IT-1015 Bring Your Own Device (BYOD) Policy

Effective Date Jan 1, 2018

1.0   Overview

Bring your own device (BYOD) is the act of using a personal computing device (computer, tablet, phone, etc.) for work or business related activities. Florida Institute of Technology does not require employees to use personal equipment for business operations. Those employees who wish to use their personal devices must abide by the policy below. Florida Institute of Technology is not responsible for the purchase or costs associated with use of personally owned devices. In response to an increase in personally owned devices being used in the work environment, Florida Institute of Technology has established an official Bring Your Own Device (BYOD) policy.

2.0   Purpose

This policy defines the appropriate use and procedures for using personally owned computing devices on the Florida Tech network and the storage of intellectual property, sensitive data or University licensed software.

3.0   Scope

This policy applies to employees, faculty, students, guests and any other user that utilizes the network or computing resources provided by Florida Institute of Technology for business related activities with a personally owned device such as:

• Portable computers; e.g.; laptops, notebooks, netbooks
• Portable storage media; e.g.; USB storage devices, flash memory cards, CD/DVD ROM
• Mobile devices; e.g.; cellular smartphones, tablet computers

In some cases, these restrictions may be lifted by other official policies pertaining to certain staff, systems, or processes.

4.0   Policies

Faculty, staff and students who choose to participate in BYOD must abide by this policy and all University policies while using a personally owned device on the Florida Institute of Technology network.  Additional key mandatory policies when using personally owned devices include but are not limited to: IT-1001 Acceptable Use Policy, IT-1003 Transmission and Use of Sensitive Information, IT-1004 Securing Sensitive Information, IT-1005 Unsupported Operating Systems, IT-1008 Software Installation Policy and IT-1009 Support of Faculty and Staff Personal Computer Equipment. All Information Technology policies are available on the IT website: https://policy.fit.edu/.

Employees who participate in the BYOD policy must:

• Not store FIT’s Personally Identifiable Information or Sensitive Information on personally owned devices.
• Not access FIT’s Personally Identifiable Information or Sensitive Information from personally owned devices; unless authorized by the Executive Vice President.
• Destroy, remove or return all data, electronic or otherwise belonging to FIT, once their relationship with FIT ends or once they are no longer the owner or primary user of the device. (e.g. the sale or transfer of the device to another person)
• Remove or return all software application licenses belonging to FIT when the device is no longer used for FIT business.
• Notify the Information Technology Department of any theft or loss of the personal device containing data or software application licenses belonging to FIT.
• At no time may the personal device be connected to the secure FIT networks without prior authorization.
• Employees are expected to refrain from using their personal computing devices to conduct FIT-related business communications while operating a vehicle.  This prohibition includes using a personal computing device to place or receive calls or voicemail messages, read or respond to e-mails, text messages, or instant messages, surf the Internet, or for any other purpose related to FIT’s business while operating a vehicle. Employees who are charged with traffic violations resulting from the use of their person computing device while driving will be solely responsible for all liabilities resulting from such actions.

5.0   Devices and Support

All devices connected to the Florida Institute of Technology network are required to adhere to the Acceptable Use Policy. Devices must be registered under the users account and be current on all software updates and anti-virus solutions. Users are also required to follow the Policy on Digital Millennium Copyright Act (DMCA). IT may, without notification, prevent or ban any personally owned device which disrupts any University Computing resource or are used in a manner which violates any University policy.

Technical support for personally owned computing devices is limited to the following:

• Troubleshooting network connection issues while on the campus network.
• Troubleshooting and installation of approved University software resources.
• Configuration of email clients for connection to the FIT email system.
• Configuration of the SSL VPN client to allow access to secure resources with approval.
• Providing software application support if the software is required to perform job functions as determined by the Information Technology department. Note: It is the responsibility of the device owner to have and provide authentic, individually owned and registered software before assistance is provided.

