BY OD Research Report
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
CONTENTS
About GovLoop Executive Summary Summary of Survey Findings Do You Have a BYOD Policy? Should Your Agency Provide a Device for You? Do You Use Your Personal Phone for Work? How Important is Ease of Use and Functionality in Your Work Devices? What Are the Benefits of BYOD? Would BYOD Help to Recruit and Retain Employees? What Are Your Roadblocks to Adoption?
Challenges and Best Practices for Bring Your Own Device Challenge: Providing Employee Reimbursement Challenge: Maintaining Security in Diverse Network Best Practice: Assess Network
In Focus: How to Build Trust in Your Network Challenge: Anticipating Legal and Policy Challenges Best Practice: Best Practice: Best Practice: Best Practice:
Create Transparent Security Processes Establish Ownership of Data – Silo Personal and Professional Data Regulate User Applications Provide Device Support Guidelines
2
4 5 6 7 8 9 10 10 12 12 13 13 14 15 15 16 17 17 18 19
A RESEARCH REPORT FROM GOVLOOP AND CISCO
In Focus: Minneapolis App Store Challenge: Blurring Lines Between Personal and Private Best Practice: Promote Work / Life Balance Best Practice: Lead By Example
GovLoop Resources Overview of White House BYOD Toolkit BYOD in Brief: Expert Insights with Cisco’s David Graziano Conclusion Top 5 Next Steps for BYOD at Your Agency Step 1: Meet With Key Stakeholders to Develop Pilot Plan Step 2: Meet with Legal Team Step 3: Craft Internal Policy for BYOD Step 4: Announce Program to Employees Step 5: Iterate, Review Outcomes, Improve BYOD Strategy
About the Authors Pat Fiorenza:GovLoop Research Analyst Lindsey Tepe: GovLoop Fellow Jeff Ribeira: GovLoop Content and Community Coordinator Vanessa Vogel: GovLoop Design Fellow
3
19 20 21 21 21 22 24 26 27 27 27 27 27 27 28 28 28 28 28
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
ABOUT GOVLOOP GovLoop’s mission is to “connect government to improve government.” We aim to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 60,000 members, fostering government collaboration, solving common problems and advancing government careers. The GovLoop community has been widely recognized across multiple sectors as a core resource for information sharing among public sector professionals. GovLoop members come from across the public sector; including federal, state, and local public servants, industry experts, as well as non-profit, association and academic partners. In brief, GovLoop is the leading online source for addressing public sector issues. In addition to being an online community, GovLoop works with government experts and top industry partners to produce valuable resources and tools, such as guides, infographics, online training, educational events, and a daily podcast with Chris Dorobek, all to help public sector professionals do their jobs better. GovLoop also promotes public service success stories in popular news sources like the Washington Post, Huffington Post, Government Technology, and other industry publications. Thank you to our sponsor, Cisco, for sponsoring this research report. Location GovLoop is headquartered in Washington D.C., where a team of dedicated professionals share a common commitment to connect and improve government.
GovLoop 734 15th St NW, Suite 500 Washington, DC 20005 Phone: (202) 407-7421 Fax: (202) 407-7501
4
A RESEARCH REPORT FROM GOVLOOP AND CISCO
EXECUTIVE SUMMARY
For years, people have been using their own laptop, computer, or phone for work. Now, more than ever before, people desire to work on the device of their choice, anywhere and at any time. In this mobile environment, public sector agencies are challenged to find new and innovative ways to connect employees across multiple devices.
Public Sector at Cisco. Kimberly was one of the early adopters of BYOD in the federal government, her perspectives in this report provides insights on the evolution and challenges of BYOD programs in the federal government. Kimberly states, “The BYOD policy is our first to be issued and it will be revised as we evolve the program, we are currently in a beta pilot. We started out with rules of behavior, privacy, and expectations for people who bring their personally owned device.”
With these new expectations, government agencies are challenged to manage multiple users, develop policies, and retain security in a versatile and diverse network. Additionally, public sector entities must provide the right IT infrastructure and support for numerous devices and operating systems.
This report is by no means a finished project. It is our sincere hope that after reading this report, you will work to improve how BYOD operates in your agency, drive innovation in government, and share your newfound knowledge on GovLoop. In doing so, you will help facilitate knowledge sharing across the public sector, helping colleagues tackle similar BYOD challenges they are facing.
The GovLoop Research Report, Exploring Bring Your Own Device in Government, will provide expert insights from those in the trenches of BYOD policy. This report also provides a summary of a recent survey conducted by GovLoop in 2012, administered to 103 members from the GovLoop community.
In today’s mobile environment, BYOD is becoming more and more a reality. Now is the time for agencies to embrace BYOD, and learn how to make BYOD work at their agency. “Stop talking and start doing it, you can talk about it forever, you just need to get started,” stated Kimberly.
For this report GovLoop Research Analyst, Pat Fiorenza, recently spoke with Kimberly Hancher, Chief Information Officer (CIO) at the U.S. Equal Employment Opportunity Commission (EEOC) and David Graziano, Director, Security and Unified Access, US 5
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
SUMMARY OF SURVEY FINDINGS
This section provides an overview and key findings from GovLoop’s online survey. Throughout the report we have addressed several of the key challenges of bring your own device initiatives identified from the survey. The GovLoop survey was conducted from June 8 to July 2, 2012, and had a total of 103 participants. The survey was developed to explore common trends regarding BYOD from the GovLoop community, with the goal of better understanding the common challenges and roadblocks for BYOD in the public sector.
FEDERAL 62% LOCAL 20% STATE 18%
WHAT LEVEL OF GOVERNMENT DO YOU WORK FOR??
