BY OD Research Report
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
CONTENTS
About GovLoop 4 Executive Summary 5 Summary of Survey Findings 6 Do You Have a BYOD Policy? 7 Should Your Agency Provide a Device for You? 8 Do You Use Your Personal Phone for Work? 9 How Important is Ease of Use and Functionality in Your Work Devices? 10 What Are the Benefits of BYOD? 10 Would BYOD Help to Recruit and Retain Employees? 12 What Are Your Roadblocks to Adoption? 12 Challenges and Best Practices for Bring Your Own Device 13 Challenge: Providing Employee Reimbursement 13 Challenge: Maintaining Security in Diverse Network 14 Best Practice: Assess Network 15 In Focus: How to Build Trust in Your Network 15 Challenge: Anticipating Legal and Policy Challenges 16 Best Practice: Create Transparent Security Processes 17 Best Practice: Establish Ownership of Data – Silo Personal and Professional Data 17 Best Practice: Regulate User Applications 18 Best Practice: Provide Device Support Guidelines 19
2
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
In Focus: Minneapolis App Store Challenge: Blurring Lines Between Personal and Private
19 20 Best Practice: Promote Work / Life Balance 21 Best Practice: Lead By Example 21
Conclusion 22
Top 5 Next Steps for BYOD at Your Agency 23 Step 1: Meet With Key Stakeholders to Develop Pilot Plan 23 Step 2: Meet with Legal Team 23 Step 3: Craft Internal Policy for BYOD 23 Step 4: Announce Program to Employees 23 Step 5: Iterate, Review Outcomes, Improve BYOD Strategy 23 GovLoop Resources: 21 About the Authors 24 Pat Fiorenza – GovLoop Research Analyst 24 Lindsey Tepe – GovLoop Fellow 24 Jeff Ribeira- GovLoop Content and Community Coordinator 24 Vanessa Vogel-GovLoop Design Fellow 24 Contributors 25
3
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
ABOUT GOVLOOP Our mission is to “connect government to improve government.� We aim to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 55,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. The GovLoop community has been widely recognized across multiple sectors as a core resource for information sharing among public sector professionals. GovLoop members come from across the public sector; including federal, state, and local public servants, industry experts, as well as non-profit, association and academic partners. In brief, GovLoop is the leading online source for addressing public sector issues. In addition to being an online community, GovLoop works with government experts and top industry partners to produce valuable resources and tools, such as guides, infographics, online training, educational events, and a daily podcast with Chris Dorobek, all to help public sector professionals do their jobs better. GovLoop also promotes public service success stories in popular news sources like the Washington Post, Huffington Post, Government Technology, and other industry publications. Thank you to our sponsor, Oracle, for sponsoring the Re-Imagining Government Customer Service Report. Location GovLoop is headquartered in Washington D.C., where a team of dedicated professionals share a common commitment to connect and improve government.
GovLoop 734 15th St NW, Suite 500 Washington, DC 20005 Phone: (202) 407-7421 Fax: (202) 407-7501
4
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
EXECUTIVE SUMMARY her perspective provides insights on the evolution and challenges of BYOD programs in the federal government throughout this report. Kimberly states, “The devices we are supporting in this pilot are the blackberry, android, smart phones, tablets and IoS iPhone and iPad.”
For years, people have been using their own laptop, computer, or phone for work. Now, more than ever before, people desire to work on the device of their choice, anywhere and at any time. In this mobile environment, public sector agencies are challenged to find new and innovative ways to connect employees across multiple devices.
Kimberly states, “The BYOD policy is our first to be issued and it will be revised as we evolve the program, we are currently in a beta pilot. We started out with rules of behavior, privacy, and expectations for people who bring their personally owned device.”
With these new expectations, government agencies are challenged to manage multiple users, develop policies, and retain security in a versatile and diverse network. Additionally, public sector entities must provide the right IT infrastructure and support for numerous devices and operating systems.
This report is by no means a finished project. It is our sincere hope that after reading this report, you will work to improve how BYOD operates in your agency, drive innovation in government, and share your newfound on GovLoop knowledge across the public sector to help colleagues tackle similar challenges they are facing across the public sector.
