Frequently Asked Question

B.Y.O.D. Policy (Bring Your Own Device)
Last Updated 2 years ago

The department has created this brief guide in response to the need for guidance on when it is appropriate to use your personal device (BYOD) for work practices in the Grado Department of Industrial Systems and Engineering at Virginia Tech.

Bring Your Own Device (BYOD) refers to the use of personal devices to perform work-related tasks. ISE understands the need for its users to have the freedom to communicate and access departmental information and services using their personal devices.

In an effort to comply with security standards and university policy, the department offers the following guidance on when to use, and when not to use, your BYOD. Note that you are not asked or required to use your personal devices for work-related tasks. Use of a BYOD is for your individual benefit and convenience. If you find that your job role requires the use of a device that is not supplied to you, please discuss the need with your supervisor.

What is acceptable use of BYOD?

  • Monitoring and responding to email.
  • Messaging, chats, and video conferencing.
  • 2-factor, web-based interaction with non-restricted content.
  • Requests for IT Support of your departmental devices.
  • Performing publicly accessible research.
  • General training materials and videos.

What uses are restricted and should not be performed on a BYOD?

  • Accessing P.I.I. (Personally Identifiable Information) or other protected data.*
  • Storing copies of P.I.I.
  • Using personal software to access or manipulate data that is classified as medium-risk and higher.**
  • Accessing departmental hardware such as file and print servers.
  • BYOD should not be used to circumvent or otherwise bypass security controls or restrictions that would normally be placed on state-owned hardware.

*Personally Identifiable Information (PII) is defined as:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

From <https://www.dol.gov/general/ppii>

** Asset Risk Classification. Use the following tables to determine which Risk Classification is appropriate for a particular type of university data or information asset/technology resource: endpoints, servers, applications, and network infrastructure. When mixed data falls into multiple risk categories, use the highest risk classification across all. Note: This is not an exhaustive list of all possible scenarios.

[Image: risk classification tables]

From <https://it.vt.edu/content/dam/it_vt_edu/policies/Virginia-Tech-Risk-Classifications.pdf>
