Recommendations and privacy requirements for a bring-your-own-device user policy and agreement

Abstract

The purpose of a bring-your-own-device (BYOD) program is to increase productivity as it allows individuals to access and manipulate data from non-traditional workplaces to support mission requirements. The United States Marine Corps(USMC) has started a pilot BYOD program, but a user policy for the USMC BYOD program has not yet been identified, despite the driving force that policy has on final implementation and potential acceptance. Therefore, this thesis answers the question, is it possible to develop a BYOD user policy for the USMC that minimizes risk for all parties while allowing for the intended flexibility? Three case studies were conducted on organizations that have implemented BYOD programs, comparing user policies and best practices to mitigate risks and address user privacy concerns. The case studies were also compared with governing Department of Defense instructions and National Institute of Standards and Technology guidance to identify a baseline of applicable security controls to formulate a viable user policy and agreement to support USMC security requirements. This thesis found that a clearly articulated user agreement tailored to the USMC’s technological solution can be written to support the successful implementation of its BYOD program to ensure the benefits outweigh the potential risks.