

Staff Responsibilities

  • All staff must read, understand, and comply with all components of this policy and all laws and regulations that apply to their role.

  • Employees are responsible for the security of their personal devices and must adhere to the best practices outlined in this policy.

Review

This policy will be reviewed at least annually or as needed based on changes to our business, technology, or regulatory environment.

Enforcement & Waivers

Violation of this policy may result in disciplinary action, up to and including termination of employment. Only by consent of the {{company_name}}'s {{managing_authority}} can a provision of the policies for a staff member be waived.

Essential Eight Alignment

This policy directly supports Essential Eight Maturity Level requirements:

  • E8 #7 - Multi-factor Authentication: This policy mandates MFA for all remote access to company systems, including VPN connections, cloud services, and remote desktop access. MFA is also required on all personal devices (BYOD) used to access company data.

Target Maturity: {{e8_target_maturity}}

Implementation Check

  1. Who owns this? {{policy_owner}}
  2. Are we doing it? {{implementation_status}}
  3. When will we check again? {{next_review_date}}