ThorTeaches.com is implementing a new Bring Your Own Device (BYOD) policy to allow employees to access corporate resources from their personal devices. During a risk assessment, concerns are raised about data leakage and device security. What should the information security manager prioritize to address these risks?