The GovLoop Research Report, Exploring Bring Your Own Device in Government, will provide expert insights from those in the trenches of BYOD policy. This report also provides a summary of a recent survey conducted by GovLoop from June 8 to July 2, 2012, administered to 103 members from the GovLoop community.
Kimberly reminds us that “Four years ago the only smartphones were blackberries, and now it is a very new environment.” In today’s mobile environment, BYOD is becoming more and more a reality. Now is the time for agencies to embrace BYOD, and learn how to make BYOD work at their agency. “Stop talking and start doing it, you can talk about it forever, you just need to get started,” stated Kimberly.
GovLoop Research Analyst, Pat Fiorenza, recently spoke with Kimberly Hancher, Chief Information Officer (CIO) at the U.S. Equal Employment Opportunity Commission (EEOC), discussing their newly implemented BYOD policy. As one of the early adopters of BYOD policy in the federal government, 5
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
SUMMARY OF SURVEY FINDINGS
FEDERAL 62%
This section provides an overview and key findings from GovLoop’s online survey. Throughout the report we have addressed several of the key challenges of bring your own device initiatives identified from the survey. The GovLoop survey was conducted from June 8 to July 2, 2012, and had a total of 103 participants. The survey was developed to explore common trends regarding BYOD from the GovLoop community, with the goal of better understanding the common challenges and roadblocks for BYOD in the public sector.
LOCAL 20% STATE 18%
WHAT LEVEL OF GOVERNMENT DO YOU WORK FOR??
Survey respondents were predominantly from the federal level of government (62%) with the rest of the respondents being closely divided between the state (18%) and local (20%) levels. Respondents represented public sector entities across all levels of government, and many different kinds of municipalities across the United States, including City and County of Broomfield, WA; City of Coral Gables, FL; the Departments of Commerce, Energy, and Defense; and several other federal agencies or departments. 6
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
DOES YOUR CURRENT ORGANIZATION HAVE A BRING YOUR OWN DEVICE POLICY? NO 80% YES 20%
The survey questions asked respondents to answer several multiplechoice questions as well as rank statements on a scale of 1 to 5, with 5 representing the highest score and 1 representing the lowest.
HOW DESIRABLE WOULD A BRING YOUR OWN DEVICE POLICY BE FOR YOUR AGENCY?
DO YOU HAVE A BYOD POLICY?
1 12% 2 5%
Results indicate that the majority of respondents’ organizations do not currently have a BYOD policy (80%), while only 20% stated their agency currently has a policy.
3 17% 4 19% 5 43%
When asked how desirable a BYOD policy is at their agency, 62% of respondents indicated that it would be desirable or extremely desirable. Of the remaining respondents, 17% selected 3, 12% selected 1, 5% selected 2; 5% responded that this question was not applicable.
NOT APPLICABLE 5% Please use a 5-point scale, where 5 is Extremely Desirable and 1 is Not Desirable.
7
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
IS IT NECESSARY FOR GOVERNMENT TO PROVIDE A DEVICE FOR EMPLOYEES?
56%
44%
NO
HOW IMPORTANT IS IT FOR AN ORGANIZATION TO PROVIDE YOU WITH A DEVICE?
YES
1 9% 2 14%
SHOULD YOUR AGENCY PROVIDE A DEVICE FOR YOU?
3 23%
Respondents were asked if it is necessary for government to provide a device to employees. Fifty six percent of respondents said “Yes,” and 44 percent said, “No.”
NOT APPLICABLE 3%
Expanding upon their answers, participants who responded “yes” gave these specific reasons: • “It is necessary to have the option of government supplied IT equipment” • “If required for certain positions” • “Some positions require constant availability” • “There are too many legal issues that could arise with bring your own device” For those that responded with
4 24% 5 27%
Please use a 5-point scale, where 5 is Extremely Desirable and 1 is Not Desirable.
“No,” some of the reasons include: • “Desirable, but not necessary” • “If provided the option, I would use my personal device” • “Most employees already have a device suitable for government work” • “Not all positions are appropriate” • “Not absolutely necessary, but there should be a limit as to how much an employee must be asked to contribute” 8
Additionally, respondents were asked to rank how important it is for their organization to provide devices to employees. The majority of participants (51%) responded with a 4 or 5. Of the remaining respondents, 23% chose 3, 14% chose 2, 9% chose 1, and finally, 3% indicated the question was not applicable.