Examples of support services that will not be provided, but not limited to:

• Troubleshooting device performance or hardware problems
• Installation of new or replacement hardware
• Troubleshooting software applications or cloud services
• Installing Operating system updates, patches or software applications not required for job functions
• Backing up device data or migration to another device
• Third party email clients/accounts
• Removal of malware, spyware or virus

 6.0   User Responsibilities

As a user of Information Technology resources you have the following responsibilities:

• You are responsible for registering your network devices in the network registration database in order to maintain access to the Florida Institute of Technology network.
• You are responsible for all traffic originating from your networked devices whether you generate the traffic, or not.
• You are responsible for abiding by all applicable laws set forth by Federal, State and Local Governments.
• You are responsible for protecting your privacy.
• You are responsible for not violating the privacy of others.
• You are responsible for keeping your network devices up to date with current security patches.
• You are responsible for using anti-virus software and ensuring that such software is at the most current release.
• You are responsible for protecting any and all sensitive data for which you have access to.
• You are responsible for following all applicable university policies relating to your use of Information Technology resources. These policies may be viewed at: https://policy.fit.edu/ 
• You are responsible for ensuring the security of Information Technology resources under your direct control.
• You are responsible for securing your granted access privileges and passwords for Information Technology resources.

7.0   Risk, Liabilities and Disclaimers

Employees who elect to participate in BYOD accept the following risks, liabilities and disclaimers:

• At no time does the University accept liability for the maintenance, backup, or loss of data on a personal device; nor personal data. It is the responsibility of the equipment owner to backup all software and data to other appropriate backup storage systems before requesting assistance from IT.
• IT provides limited security for the PanthAir wireless networks and at no time does the University accept liability for the security of the personal device when accessing the wireless networks.
• If determined that the use of the personal device is no longer required for job functions, the University may elect to discontinue providing computing resources to the device.
• The personally owned computing device is subject to the search and review as a result of litigation that involves the University.
• No employee or student should expect a guarantee of privacy in communications over the Internet and FIT’s network.
• Violations of this Policy may be discovered by routine maintenance and monitoring of FIT’s electronic communication systems and network, any method stated in this BYOD Policy, or pursuant to any legal means.  The employee and student consents to FIT monitoring, accessing, investigating, preserving, using and/or disclosing any electronic communications that utilize FIT’s networks in any way, including data, voicemail, telephone logs, Internet use, network traffic, etc., to the extent permitted by law.  FIT reserves the right to review, retain or release personal and FIT-related data on personal computing device to government agencies or third parties during an investigation or litigation. 

7.1   Reimbursement

Computer technology purchased for personal use will not be reimbursed by the University. This includes all hardware, software, licenses, and technology services, including repair or technical support services purchased with personal funds, regardless of intended use.

8.0   Enforcement

Employees and other persons employed by the university found to have violated this policy will be subject to disciplinary action based on the nature of the offense up to and including termination of employment.

Students and guests that are found to have violated this policy will be subject to disciplinary action based on the nature of the offence including but not limited to loss of network and computing access, and other actions the university administration deems appropriate.

9.0   Definitions and additional policies

Term	Definition
Up-to-date Anti-virus Protection	Virus Protection with definitions that are no more than 10 days old
Personally Identifiable Information	Defined by the NIST Special Publication 800-122: “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information”
Sensitive Information	Any information that can be used to identify you or another person. Examples include: personal information, medical records, financial information, University administrative computer data (employee records, student records, electronic documents that contain confidential information), passwords and account details, and research data.

 

Additional Policies referenced and related to the Bring Your Own Device (BYOD) Policy:

• IT-1010 Account Termination/Suspension
• IT-1012 Supported Web Browsers
• IT-1001 Acceptable Use Policy for Campus Information Technology Services
• IT-1003 Transmission and Use of Sensitive Information
• IT-1004 Securing Sensitive Information
• IT-1005 Unsupported Operating Systems
• IT-1006 Policy on Digital Millennium Copyright Act Violations
• IT-1008 Software Installation Policy
• IT-1009 Support of Faculty and Staff Personal Computer Equipment

10.0   Updates and Changes

Changes to this policy must be reviewed by the Information Technology Vice President. Once the Information Technology Vice President approves the wording and contents of the policy, this document must be reviewed and approved by the Information Technology Executive Committee before being put into effect.

Once approved, faculty, students and staff will be notified that the IT Bring Your Own Device (BYOD) policy is changing through postings to Fitforum and Facforum and the staff/faculty distribution lists. This posting does not need to contain the entire text of the IT Bring Your Own Device Policy, but the notice must indicate where copies of the policy may be reviewed.

New versions of this policy will take effect no sooner than 21 days after the approval of the policy by the Information Technology Executive Committee.