How am I going to protect corporate data not only on an employee’s personal mobile device but also when it’s traveling between devices?

• Require that any data movement must happen within secure services provided by the organization, such as backup and IT-managed file sharing. This means that data is not sent to consumer applications such as Dropbox or Google Drive. Any organizational services should support encryption of data when in transit.
• Require that any devices are protected by a corporate DLP service, ensuring that data on the device is encrypted.

How am I going to make sure corporate data isn’t lost when an employee leaves the organization or a device is lost?

• Require that users install the organization’s corporate backup service on any endpoint devices that will access/create corporate data, ensuring that a copy of all corporate endpoint data is stored centrally.
• Provide collaboration tools such as IT-managed file sharing to make sure corporate data stays within the reach/protection of the organization and require users to use them. Blacklist consumer services (again, such as Dropbox) that are not approved to make sure corporate data doesn’t leak out through those services.
• Provide IT with controls to limit access to data on a per-user, per-device, and per-medium basis.

How am I going to enforce company policies and external regulations regarding data access and retention?

• Create a written policy that all employees must agree to and sign if they want to BYOD. Keep policy up-to-date and revisit as necessary with employees.
• Educate employees on policy requirements and on why policy compliance matters. Provide clear information on expectations and responsibility in case of data breach or loss.
• Provide mechanism for IT to have visibility into how data moves around the organization. This provides the ability to verify that data is protected and if weaknesses are revealed, to adjust policy/controls as needed.
• Use a tool(s) that allows IT to implement company policies related to user/group access of data, single sign-on procedures, etc.

How am I going to protect data while also recognizing that this is a personal device with sensitive/personal non-corporate data on it?

• Set policy specifying what personal data can be backed up by the organization’s corporate endpoint backup service. Some organizations may choose to disallow backup of any personal folders, music, etc.
• Make sure that data loss prevention measures have the ability to remotely wipe what’s in the corporate container but not the personal information unless designated.