BY EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
41%
30%
DO YOU USE YOUR PERSONAL PHONE FOR WORK PURPOSES?
33%
35%
NO
OTHER
21%
13%
YES- EMAIL
YES- SOCIAL NETWORKS
YES-READING & WRITING
YES- ENTERING TIME/EXPENSES/ RELATED BUSINESS FUNCTIONS
DO YOU USE YOUR PERSONAL PHONE FOR WORK? Survey participants were asked how they use their personal phone for work purposes, with the option to check all responses that apply and report additional uses. Respondents indicated that they utilized their personal phones for email (41%); social networks (21%); entering time, expenses and related busi-
ness functions (13%); and reading and writing (30%). Thirty-three percent (33%) of respondents reported they do not use their personal phone for work functions. For those who reported additional uses, they listed phone calls, occasional emails and texting, and receiving business-related notifica9
tions from customer mobile applications. The same question was asked regarding tablets, with the majority of respondents stating they do not use their personal tablet for work. For those who do, the main reason was for reading and writing.
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
HOW IMPORTANT IS FUNCTIONALITY AND EASE OF USE OF DEVICE? 3 5% 4 24% 5 70% NOT APPLICABLE 1% Please use a 5-point scale, where 5 is Extremely Important and 1 is Not Important.
HOW IMPORTANT IS EASE WHAT ARE THE BENEFITS OF USE AND FUNCTIONOF BYOD? ALITY IN YOUR WORK When asked what the benefits of DEVICES? BYOD, respondents were able to
Of the provided responses, 71% believed that “allowing people to work on most comfortable device,� was the greatest benefit, followed by improved productivity (58%), and cost savings (55%). Respondents submitted additional benefits such as not having to carry multiple devices, more modern equipment, facilitating telework, and improved usability.
The survey also found other benefits for BYOD policies. For instance, the survey finds that 79 percent of respondents believe that BYOD select all that applied from cost sav- could have a positive impact on When asked how important funcings, allowing people to work on employee satisfaction, productivity tionality is and the ease of use of dethe most comfortable device, and and employee engagement. vices, respondents overwhelmingly improved productivity. Responselected 5 (70%), followed distantly dents were also provided the oppor- Respondents elaborated on their by 4 (24%) and 3 (6%). tunity to report additional benefits. answers by stating: 10
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
WHAT ARE THE BENEFITS OF BRING YORU OWN DEVICE?
71% 58%
55%
29.7% 29%
COST SAVINGS
ALLOW PEOPLE TO WORK ON MOST COMFORTABLE DEVICES
• “It will only help engagement and satisfaction for those who have more current devices that they can use in lieu of the federally-provided equipment. Those who do not will most likely be angrier at the change in policy and disparity in equipment” • “Many employees would be able to perform work wherever they wanted” • “Having an all-in-one solution aids productivity” • “Supports flexible work hours” • “Supports telework and other mobility initiatives” The three core benefits -- cost savings, efficiency and productivity -- are typically contested. There are many ways to look at how BYOD can potentially save costs within
OTHER
IMPROVED PRODUCTIVITY
an agency. Our survey found that 55 percent of respondents believed cost saving was a benefit. Generally, cost savings can be found reduced device costs, shared data plans, and increased productivity. By allowing employees to work on their desired platform, they will become more efficient using the tools they know best. Employees may use a PC for work purposes, but a Mac for personal use. By allowing the employee to select which tool to use, they are able to work on systems they are most comfortable in.
al’s personality and personal productivity. One of the benefits is that if a person is very proficient on a device, they should take that proficiency into the workplace, rather than learning how to be minimally proficient with the government provided device. I can’t overemphasize how important personal productivity is across the enterprise.”
Similar to efficiency, by enabling employees to work on the tool they feel most comfortable with, employees will be able to accomplish Kimberly Hancher stated in an in- tasks quicker and easier since they terview with GovLoop Research have higher fluency on the tools Analyst, Pat Fiorenza, “From an they are using. employee standpoint, I think that smartphones and tablets have become an extension of an individu11
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
DO YOU BELIEVE THAT BRING YOUR OWN POLICIES CAN SERVE AS A RETENTION AND RECRUITMENT TOOL?