Survey respondents were predominantly from the federal level of government (62%) with the rest of the respondents being closely divided between the state (18%) and local (20%) levels. Respondents represented public sector entities across all levels of government, and many different kinds of municipalities across the United States, including City and County of Broomfield, WA; City of Coral Gables, FL; the Departments of Commerce, Energy, and Defense; and several other federal agencies or departments. 6
A RESEARCH REPORT FROM GOVLOOP AND CISCO
DOES YOUR CURRENT ORGANIZATION HAVE A BRING YOUR OWN DEVICE POLICY? NO 80% YES 20%
The survey questions asked respondents to answer several multiplechoice questions as well as rank statements on a scale of 1 to 5, with 5 representing the highest score and 1 representing the lowest.
HOW DESIRABLE WOULD A BRING YOUR OWN DEVICE POLICY BE FOR YOUR AGENCY?
DO YOU HAVE A BYOD POLICY?
1 12% 2 5%
Results indicate that the majority of respondents’ organizations do not currently have a BYOD policy (80%), while only 20% stated their agency currently has a policy.
3 17% 4 19% 5 43%
When asked how desirable a BYOD policy is at their agency, 62% of respondents indicated that it would be desirable or extremely desirable. Of the remaining respondents, 17% selected 3, 12% selected 1, 5% selected 2; 5% responded that this question was not applicable.
NOT APPLICABLE 5% Please use a 5-point scale, where 5 is Extremely Desirable and 1 is Not Desirable.
7
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
IS IT NECESSARY FOR GOVERNMENT TO PROVIDE A DEVICE FOR EMPLOYEES?
56%
44% HOW IMPORTANT IS IT FOR AN ORGANIZATION TO PROVIDE YOU WITH A DEVICE? 1 9%
NO
2 14%
YES
3 23% 4 24%
SHOULD YOUR AGENCY PROVIDE A DEVICE FOR YOU?
5 27% NOT APPLICABLE 3% Please use a 5-point scale, where 5 is Extremely Desirable and 1 is Not Desirable.
Respondents were asked if it is necessary for government to provide a device to employees. Fifty six percent of respondents said “Yes,” and 44 percent said, “No.” Below are some examples from reExpanding upon their answers, par- spondents who do not believe govticipants who responded “yes” gave ernment should provide a device to these specific reasons: employees:
Additionally, respondents were asked to rank how important it is for their organization to provide devices to employees.
t i*U JT OFDFTTBSZ UP IBWF UIF PQUJPO of government supplied IT equipment” t i*G SFRVJSFE GPS DFSUBJO QPTJUJPOTw t i4PNF QPTJUJPOT SFRVJSF DPOTUBOU availability” t iɨFSF BSF UPP NBOZ MFHBM JTTVFT that could arise with bring your own device”
The majority of participants (51%) responded with a 4 or 5. Of the remaining respondents, 23% chose 3, 14% chose 2, 9% chose 1, and finally, 3% indicated the question was not applicable.
t i*G QSPWJEFE UIF PQUJPO * XPVME use my personal device” t i.PTU FNQMPZFFT BMSFBEZ IBWF a device suitable for government work” t i/PU BCTPMVUFMZ OFDFTTBSZ CVU there should be a limit as to how much an employee must be asked to contribute” 8
BY
A RESEARCH REPORT FROM GOVLOOP AND CISCO
DO YOU USE YOUR PERSONAL PHONE FOR WORK PURPOSES?
21%
13%
YES- EMAIL
YES- SOCIAL NETWORKS
YES-READING & WRITING
YES- ENTERING TIME/EXPENSES/ RELATED BUSINESS FUNCTIONS
NO
OTHER
DO YOU USE YOUR PERSONAL PHONE FOR WORK? Survey participants were asked how they use their personal phone for work purposes, with the option to check all responses that apply and report additional uses.
(21%); entering time, expenses and calls, occasional emails and texting, related business functions (13%); and receiving business-related notiand reading and writing (30%). fications from customer mobile applications. The same question was Thirty-three percent (33%) of re- asked regarding tablets, with the spondents reported they do not majority of respondents stating they Respondents indicated that they use their personal phone for work do not use their personal tablet for utilized their personal phones functions. For those who reported work. For those who do, the main for email (41%); social networks additional uses, they listed phone reason was for reading and writing.
9
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
HOW IMPORTANT IS FUNCTIONALITY AND EASE OF USE OF DEVICE? 3 5% 4 24% 5 70% NOT APPLICABLE 1% Please use a 5-point scale, where 5 is Extremely Important and 1 is Not Important.
HOW IMPORTANT IS EASE WHAT ARE THE BENEFITS OF BYOD? OF USE AND FUNCTIONALITY IN YOUR WORK When asked what the benefits of DEVICES? BYOD, respondents were able to When asked how important functionality is and the ease of use of devices, respondents overwhelmingly selected 5 (70%), followed distantly by 4 (24%) and 3 (6%).
select all that applied from cost savings, allowing people to work on the most comfortable device, and improved productivity. Respondents were also provided the opportunity to report additional benefits. 10
Of the provided responses, 71% believed that “allowing people to work on most comfortable device,� was the greatest benefit, followed by improved productivity (58%), and cost savings (55%). Respondents submitted additional benefits such as not having to carry multiple devices, more modern equipment, facilitating telework, and improved usability. The survey also found other benefits for BYOD policies. For instance, the survey finds that 79 percent of respondents believe that BYOD could have a positive impact on employee satisfaction, productivity and employee engagement.
A RESEARCH REPORT FROM GOVLOOP AND CISCO
WHAT ARE THE BENEFITS OF BRING YORU OWN DEVICE?
