Main Nav

I have noticed corporations have pursued the path of security policies for the BYOD environment much more that higher ed environments. I would welcome word from higher ed institutions that have developed, or are currently working on developing, BYOD security policies.

Kind regards,

Dr. Jacques du Plessis
Interim Chief Information Officer
University of Wisconsin, Milwaukee

"Fluidity is the way to life. Fixation is the way to death. This is something that should be well understood." 
-Miyamoto Musashi, the Book of Five Rings

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at




I’m pleased to see this question come up on the CIO Listserve because ECAR has relevant information to share about current BYOD policy and practices related to security. In research published earlier this year (2013), we found that though formal policies for BYOD are scarce, they are common where they matter most – like for security issues. Below (and attached) are two figures from the full ECAR BYOE report (we titled it BYOE – bring your own everything, rather than BYOD – which is device-centric) about what higher education leaders say about their policy customs for security-related issues.


This is just a snippet of our findings, and more information about BYOE in higher education can be accessed via the ECAR Research Hub: In addition to covering BYOE security policies and practices in the final ECAR report on this hub, we published a separate, stand-alone report titled, “IT Security in the BYOE Era.” This is where we introduced the notion that risk management and raising user awareness are the foundations of good BYOE security practices.


Since the ECAR work cited here is currently available to ECAR subscribers only, I’ll direct your attention to the publically available EDUCAUSE Review Online for March/April 2013 that has a BYO focus. In particular, the article on “The Policy of BYOD: Considerations for Higher Education” by Stephen diFilipo is rather insightful when it comes to considering the cost-to-benefit ratio for establishing BYO policies.


Please feel free to contact me directly if you have comments or follow up questions about the ECAR work on BYOE issues.




Eden Dahlstrom  Senior Research Analyst

Data, Research, and Analytics
Uncommon Thinking for the Common Good
1150 18th Street, NW, Suite 900 Washington, DC 20036
direct: 303.939.0330 | mobile: 530.903.2305 |




I am beginning to look at formulating such a policy at the institutional level, have consulted with Gartner, and have also begun conversations with certain stakeholders.

In the meantime, we have updated our AUP ( to mention security requirements for personally-owned computers. We are also actively educating our end users on best data security practices and reminding them not to place sensitive information in the cloud. Internally within my IT division, we taken a certain BYOD position and issued the following position statement for IT employees:

"As a business practice, Information Technology (IT) provides each of its employees with a suitable computer to use in the performance of his/her work at Pepperdine.  To ensure optimal performance, IT refreshes all IT-owned computers every 3 to 4 years.  Therefore, there is no reason for an IT employee to use a personally-owned computer for Pepperdine work; and IT management will never ask an IT employee to do so.  Those IT employees that receive telephone allowances are responsible for the repair and replacement of their telephones.  Any IT employee that chooses to use a personally-owned computer or other electronic device for Pepperdine work assumes sole responsibility for any damage the equipment may suffer during the course of Pepperdine work.  IT will not be responsible for any support or replacement of any personally-owned computer or electronic device.  Furthermore,  it is absolutely prohibited to store restricted information on a personally-owned computer or other electronic device."

What we have found at Pepperdine (and I'm sure this is shared by many of you) is that many individuals bring in their own personal devices either because their work computer is too old/slow or their department does not provide a work computer. For the latter, one of our schools requires its adjuncts to use their personally-owned devices; hence, a position statement like ours will not work for them.

Hope this helps. Happy to discuss more offline.


Jonathan See
Chief Information Officer
Pepperdine University