WHAT IS THE LARGEST ROADBLOCK YOU HAVE SEEN TO IMPLEMENTING BRING YOUR OWN DEVICE WITHIN YOUR AGENCY/DEPARTMENT?
57%
55%
44%
19% LACK OF ORGANIZATIONAL SUPPORT
NO IT INFRASTRUCTURE TO SUPPORT MULTIPLE DEVICES
56%
47%
COSTS
OTHER
NO
WOULD BYOD HELP TO RECRUIT AND RETAIN EMPLOYEES?
WHAT ARE YOUR ROADBLOCKS TO ADOPTION? Finally, when asked what the largest roadblocks to developing a BYOD policy were, respondents were able to select all that apply from the following options: lack of organizational support, no IT infrastructure support, or costs. The biggest roadblock was perceived to be lack of organizational support (57%), followed by no IT infrastructure to support multiple devices (55%) and costs (19%). Respondents also had the opportunity to submit other roadblocks or challenges for im-
YES
plementing BYOD. Respondents commonly stated “security” as a concern. Further, some respondents cited laws in their home states, in which any device used for work purposes becomes part of the public record and subject to disclosure. One respondent summed up these roadblocks by listing, “lack of policy, no clear way to reimburse staff for data plans on own devices, [and] inconsistent IT policies to support personal devices.”
12
When asked if they believed a BYOD policy could serve as a retention and recruitment tool, 56% of respondents said, “Yes.” and 44 percent said, “No.” Survey participants commented, “This is too small an issue to make the difference if someone chooses to work here or not;” “It may appear that agencies are shifting costs to employees”; “This is especially true for millennials and teleworkers”; “increased flexibility is attractive;” and finally that “It shows your office is forward thinking, savvy, and efficient.”
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
CHALLENGES AND BEST
Practices for Bring Your Own Device
Although there are many potential benefits to BYOD, there are also challenges to fully leverage these benefits. Guided by the results of the GovLoop survey, this section will serve as a roadmap to help you navigate through common challenges while considering implementing a BYOD policy.
coverage and related expenses has been shifted to the employee. If government employees are using their personal phone for work purposes, there should be an expectation that they are not personally incurring the cost of increased data usage from work related activities.
CHALLENGE: PROVIDING EMPLOYEE REIMBURSEMENT
Currently, the federal government has provided little direction on how best to reimburse government employees for their mobile device. Kimberly stated, “I would love to be able to offer some kind of reimbursement for business use for their personal device, but there is no precedent for that. This should be done on a government wide scale, to help agencies understand how to provide a reimbursement to employees.”
One of the main cost drivers to provide a cell phone is the cost of data plans. Kimberly Hancher stated, “With government provided devices, the cost is voice and data. With regard to BYOD program, we are looking to reduce these government costs.”
GovLoop Community Manager, Andrew Kzmarzick provides one insightful solution for employee reimbursement, “One way to address this issue is to look at other ways in which government reimburses its employees. For instance, many agencies already
As more and more agencies are looking to implement BYOD, decreasing costs is the core goal of the initiative. One of the areas of concern for BYOD is that by facilitating work on personal devices, the cost of data 13
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
reimburse or defray the cost of using public transportation for work-related travel. Could BYOD determine the average cost of an employee voice and data plan both on the enterprise and personal levels - and include an allowance for employees to cover the cost of using their own device while reducing the agency’s expenses?” Terry Hill also stated on GovLoop, “We could build on what many agencies already do for teleworkers and share the cost of services for phone, internet, and e-mail up to a maximum of $50 a month or so. This is less than agencies are typically paying just for the blackberries (about $70) a month, for a net savings of $20 per month per employee. Additional savings would be in eliminating landline phones and Ethernet systems. I don’t think there is much risk in using personal smart phones for calls and for email/internet. That way, agencies would not feel they have to block access to sites and monitor usage. Agencies would focus on keeping their operational systems secure and would no longer have to worry about office software upgrades.”
CHALLENGE:MAINTAINING SECURITY IN DIVERSE NETWORK With an increase in the number and variety of devices available to consumers, agencies with a BYOD policy are challenged to identify and retain security in a more diverse network. To manage the proliferation of personal devices being utilized for work functions, BYOD policies have moved to the forefront for IT professionals. Users want seamless access to corporate resources, no matter which device they use or where that device is connected. In addition, users are connected wirelessly to numerous network devices; printers, fax machines, and copy machines that can be accessed from employees’ personal devices.