71% 58%
55%
29.7% 29%
COST SAVINGS
ALLOW PEOPLE TO WORK ON MOST COMFORTABLE DEVICES
OTHER
IMPROVED PRODUCTIVITY
Respondents elaborated on their many ways to look at how BYOD answers by stating: can potentially save costs within an agency. t i*U XJMM POMZ IFMQ FOHBHFNFOU and satisfaction for those who have Our survey found that 55 percent more current devices that they can of respondents believed cost savuse in lieu of the federally-provided ing was a benefit. Generally, cost equipment. Those who do not will savings can be found reduced demost likely be angrier at the change vice costs, shared data plans, and in policy and disparity in equip- increased productivity. By allowing employees to work on their desired ment� t i.BOZ FNQMPZFFT XPVME CF BCMF platform, they will become more to perform work wherever they efficient using the tools they know best. Employees may use a PC for wanted� t i)BWJOH BO BMM JO POF TPMVUJPO XPSL QVSQPTFT CVU B .BD GPS QFSsonal use. By allowing the employee aids productivity� to select which tool to use, they are t i4VQQPSUT ÏFYJCMF XPSL IPVSTw t i4VQQPSUT UFMFXPSL BOE PUIFS NP- able to work on systems they are most comfortable in. bility initiatives�
employee standpoint, I think that smartphones and tablets have become an extension of an individual’s personality and personal productivity. One of the benefits is that if a person is very proficient on a device, they should take that proficiency into the workplace, rather than learning how to be minimally proficient with the government provided device. I can’t overemphasize how important personal productivity is across the enterprise.�
Similar to efficiency, by enabling employees to work on the tool they feel most comfortable with, employees will be able to accomplish The three core benefits, cost sav- Kimberly Hancher stated in an in- tasks quicker and easier since they ings, efficiency and productivity terview with GovLoop Research IBWF IJHIFS ĂŹVFODZ PO UIF UPPMT are typically contested. There are Analyst, Pat Fiorenza, “From an they are using. 11
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
DO YOU BELIEVE THAT BRING YOUR OWN DEVICE CAN SERVE AS A RETENTION AND RECRUITMENT TOOL?
WHAT IS THE LARGEST ROADBLOCK YOU HAVE SEEN TO IMPLEMENTING BRING YOUR OWN DEVICE WITHIN YOUR AGENCY/DEPARTMENT?
57%
55%
47%
56% 44%
19% LACK OF ORGANIZATIONAL SUPPORT
NO IT INFRASTRUCTURE TO SUPPORT MULTIPLE DEVICES
COSTS
OTHER
NO
WHAT ARE YOUR ROADBLOCKS TO ADOPTION? Finally, when asked what the largest roadblocks to developing a BYOD policy were, respondents were able to select all that apply from the following options: lack of organizational support, no IT infrastructure support, or costs. The biggest roadblock was perceived to be lack of organizational support (57%), followed by no IT infrastructure to support multiple devices (55%) and costs (19%). Respondents also had the opportunity to submit other roadblocks
YES
WOULD BYOD HELP TO RECRUIT AND RETAIN EMPLOYEES? or challenges for implementing BYOD. Respondents commonly stated “security” as a concern. Further, some respondents cited laws in their home states, in which any device used for work purposes becomes part of the public record and subject to disclosure. One respondent summed up these roadblocks by listing, “lack of policy, no clear way to reimburse staff for data plans on own devices, [and] inconsistent IT policies to support personal devices.” 12
When asked if they believed a BYOD policy could serve as a retention and recruitment tool, 56% of respondents said, “Yes.” and 44 percent said, “No.” Survey participants commented, “This is too small an issue to make the difference if someone chooses to work here or not;” “It may appear that agencies are shifting costs to employees”; “This is especially true for millennials and teleworkers”; “increased ìFYJCJMJUZ JT BUUSBDUJWF w BOE ëOBMMZ that “It shows your office is forward thinking, savvy, and efficient.”
A RESEARCH REPORT FROM GOVLOOP AND CISCO
CHALLENGES AND BEST
Practices for Bring Your Own Device
Although there are many potential benefits to BYOD, there are also challenges to fully leverage these benefits. Guided by the results of the GovLoop survey, this section will serve as a roadmap to help you navigate through common challenges while considering implementing a BYOD policy.
coverage and related expenses has been shifted to the employee. If government employees are using their personal phone for work purposes, there should be an expectation that they are not personally incurring the cost of increased data usage from work related activities.
CHALLENGE: PROVIDING EMPLOYEE REIMBURSEMENT
Currently, the federal government has provided little direction on how best to reimburse government employees for their mobile device. Kimberly stated, “I would love to be able to offer some kind of reimbursement for business use for their personal device, but there is no precedent for that. This should be done on a government wide scale, to help agencies understand how to provide a reimbursement to employees.”
One of the main cost drivers to provide a cell phone is the cost of data plans. Kimberly Hancher stated, “With government provided devices, the cost is voice and data. With regard to BYOD program, we are looking to reduce these government costs.”
(PW-PPQ $PNNVOJUZ .BOBHFS "OESFX ,[NBSzick provides one insightful solution for employee reimbursement, “One way to address this issue is to look at other ways in which government reimburses its employees. For instance, many agencies already
As more and more agencies are looking to implement BYOD, decreasing costs is the core goal of the initiative. One of the areas of concern for BYOD is that by facilitating work on personal devices, the cost of data 13
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
reimburse or defray the cost of using public transportation for work-related travel. Could BYOD determine the average cost of an employee voice and data plan both on the enterprise and personal levels - and include an allowance for employees to cover the cost of using their own device while reducing the agency’s expenses?” Terry Hill also stated on GovLoop, “We could build on what many agencies already do for teleworkers and share the cost of services for phone, internet, and e-mail up to a maximum of $50 a month or so. This is less than agencies are typically paying just for the blackberries (about $70) a month, for a net savings of $20 per month per employee. Additional savings would be in eliminating landline phones and Ethernet systems. I don’t think there is much risk in using personal smart phones for calls and for email/internet. That way, agencies would not feel they have to block access to sites and monitor usage. Agencies would focus on keeping their operational systems secure and would no longer have to worry about office software upgrades.”
CHALLENGE:MAINTAINING SECURITY IN DIVERSE NETWORK With an increase in the number and variety of devices available to consumers, agencies with a BYOD policy are challenged to identify and retain security in a more diverse network. To manage the proliferation of personal devices being utilized for work functions, BYOD policies have moved to the forefront for IT professionals. Users want seamless access to corporate resources, no matter which device they use or where that device is connected. In addition, users are connected wirelessly to numerous network devices; printers, fax machines, and copy machines that can be accessed from employees’ personal devices.