At the top of the list for the EEOC is retaining security. “Security is at Ultimately, BYOD reimbursement the top of our list that is why we is something an agency will have to are still doing a pilot. We will condevelop, working closely with the tinue to pilot until we feel we have legal team. the appropriate level of security and 14
have a history of dealing with the appropriate risks.” Cisco has many great resources and case studies addressing how to provide security with a diverse network on their BYOD Smart Solution page. The resources provide some best practices and strategies for getting started with BYOD. As smartphones continue to become more commonplace, the use of a work phone and personal phone has become blurred. The desire for a seamless work experience has led many to using phones for both personal and work. With this phenomena happening, agencies need to train employees on the cybersecurity threats that can compromise an agency’s mission and educate them on how to protect themselves and the organization while using multiple devices.
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
Best Practice: Assess Network Government agencies should start by identifying what devices already access their network, as well as the rights, privileges, and the information of each device. This will provide valuable insights for the organization on what kind of information is readily available to network members, and how to protect the most critical information. Further, agencies should not show preference to certain devices and software. Agencies need to be flexible with different makes and models, as well as diverse platforms for devices. Being agile also means agencies should have all the latest software installed to protect the network. To properly assess the network, one strategy agencies can employ is
to profile devices as they enter the network. By profiling devices on the network, agencies will be able to make better decisions on security, identify issues, and understand what protocols they need to make for certain devices accessibility.
IN FOCUS: HOW TO BUILD TRUST IN YOUR NETWORK Cisco published a fascinating white paper entitled, Cybersecurity: Build Trust, Visibility, and Resilience, that addresses security issues across the Internet, and what government leaders and IT staff need to know in order to keep systems safe. The report focuses on five areas: • Understanding the proliferation of risks • Achieving a trusted network • Creating network transparency and visibility to assess risks 15
• Establishing network resilience when security incidents do occur • Working with Cisco to address trust, visibility, and resilience in the network Cybersecurity is often cited as one of the main concerns for organizations, the Cisco report states, and “The uses of multi-vector attacks are growing. Cyber criminals remain intent on targeting legitimate websites, with strategically timed; multi-vector spam attacks in order to establish key loggers, back doors, and bots. Criminals plan their malware to arrive unannounced and stay resident for long periods. Regardless of your market sector, the threat is growing.” To address this concern the report pays particular focus to “trust,” which Cisco says is typically overused in cyber security discussions
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
P
A
S
S
W
O
but is a fundamental practice that needs to be established within an organization. Cisco asks pointed questions about trust, including: • Whom can you trust within your network? • Can you trust how devices are connected to your network? • Can you trust that you are not exposed to unnecessary risks? Cisco then provides three steps to provide trust within your network: • Asset Discovery and Management: Validating user and device identity at the system point of entry and maintaining a state of trust • Configuration Management and Remediation: Identifying misconfiguration and vulnerability so that corrective actions can occur to assure policy compliance and risk reduction • Architectural Optimization: Design and feature application combined with best practices to create
R
D
a threat-resistant and risk-tolerant should be working through with infrastructure agency attorneys: This is an important white paper to view. By implementing a BYOD program, your agency is opening the door to more threats and needs to prepare by taking the proper security precautions.
CHALLENGE: ANTICIPATING LEGAL AND POLICY CHALLENGES
• Who owns the device? • Who is responsible for damages, lost equipment, and periodic maintenance? • How will installation of software occur on devices? • Who is responsible to upgrade equipment’s software? • What kind of apps can be installed on the device? If this is a personal device, what kind of control does the employer have? • What functions of the phone may be banned from use? • Can the employee use the camera to take photos or record video, when and where? • How can the rules be enforced? • How does BYOD fit with existing policies, i.e., social media?
There are a handful of legal and policy challenges that arise from BYOD. For managers and executives in government, the best place to start with BYOD is crafting your policy, and prior to publishing, have a conversation with your agencies attorneys. Enabling employees to use their personal phone may open Pandora’s box for the legal The answers to some of these questeam. Here are some questions you tions may seem obvious, but ad16
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
transparent security policy is engaging key stakeholders from the very beginning of the process. In doing so, an organization will be able to gather feedback, understand needs; addresses concerns, and build support for BYOD initiatives.
dressing them in your agency’s BYOD policy is necessary. While thinking through what works best for your agency, these best practices may guide your thinking.