At the top of the list for the EEOC is retaining security. “Security is at Ultimately, BYOD reimbursement the top of our list that is why we is something an agency will have to are still doing a pilot. We will condevelop, working closely with the tinue to pilot until we feel we have legal team. the appropriate level of security and 14
have a history of dealing with the appropriate risks.” Cisco has many great resources and case studies addressing how to provide security with a diverse network on their BYOD Smart Solution page. The resources provide some best practices and strategies for getting started with BYOD. As smartphones continue to become more commonplace, the use of a work phone and personal phone has become blurred. The desire for a seamless work experience has led many to using phones for both personal and work. With this phenomena happening, agencies need to train employees on the cybersecurity threats that can compromise an agency’s mission and educate them on how to protect themselves and the organization while using multiple devices.
A RESEARCH REPORT FROM GOVLOOP AND CISCO
To properly assess the network, one strategy agencies can employ is to profile devices as they enter the Government agencies should start network. By profiling devices on by identifying what devices already the network, agencies will be able access their network, as well as the to make better decisions on securights, privileges, and the informa- rity, identify issues, and understand tion of each device. what protocols they need to make for certain devices accessibility. This will provide valuable insights for the organization on what kind of information is readily available to I N F O C U S : H O W T O B U I L D network members, and how to pro- T R U S T I N Y O U R N E T W O R K tect the most critical information. Cisco published a fascinating white Further, agencies should not show paper entitled, Cybersecurity: Build preference to certain devices and Trust, Visibility, and Resilience, TPGUXBSF "HFODJFT OFFE UP CF ĂŹFY- that addresses security issues across ible with different makes and mod- the Internet, and what government els, as well as diverse platforms for leaders and IT staff need to know in order to keep systems safe. The devices. report focuses on five areas: Being agile also means agencies should have all the latest software t 6OEFSTUBOEJOH UIF QSPMJGFSBUJPO installed to protect the network. of risks.
Best Practice: Assess Network
15
t "DIJFWJOH B USVTUFE OFUXPSL t $SFBUJOH OFUXPSL USBOTQBSFODZ and visibility to assess risks. t &TUBCMJTIJOH OFUXPSL SFTJMJFODF when security incidents do occur . t 8PSLJOH XJUI $JTDP UP BEESFTT trust, visibility, and resilience in the network. Cybersecurity is often cited as one of the main concerns for organizations, the Cisco report states: “The uses of multi-vector attacks are growing. Cyber criminals remain intent on targeting legitimate websites, with strategically timed; multi-vector spam attacks in order to establish key loggers, back doors, and bots. Criminals plan their malware to arrive unannounced and stay resident for long periods. Regardless of your market sector, the threat is growing.�
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
P
A
S
S
W
O
To address this concern the report pays particular focus to “trust,â€? which Cisco says is typically overused in cyber security discussions but is a fundamental practice that needs to be established within an organization. Cisco asks pointed questions about trust, including: t 8IPN DBO ZPV USVTU XJUIJO ZPVS network? t $BO ZPV USVTU IPX EFWJDFT BSF connected to your network? t $BO ZPV USVTU UIBU ZPV BSF OPU exposed to unnecessary risks? Cisco then provides three steps to provide trust within your network: t "TTFU %JTDPWFSZ BOE .BOBHFment: Validating user and device identity at the system point of entry and maintaining a state of trust t $POĂŤHVSBUJPO .BOBHFNFOU BOE Remediation: Identifying misconfiguration and vulnerability so that corrective actions can occur to as-
R
D
sure policy compliance and risk reduction t "SDIJUFDUVSBM 0QUJNJ[BUJPO %Fsign and feature application combined with best practices to create a threat-resistant and risk-tolerant infrastructure
have a conversation with your agencies attorneys. Enabling employees to use their personal phone may open Pandora’s box for the legal team. Here are some questions you should be working through with agency attorneys:
This is an important white paper to view. By implementing a BYOD program, your agency is opening the door to more threats and needs to prepare by taking the proper security precautions.
t 8IP PXOT UIF EFWJDF t 8IP JT SFTQPOTJCMF GPS EBNBHFT lost equipment, and periodic maintenance? t )PX XJMM JOTUBMMBUJPO PG TPGUXBSF occur on devices? t 8IP JT SFTQPOTJCMF UP VQHSBEF equipment’s software? t 8IBU LJOE PG BQQT DBO CF JOstalled on the device? If this is a personal device, what kind of control does the employer have? t 8IBU GVODUJPOT PG UIF QIPOF NBZ be banned from use? t $BO UIF FNQMPZFF VTF UIF DBNera to take photos or record video, when and where? t )PX DBO UIF SVMFT CF FOGPSDFE
CHALLENGE: ANTICIPATING LEGAL AND POLICY CHALLENGES There are a handful of legal and policy challenges that arise from BYOD. For managers and executives in government, the best place to start with BYOD is crafting your policy, and prior to publishing, 16
A RESEARCH REPORT FROM GOVLOOP AND CISCO
and data files in case the device is lost or stolen and a full wipe needs to be performed.
t )PX EPFT #:0% ëU XJUI FYJTUJOH simple password settings on many policies, i.e., social media? devices can easily be adjusted to accommodate more complex passThe answers to some of these ques- words. Required length and charactions may seem obvious, but ad- ter variety should be consistent with dressing them in your agency’s general user policy. Guidelines for BYOD policy is necessary. While the frequency of password changes thinking through what works best should also be provided. Dependfor your agency, these best practices ing on security needs, devices may may guide your thinking. also be equipped with biometric security. Although expensive, voice Best Practice: Create Transpar- recognition or fingerprint scans can be installed on smart devices. ent Security Processes .PTU #:0% QPMJDJFT BMTP SFRVJSF devices to be equipped with remote wiping capability. As Kimberly Hancher from the EEOC told Chris Dorobek on the DorobekINSIDER, “[the EEOC] enforce[s] password complexity and history First, personal devices should have [...], and we also have a policy password settings enabled if they where if a phone is lost or stolen, we have access to work-related in- have the ability to do a full wipe of formation. Guidelines should be the device.” Kimberly recommends provided for password length. The that users back up their personal As most users have experienced, mobile devices are often lost or stolen. For users on the go, therefore, the convenience of access to private information on personal devices requires additional security measures.