Best Practice: Create Transparent Security Processes As most users have experienced, mobile devices are often lost or stolen. For users on the go, therefore, the convenience of access to private information on personal devices requires additional security measures.
general user policy. Guidelines for the frequency of password changes should also be provided. Depending on security needs, devices may also be equipped with biometric security. Although expensive, voice recognition or fingerprint scans can be installed on smart devices. Most BYOD policies also require devices to be equipped with remote wiping capability. As Kimberly Hancher from the EEOC told Chris Dorobek on the DorobekINSIDER, “[the EEOC] enforce[s] password complexity and history [...], and we also have a policy where if a phone is lost or stolen, we have the ability to do a full wipe of the device.” Kimberly recommends that users back up their personal and data files in case the device is lost or stolen and a full wipe needs to be performed.
First, personal devices should have password settings enabled if they have access to work-related information. Guidelines should be provided for password length. The simple password settings on many devices can easily be adjusted to accommodate more complex passwords. Required length and character variety should be consistent with One of the key elements to having a 17
Kimberly Hancher stated, “Include key stakeholders, legal support, your HR group and your end users. I put together an advisory group of legal, HR, finance, and also put together an end user group to give feedback of features and what their reactions are to security measures we set up, to make sure that BYOD is really usable.”
Best Practice: Establish Ownership of Data – Silo Personal and Professional Data While the personal device may belong to the employee, they will not own all data on that device. To avoid potential ownership issues, it is important to establish ownership upfront, and make sure there is a clear process for removing agency data from the device that is differentiated for diverse circumstances. Likewise, a best practice is to “silo” personal and professional data. Work information accessed and
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
stored on a personal device clearly still belongs to the organization, not the individual. Personal devices are also used, however, to store music, photos and other personal data that is created or purchased by employees. This combination of personal and private data can create issues in the event that a device is lost or stolen, if there is a security concern, or when an employee exits the organization. One approach to dealing with the blurring of personal and private data is containerization. This approach to data management would enable users to compartmentalize personal and work data, utilizing virtual desktop infrastructure and cloud computing. If data is separated along these lines, containerization of data can allow for a selective wipe to specifically target work-related information. As Kimberly Hancher from the EEOC explained to Chris Dorobek on the DorobekINSIDER, “[The EEOC is] experimenting during this phase of the pilot with something we’re calling selective wipe which means that it removes only the business portion of the data from the device. So if, for example, it is recovered, just the business data would have been eliminated.”
In the event that an individual leaves the organization, there should be a process laid out for wiping enterprise information from that device. Agencies should carefully consider their policy for remote wiping in the event that an employee leaves unexpectedly. Jerry Rhoads on GovLoop stated, “Technically speaking, the government should, in my opinion keep the biz side of the phone separate or “siloed out” from the “Angry Birds” part of the phone.” Jerry continued to provide more insights, stating, “Maybe we should change the paradigm of managing the user/device and change to managing the user’s experience. My thoughts are when at work, put the smart phone into “work” mode, when on a break or at home --switch to personal mode.” Best Practice: Regulate User Applications
Best Practice: Regulate User Applications There are a steadily increasing number of applications available for users of any device, and keeping up with these applications is a daunting task. It is important for an agency to think through their policy 18
toward work-related and personal applications, as all device applications may have an impact on network security. There are three ways to mitigate this risk: 1) Employee Education Helping users understand the data risks created by downloading and using questionable applications is the most effective method to manage applications. While policies may set parameters for what types of applications users can download and forbid some outright, educating employees about security risks will result in a higher level of compliance. 2) Application Store To moderate what kinds of applications users download, some agencies have set up an application store with company-approved applications. This approach to application management allows agencies to choose specific work-related
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
service providers to address. Less I N F O C U S : M I N N E A P O L I S technically savvy employees may be less inclined to use their own devic- A P P S T O R E es for work if they are aware of their responsibility for any problems or The city of Minneapolis is leading the way as early adopters and repairs. supporters of BYOD. They have 3) Acceptable Use Agreements Many organizations already have Kimberly Hancher and the EEOC innovated a unique approach to Acceptable Use Agreements (AUA) created two working documents support Apple products. While for employees regarding social me- to clarify how employees can use an ideal BYOD policy would supdia use. An organization’s BYOD government commissioned phones port a variety of products, includpolicy for social media applications and personal devices under BYOD, ing Android devices, this example should be consistent with existing “Along with the BYOD rules of be- provides a possible framework for AUAs. havior, we also created a separate BYOD services and support. (City document for government owned Website Source) applications for employees to use, and can also be utilized to approve personal applications if an agency decides to strictly regulate personal apps.