17
One of the key elements to having a transparent security policy is engaging key stakeholders from the very beginning of the process. In doing so, an organization will be able to gather feedback, understand needs; addresses concerns, and build support for BYOD initiatives. Kimberly Hancher stated, “Include key stakeholders, legal support, your HR group and your end users. I put together an advisory group of legal, HR, finance, and also put together an end user group to give feedback of features and what their reactions are to security measures we set up, to make sure that BYOD is really usable.”
Best Practice: Establish Ownership of Data – Silo Personal and Professional Data While the personal device may belong to the employee, they will not own all data on that device. To avoid potential ownership issues, it is important to establish ownership upfront, and make sure there is a clear process for removing agency data from the device that is differ-
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
entiated for diverse circumstances. Likewise, a best practice is to “silo� personal and professional data. Work information accessed and stored on a personal device clearly still belongs to the organization, not the individual. Personal devices are also used, however, to store music, photos and other personal data that is created or purchased by employees. This combination of personal and private data can create issues in the event that a device is lost or stolen, if there is a security concern, or when an employee exits the organization. One approach to dealing with the blurring of personal and private data is containerization. This approach to data management would enable users to compartmentalize personal and work data, utilizing virtual desktop infrastructure and cloud computing. If data is separated along these lines, containerization of data can allow for a selective wipe to specifically target work-related information. As Kimberly Hancher from the EEOC explained to Chris Dorobek on the DorobekINSIDER, “[The EEOC is] experimenting during this phase of the pilot with something we’re calling selective wipe which means that it removes only the business portion of the data from the device. So if, for example,
it is recovered, just the business data work security. There are three ways would have been eliminated.� to mitigate this risk: In the event that an individual leaves the organization, there should be a process laid out for wiping enterprise information from that device. Agencies should carefully consider their policy for remote wiping in the event that an employee leaves unexpectedly.
1) Employee Education
Helping users understand the data risks created by downloading and using questionable applications is the most effective method to manage applications. While policies may set parameters for what types of applications users can download Jerry Rhoads on GovLoop stated, and forbid some outright, educat“Technically speaking, the govern- ing employees about security risks ment should, in my opinion keep will result in a higher level of comthe biz side of the phone separate or pliance. “siloed out� from the “Angry Birds� part of the phone.� Jerry continued 2) Application Store to provide more insights, stating, i.BZCF XF TIPVME DIBOHF UIF QBSB- To moderate what kinds of apdigm of managing the user/device plications users download, some and change to managing the user’s agencies have set up an applicaFYQFSJFODF .Z UIPVHIUT BSF XIFO tion store with company-approved at work, put the smart phone into applications. This approach to ap“work� mode, when on a break or at plication management allows agenhome --switch to personal mode.� cies to choose specific work-related Best Practice: Regulate User Appli- applications for employees to use, cations and can also be utilized to approve personal applications if an agency decides to strictly regulate personal Best Practice: Regulate User apps. Applications There are a steadily increasing number of applications available for users of any device, and keeping up with these applications is a daunting task. It is important for an agency to think through their policy toward work-related and personal applications, as all device applications may have an impact on net18
3) Acceptable Use Agreements .BOZ PSHBOJ[BUJPOT BMSFBEZ IBWF Acceptable Use Agreements (AUA) for employees regarding social media use. An organization’s BYOD policy for social media applications should be consistent with existing AUAs.
A RESEARCH REPORT FROM GOVLOOP AND CISCO
Best Practice: Provide Device document for government owned for BYOD services and support. mobile devices, to be able to dis- (City Website Source) Support Guidelines tinguish between two sets of rules if you are given a government owned device. We clearly outline what the expectations and the guidance that we give you, so that way people can see what the differences are.� This is a great best practice to help clarify any uncertainty about what kind of support will be provided to employees.
With employees purchasing their own devices and service plans, it is necessary for organizations to decide whether or not they will provide service and support. Some company software may require inhouse tech support, but issues with call service, reception, and connection most likely should be left for service providers to address. Less technically savvy employees may be I N F O C U S : M I N N E A P O L I S less inclined to use their own devic- A P P S T O R E es for work if they are aware of their responsibility for any problems or ɨF DJUZ PG .JOOFBQPMJT JT MFBEJOH repairs. the way as early adopters and supporters of BYOD. They have innoKimberly Hancher and the EEOC vated a unique approach to support created two working documents Apple products. to clarify how employees can use government commissioned phones While an ideal BYOD policy would and personal devices under BYOD, support a variety of products, in“Along with the BYOD rules of be- cluding Android devices, this examhavior, we also created a separate ple provides a possible framework 19
The city offers Apple users two service packages to accommodate the needs of users. t #BTJD 4FSWJDF ɨFJS CBTJD TFSWJDF provides access to work email, calendar, tasks and contacts. There is no cost associated with the basic service, and is available to all employees. t 1SFNJFSF 4FSWJDF ɨJT TFSWJDF QSPvides access to work email, calendar, tasks and contacts, as well as access to VPN, CityTalk and City network drives and folders. The Premiere Service also offers acDFTT UP UIF OFX .JOOFBQPMJT "QQ Store, which offers work-related productivity apps and training material. There is a one-time enrollment fee of $100 for this service.