Best Practice: Provide Device mobile devices, to be able to distinguish between two sets of rules if The city offers Apple users two serSupport Guidelines you are given a government owned vice packages to accommodate the With employees purchasing their own devices and service plans, it is necessary for organizations to decide whether or not they will provide service and support. Some company software may require inhouse tech support, but issues with call service, reception, and connection most likely should be left for
device. We clearly outline what the expectations and the guidance that we give you, so that way people can see what the differences are.” This is a great best practice to help clarify any uncertainty about what kind of support will be provided to employees.
19
needs of users.
• Basic Service: Their basic service provides access to work email, calendar, tasks and contacts. There is no cost associated with the basic service, and is available to all employees.
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
• Premiere Service: This service provides access to work email, calendar, tasks and contacts, as well as access to VPN, CityTalk and City network drives and folders. The Premiere Service also offers access to the new Minneapolis App Store, which offers work-related productivity apps and training material. There is a one-time enrollment fee of $100 for this service.
utilize to access the network and manipulate documents are provided by the city, which allows for additional data security. This also simplifies tech support by selecting the best applications for each process. Establishing software support parameters is also clearer – if an application is available through the City app store, user support is provided.
The city has also innovated an application store where work-related productivity applications can be found. The applications are available with the premiere service, and enable users to access and manipulate documents.
Some apps provided in the Minneapolis app store include:
CHALLENGE: BLURRING LINES BETWEEN PERSONAL AND PRIVATE
• Cisco AnyConnect: VPN software to connect to the City network • File Browser: Once connected to the City network, this tool facilitates browsing drives • iAnnotate: Allows ability to read and edit .pdf documents
The lines between personal and private lives have progressively blurred as technology has evolved. Implementing a BYOD policy allows employees to access their work from any location. While this can be lib-
This approach to application management provides several advantages. The applications employees
20
• QuickOffice Pro HD: Microsoft office productivity tool With this range of applications, iPads have the same utility as a desktop computer or laptop. Expanding this model to support all tablets will increase the appeal and effectiveness of their BYOD policy. (Source Interview)
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
GOVLOOP RESOURCES How Do You Retain Security With BYOD? BYOD and Beyond EEOC Cuts Costs With BYOD Pilot Program What Would You Put in a Bring Your Own Device Strategy Trends on Tuesday: Great American Smartphone Migration Trends on Tuesday: Smartphone Separation Anxiety
erating for some, it also means that unanswered work emails and voice mails, uncompleted tasks and to-do lists, and unfinished documents are readily available. As employees are bringing their own devices home as well, with BYOD it is no longer possible to physically leave work at work. Since work is readily available, it is important to establish expectations and boundaries. Without an organization-wide approach, employees may feel pressure to do more at home. Having guidelines that accommodate a work/life balance is important, but just as important is setting an example from the top down.
Best Practice: Promote Work/ Life Balance
Constantly having a device connected to work may allow for greater responsiveness, but organizations will benefit from establishing clear expectations regarding work hours. While 24/7 responsiveness can sound appealing in theory, in practice this often leaves employees feeling less satisfied with their work and less productive in the long run.