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
The city has also innovated an application store where work-related productivity applications can be found. The applications are available with the premiere service, and enable users to access and manipulate documents. This approach to application management provides several advantages. The applications employees utilize to access the network and manipulate documents are provided by the city, which allows for additional data security. This also simplifies tech support by selecting the best applications for each process. Establishing software support parameters is also clearer – if an application is available through the City app store, user
support is provided. 4PNF BQQT QSPWJEFE JO UIF .JOneapolis app store include: t $JTDP "OZ$POOFDU 71/ TPGUware to connect to the City network t 'JMF #SPXTFS 0ODF DPOOFDUFE to the City network, this tool facilitates browsing drives t J"OOPUBUF "MMPXT BCJMJUZ UP SFBE and edit .pdf documents t 2VJDL0ĂŻDF 1SP )% .JDSPTPGU office productivity tool With this range of applications, iPads have the same utility as a desktop computer or laptop. Expanding this model to support all tablets will increase the appeal and effectiveness of their BYOD policy. (Source Interview) 20
CHALLENGE: BLURRING LINES BETWEEN PERSONAL AND PRIVATE The lines between personal and private lives have progressively blurred as technology has evolved. Implementing a BYOD policy allows employees to access their work from any location. While this can be liberating for some, it also means that unanswered work emails and voice mails, uncompleted tasks and to-do lists, and unfinished documents are readily available. As employees are bringing their own devices home as well, with BYOD it is no longer possible to physically leave work at work.
A RESEARCH REPORT FROM GOVLOOP AND CISCO
GOVLOOP RESOURCES How Do You Retain Security With BYOD? BYOD and Beyond EEOC Cuts Costs With BYOD Pilot Program What Would You Put in a Bring Your Own Device Strategy 5SFOET PO 5VFTEBZ (SFBU "NFSJDBO 4NBSUQIPOF .JHSBUJPO Trends on Tuesday: Smartphone Separation Anxiety
Since work is readily available, it is important to establish expectations and boundaries. Without an organization-wide approach, employees may feel pressure to do more at home.
tions will benefit from establishing clear expectations regarding work hours. While 24/7 responsiveness can sound appealing in theory, in practice this often leaves employees feeling less satisfied with their work and less productive in the long run.
Having guidelines that accommodate a work/life balance is impor- Organizations can benefit from tant, but just as important is setting establishing a culture that values an example from the top down. time off and respects the work/life balance of employees. Establishing this kind of work culture involves Best Practice: Promote Work/ discouraging unnecessary afterLife Balance hours emails, phone calls, and text Constantly having a device con- messages. Also, agencies should set nected to work may allow for great- reasonable expectations regarding er responsiveness, but organiza- response time for communication 21
not during the organization’s hours of operation.
Best Practice: Lead By Example The best-intentioned organization can still fail to create an environment that promotes work/life balance if leadership does not model these behaviors. If managers are texting and sending emails timestamped at 1:00 a.m., employees may feel pressure to work around the clock as well. For managers who have adopted BYOD, it is important to consider the impact your work hours may have on organizational culture.
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
OVERVIEW OF WHITE HOUSE BYOD TOOLKIT
Recently, the White House announced a BYOD tool kit for government agencies. The report is an important step to wider adoption of bring-your-own-device policies in government, and empowers leaders in government to explore if BYOD is feasible within their agency. The report has a few excellent case studies related to BYOD and template policies for BYOD implementa- lining key areas, providing strategic tion. guidance, and identifying that there is still a lot of work to be done. The The case studies and policy exam- BYOD toolkit states: ples can be found below: “Implementing a BYOD program is t Alcohol and Tobacco Tax and not mandatory. This document is inTrade Bureau (TTB) Virtual Desk- tended to serve as a toolkit for agentop Impl... cies contemplating implementation t U.S. Equal Employment Op- of BYOD programs. The toolkit is portunity Commission (EEOC) not meant to be comprehensive, but BYOD Pilot rather provides key areas for cont State of Delaware BYOD Pro- sideration and examples of existgram ing policies and best practices. In t Sample #1: Policy and Guidelines addition to providing an overview GPS (PWFSONFOU 1SPWJEFE .PCJMF of considerations for implementing Dev... BYOD, the BYOD Working Group t Sample #2: Bring Your Own De- members developed a small collection vice – Policy and Rules of Behavior of case studies to highlight the suct 4BNQMF .PCJMF *OGPSNBUJPO cessful efforts of BYOD pilots or proTechnology Device Policy grams at several government agencies. t Sample #4: Wireless Communi- The Working Group also assembled cation Reimbursement Program examples of existing policies to help t Sample #5: Portable Wireless inform IT leaders who are planning Network Access Device Policy to develop BYOD programs for their organizations.� The BYOD toolkit is a great starting point for government agencies. The The report also provides future report does an excellent job of out- NJMFTUPOFT TVDI BT UIF .PCJMF 4F22
curity Reference Architecture that intends to inform agency considerations on BYOD. Further, the National Institute of Standards and Technology (NIST), is drafting guidelines specifically for mobile. The BYOD Toolkit states: “GuideMJOFT GPS .BOBHJOH BOE 4FDVSJOH .PCJMF %FWJDFT JO UIF &OUFSQSJTF Security and Privacy Controls for Federal Information Systems and Organizations; and Personal Identity Verification (PIV) of Federal Employees and Contractors. Each of these documents should provide further insight into issues associated with the implementation of BYOD solutions.� One of the more compelling sections of the report is when the authors identify the trends and business case for BYOD. The BYOD working group identified several characteristics. One of the first characteristics that the report mentions is “BYOD is about offering choice.� The report states:
A RESEARCH REPORT FROM GOVLOOP AND CISCO
By embracing the consumerization of Information Technology (IT), the government can address the personal preferences of its employees, offering them increased mobility and better integration of their personal and work lives. It also enBCMFT FNQMPZFFT UIF ĂŹFYJCJMJUZ UP work in a way that optimizes their productivity. There is an ongoing trend that people want to work on the devices they desire and are most comfortable with. This is an important development, people will be most productive, effective and potentially improved morale by working on devices they are most comfortable with. A second characteristic is “BYOD can and should be cost-effective, so a cost-benefit analysis is essential as the policy is deployed.â€? The report is clear to identify that BYOD presents a shift of costs to employees. As less government devices are deployed, more services are being accessed on personal devices, in which the user is responsible for paying data fees. The report cites that this continues to be one of the challenges for BYOD. “Additionally, overall costs may significantly increase for personnel who frequently communicate outside of the coverage area of their primary service provider and incur roaming charges,â€? stated the tool-
kit. The report also acknowledges reasons for BYOD adoption, rethat security is a key challenge for duce costs, increase efficiency/proBYOD initiatives. Stating: ductivity, adapt to workforce, and improve user experience. “Implementation of a BYOD program presents agencies with a myri- The report also provides an extenad of security, policy, technical, and sive list of areas to approach while legal challenges not only to internal considering a BYOD plan. communications, but also to relationships and trust with business (Note: the report provides an even and government partners.� deeper look at each of the bullet points below, see complete list here) Another interesting aspect of the report is that the toolkit clearly t 5FDIOJDBM BQQSPBDI identifies three high-level means of t 3PMFT BOE SFTQPOTJCJMJUJFT implementing a BYOD program, t *ODFOUJWFT GPS HPWFSONFOU BOE virtualization, walled garden, lim- individuals ited separation. The report provides t &EVDBUJPO VTF BOE PQFSBUJPO a brief description of each: t 4FDVSJUZ t 1SJWBDZ t 7JSUVBMJ[BUJPO 1SPWJEF SFNPUF t &UIJDT MFHBM RVFTUJPOT access to computing resources so t 4FSWJDF QSPWJEFS T
that no data or corporate applicat %FWJDFT BOE BQQMJDBUJPOT BQQT
tion processing is stored or cont "TTFU NBOBHFNFOU ducted on the personal device; t 8BMMFE HBSEFO $POUBJO EBUB PS This is a great example of how the corporate application processing Digital Government Strategy, and within a secure application on the the leadership and vision by Steve personal device so that it is segreVanRoekel, is helping to facilitate gated from personal data; the improved use of technology in t -JNJUFE TFQBSBUJPO "MMPX DP government, to deliver improved mingled corporate and personal services to Americans. data and/or application processing on the personal device with poliI was super impressed with this recies enacted to ensure minimum port. The report provides a fantastic security controls are still satisfied. roadmap for agencies to follow if they are considering BYOD. Especially important for BYOD is making the business case for imple- Although there are still some chalmenting a BYOD program. The re- lenges to BYOD, this is a positive port identifies the commonly stated step in the right direction. 23
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
BYOD in Brief: Expert Insights with Cisco’s David Graziano
David Graziano, Director, Security and Unified Access, US Public Sector, Cisco, spoke with Pat Fiorenza of GovLoop on the state of BYOD in the public sector. David provided expert insights on how to best manage, control and implement a BYOD program for a public sector agency. This guide addressed numerous best practices and ways to overcome common challenges for public sector agencies looking to implement BYOD intitiatives. Graziano’s insights provide further evidence that although challenges still remain for BYOD, this is one of the most important trends occurring in government. During the interview, David was clear to highlight the benefits of BYOD, from optimizing business lines to workforce productivity and morale, BYOD clearly has the potential to transform how agen-
cies operate. Although the benefits organization create a simple user are clear, there are numerous best experience. David states: practices that David highlighted for agencies to consider. “You need to create a simple user experience. This involves guest acHe advised that agencies must start cess and on-boarding, this means by embracing BYOD, and accept potentially allowing people access that BYOD is a trend that they who do not work for you and limitmust act upon,“Embracing BYOD ing information they can access. If it is really important, because if they is an employee, it is simple onboarddon’t, then the agency is actually ing, managing the user experience of moving away from technology rath- getting on the network, establishing er than leveraging it to achieve their and confirming their identity and mission,” states Graziano. authenticate who they are and their device, just making this a very smooth Embracing BYOD is essential. process.” BYOD initiatives show a commitment to becoming an innovative Clearly, the intent is not to limit acworkplace and allowing people to cess or have challenges connecting work on the platform they desire. to a respective network. Although bringing in a tablet for work use can “If you embrace BYOD and make aid in productivity, David is sure to it very easy for people to get on the address the importance of setting network and enforce policies to policy to protect government data. protect data, that is the best thing,” David keenly acknowledges. Once Graziano advises that the right kind BYOD is embraced by agencies, he of policy needs to be developed, and advises that it is essential that the that if necessary, the agency has the 24
A RESEARCH REPORT FROM GOVLOOP AND CISCO
right to delete all data on the tablet. Further, David advises the use of Next Generation Encryption in any BYOD initiative. Cara Sioman recently described Next Generation Encryption in a Cisco blog post as: “The next generation of encryption technologies meets the evolving needs of agencies and enterprises by utilizing modern, but well reviewed and tested cryptographic algorithms and protocols. As an example, Elliptic Curve Cryptography (ECC) is used in place of the more traditional Rivest-Shamir-Adleman (RSA) algorithms. By upgrading these algorithms, NGE cryptography prevents hackers from having a single low-point in the system to exploit and efficiently scales to high data rates, while providing all of the security of the Advanced Encryption Standard (AES) cipher.” Security and protecting government data is the preeminent concern for any BYOD initiative, with the use of Next Generation Encryption, agencies can work to remain safe, and still implement a succesful BYOD intitiative. David highlighted four core challenges for BYOD, the loss of con-
trol, protecting government data, limited access, and changing work practices for new employees. The loss of control is absolutely one of the most critical concerns with BYOD. Graziano states, “Typically loss of control is related to policy, if you are going to let these things on your network, how do you possibly control where they are allowed to go, and what they are allowed to do?” These are important considerations to make while crafting a BYOD policy, and as David mentioned, the importance of a well-crafted policy is essential to the success of any government BYOD initiative.
that,” stated David. Beyond operational and efficiency gains, BYOD also may contribute to tackling the challenges to recruit and retain top talent in government. BYOD has the potential to shape how government entities recruit the next generation of public servants. BYOD is becoming a necessity for recruitment, as a new demographic of employees enter the workforce, entrants have expectations that information will be avaible at their fingertips. “They have expectations that they are gong to be able to access information on any device, any time anywhere,” David states.