Best Practice: Lead By Example
The best-intentioned organization can still fail to create an environment that promotes work/life balance if leadership does not model these behaviors. If managers are texting and sending emails timestamped at 1:00 a.m., employees may feel pressure to work around the clock as well. For managers who Organizations can benefit from have adopted BYOD, it is imporestablishing a culture that values tant to consider the impact your time off and respects the work/life work hours may have on organizabalance of employees. Establishing tional culture. this kind of work culture involves discouraging unnecessary afterhours emails, phone calls, and text messages. Also, agencies should set reasonable expectations regarding response time for communication not during the organization’s hours of operation. 21
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
CONCLUSION
Government at all levels is looking to find new and innovative ways to save money, cut costs and deliver increased services to citizens. As budgets continue to tighten, initiatives like BYOD become more and more appealing to government agencies. Agencies must embrace new ways of thinking, and engage in new initiatives designed to cut costs and increase efficiency. BYOD is only one part of the solution. As government problems and system become more complex, so does the workplace. BYOD is one solution to help facilitate an increasingly mobile and active workforce, allowing people to work when and how they want. This report provided an overview of a recent survey and best practices to overcome common roadblocks to BYOD. If you are interested in more information, be sure to visit GovLoop and connect with like-minded professionals engaged in BYOD development.
22
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
TOP 5 NEXT
Steps for BYOD at Your Agency With BYOD, there are many ways to bring BYOD into your agency. After reading through this report, here is the need to know information on next steps to initiate a bring your own device strategy at your agency.
STEP 3: CRAFT INTERNAL POLICY FOR BYOD After you have met with key stakeholders and the agency’s legal team, begin to craft the BYOD policy. This guide has dozens of best practices and tips of what should be included in the policy, but also be sure to incorporate feedback from the legal team and agency leaders.
STEP 1: MEET WITH KEY STAKEHOLDERS TO DEVELOPE PILOT PLAN At the very onset of developing your BYOD policy, agency leads should sit down with key stakeholders within the agency to discuss what a BYOD initiative looks like. Staff members from all functional areas should be present, to provide input and feedback. This will also help develop buy-in and create a unified vision for the agency’s BYOD program.
STEP 4: ANNOUNCE PROGRAM TO EMPLOYEES Like with any program, announcing and selling the program to employees is critical. If this program is a pilot program, be careful how you select employees and develop a team.
STEP 2; MEET WITH LEGAL TEAM
STEP 5: ITERATE, REVIEW OUTCOMES,IMPROVE BYOD STRATEGY
After meeting with stakeholders, be sure to follow up and meet with the legal team to discuss the program and be sure that all legal requirements have been met. BYOD is very new in government, and there is a lack of legal precedent. Be sure to meet with legal advisors to mitigate legal risks.
Once the program has been initiated, be sure to set up periodic check points with end users and administrators so they can provide feedback on the program. This information will be critical for the agency to learn how to improve future BYOD initiatives, with input coming from the core stakeholders. 23
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
ABOUT THE AUTHORS
Pat Fiorenza – GovLoop Research Analyst Pat is currently a Research Analyst at GovLoop. Through the creation of blogs, research reports, guides, in-person, and online events, Pat helps to identify and find best practices to share with the GovLoop community. Pat received his Masters of Public Administration degree from the Maxwell School of Citizenship and Public Affairs at Syracuse University. Lindsey Tepe – GovLoop Fellow Lindsey is currently a Fellow at GovLoop. In this role, Lindsey assists with the development of content creation. This includes writing of blogs, research reports and facilitating community engagement on GovLoop. Lindsey received her Masters of Public Administration from the Maxwell School of Citizenship and Public Affairs at Syracuse and is a former Teach for America Fellow. Jeff Ribeira-GovLoop Content and Community Coordinator Jeff is the Content and Community Coordinator at GovLoop and manages all creative and technical development projects. Vanessa Vogel-GovLoop Design Fellow Vanessa is currently a Design Fellow at GovLoop. She recently graduated from Brigham Young University with a Bachelors degree in Graphic Design.
24
EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECOTR
Cisco is the worldwide leader in networking that transforms how Government and Education connect, communicate, and collaborate. Since 1984, Cisco has led in the innovation of IPbased networking technologies, including routing, switching, security, TelePresence systems, unif ied communications, video, and wireless. The company’s responsible business practices help ensure accountability, business sustainability, and environmentally conscious operations and products. Our technology is changing the nature of work and the way we serve, educate, and defend. Helping government agencies maximize ef fectiveness in key areas:
· · · · · ·
Cloud Computing Data Center Consolidation Cyber Security Mobile (Mobile Collaboration) Telework Bring Your Own Device
For more information, visit www.cisco.com/go/usgov
25