Closely linked to the challenge of a loss of control, is the need to protect government data. David states, “If you are going to allow people access to data and in theory they could pull it down, you run the risk of losing that government data.”
David provided some great insights on BYOD and how it is shaping public sector entities. As the mobile boom continues, and agencies work towards delivering improved services, BYOD initiatives will be critical to improve how government operates.
Additionally, Graziano advises that policies will differ for government furnished devices and personal devices. “If the devices are government furnished, you can establish one set of policies, and if it is literally BYOD, then you have to establish a different set of policies for
David provided great insights how BYOD is shaping the public sector. As the mobile boom continues, and agencies work towards delivering improved services, BYOD initiatives will play a critical role transforming government operations and service delivery.
25
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
CONCLUSION
Government at all levels is looking to find new and innovative ways to save money, cut costs and deliver increased services to citizens. As budgets continue to tighten, initiatives like BYOD become more and more appealing to government agencies. Agencies must embrace new ways of thinking, and engage in new initiatives designed to cut costs and increase efficiency. BYOD is only one part of the solution. As government problems and system become more complex, so does the workplace. BYOD is one solution to help facilitate an increasingly mobile and active workforce, allowing people to work when and how they want. This report provided an overview of a recent survey and best practices to overcome common roadblocks to BYOD. If you are interested in more information, be sure to visit GovLoop and connect with like-minded professionals engaged in BYOD development. If you have any questions on this report or would like more information, please reach out to Pat Fiorenza, GovLoop Research Analyst at pat@govloop.com.
26
A RESEARCH REPORT FROM GOVLOOP AND CISCO
TOP 5 NEXT
Steps for BYOD at Your Agency With BYOD, there are many ways to bring BYOD into your agency. After reading through this report, here is the need to know information on next steps to initiate a bring your own device strategy at your agency.
STEP 3: CRAFT INTERNAL POLICY FOR BYOD After you have met with key stakeholders and the agency’s legal team, begin to craft the BYOD policy. This guide has dozens of best practices and tips of what should be included in the policy, but also be sure to incorporate feedback from the legal team and agency leaders.
STEP 1: MEET WITH KEY STAKEHOLDERS TO DEVELOPE PILOT PLAN At the very onset of developing your BYOD policy, agency leads should sit down with key stakeholders within the agency to discuss what a BYOD initiative looks like. Staff members from all functional areas should be present, to provide input and feedback. This will also help develop buy-in and create a unified vision for the agency’s BYOD program.
STEP 4: ANNOUNCE PROGRAM TO EMPLOYEES Like with any program, announcing and selling the program to employees is critical. If this program is a pilot program, be careful how you select employees and develop a team.
STEP 2; MEET WITH LEGAL TEAM
STEP 5: ITERATE, REVIEW OUTCOMES,IMPROVE BYOD STRATEGY
After meeting with stakeholders, be sure to follow up and meet with the legal team to discuss the program and be sure that all legal requirements have been met. BYOD is very new in government, and there is a lack of legal precedent. Be sure to meet with legal advisors to mitigate legal risks.
Once the program has been initiated, be sure to set up periodic check points with end users and administrators so they can provide feedback on the program. This information will be critical for the agency to learn how to improve future BYOD initiatives, with input coming from the core stakeholders. 27
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
ABOUT THE AUTHORS Pat Fiorenza GovLoop Research Analyst Pat is currently a Research Analyst at GovLoop. Through the creation of blogs, research reports, guides, in-person, and online events, Pat helps to identify and find best practices to share with the GovLoop community. Pat SFDFJWFE IJT .BTUFST PG 1VCMJD "ENJOJTUSBUJPO EFHSFF GSPN UIF .BYXFMM 4DIPPM PG $JUJ[FOTIJQ BOE 1VCMJD "êBJST at Syracuse University. Lindsey Tepe GovLoop Fellow Lindsey is currently a Fellow at GovLoop. In this role, Lindsey assists with the development of content creation. This includes writing of blogs, research reports and facilitating community engagement on GovLoop. Lindsey SFDFJWFE IFS .BTUFST PG 1VCMJD "ENJOJTUSBUJPO GSPN UIF .BYXFMM 4DIPPM PG $JUJ[FOTIJQ BOE 1VCMJD "êBJST BU Syracuse and is a former Teach for America Fellow. Jeff Ribeira GovLoop Content and Community Coordinator Jeff is the Content and Community Coordinator at GovLoop and manages all creative and technical development projects. Vanessa Vogel GovLoop Design Fellow Vanessa is currently a Design Fellow at GovLoop. She recently graduated from Brigham Young University with a Bachelors degree in Graphic Design.
28
A RESEARCH REPORT FROM GOVLOOP AND CISCO
Cisco is the worldwide leader in networking that transforms how Government and Education connect, communicate, and collaborate. Since 1984, Cisco has led in the innovation of IPbased networking technologies, including routing, switching, security, TelePresence systems, unif ied communications, video, and wireless. The company’s responsible business practices help ensure accountability, business sustainability, and environmentally conscious operations and products. Our technology is changing the nature of work and the way we serve, educate, and defend. Helping government agencies maximize ef fectiveness in key areas:
· · · · · ·
Cloud Computing Data Center Consolidation Cyber Security Mobile (Mobile Collaboration) Telework Bring Your Own Device
For more information, visit www.cisco.com/go/usgov
29