2. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
CONTENTS
About GovLoop 4
Executive Summary 5
Summary of Survey Findings 6
Do You Have a BYOD Policy? 7
Should Your Agency Provide a Device for You? 8
Do You Use Your Personal Phone for Work? 9
How Important is Ease of Use and Functionality in Your Work Devices? 10
What Are the Benefits of BYOD? 10
Would BYOD Help to Recruit and Retain Employees? 12
What Are Your Roadblocks to Adoption? 12
Challenges and Best Practices for Bring Your Own Device 13
Challenge: Providing Employee Reimbursement 13
Challenge: Maintaining Security in Diverse Network 14
Best Practice: Assess Network 15
In Focus: How to Build Trust in Your Network 15
Challenge: Anticipating Legal and Policy Challenges 16
Best Practice: Create Transparent Security Processes 17
Best Practice: Establish Ownership of Data – Silo Personal and Professional Data 17
Best Practice: Regulate User Applications 18
Best Practice: Provide Device Support Guidelines 19
2
3. A RESEARCH REPORT FROM GOVLOOP AND CISCO
In Focus: Minneapolis App Store 19
Challenge: Blurring Lines Between Personal and Private 20
Best Practice: Promote Work / Life Balance 21
Best Practice: Lead By Example 21
GovLoop Resources 21
Overview of White House BYOD Toolkit 22
BYOD in Brief: Expert Insights with Cisco’s David Graziano 24
Conclusion 26
Top 5 Next Steps for BYOD at Your Agency 27
Step 1: Meet With Key Stakeholders to Develop Pilot Plan 27
Step 2: Meet with Legal Team 27
Step 3: Craft Internal Policy for BYOD 27
Step 4: Announce Program to Employees 27
Step 5: Iterate, Review Outcomes, Improve BYOD Strategy 27
About the Authors 28
Pat Fiorenza:GovLoop Research Analyst 28
Lindsey Tepe: GovLoop Fellow 28
Jeff Ribeira: GovLoop Content and Community Coordinator 28
Vanessa Vogel: GovLoop Design Fellow 28
3
4. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
ABOUT GOVLOOP
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public sector profes-
sionals by serving as the knowledge network for government. GovLoop connects more than 60,000 members,
fostering government collaboration, solving common problems and advancing government careers.
The GovLoop community has been widely recognized across multiple sectors as a core resource for information
sharing among public sector professionals. GovLoop members come from across the public sector; including
federal, state, and local public servants, industry experts, as well as non-profit, association and academic partners.
In brief, GovLoop is the leading online source for addressing public sector issues.
In addition to being an online community, GovLoop works with government experts and top industry partners
to produce valuable resources and tools, such as guides, infographics, online training, educational events, and a
daily podcast with Chris Dorobek, all to help public sector professionals do their jobs better.
GovLoop also promotes public service success stories in popular news sources like the Washington Post, Huff-
ington Post, Government Technology, and other industry publications. Thank you to our sponsor, Cisco, for
sponsoring this research report.
Location
GovLoop is headquartered in Washington D.C., where a team of dedicated professionals share a common com-
mitment to connect and improve government.
GovLoop
734 15th St NW, Suite 500
Washington, DC 20005
Phone: (202) 407-7421
Fax: (202) 407-7501
4
5. A RESEARCH REPORT FROM GOVLOOP AND CISCO
EXECUTIVE SUMMARY
For years, people have been using their own laptop, Public Sector at Cisco. Kimberly was one of the early
computer, or phone for work. Now, more than ever adopters of BYOD in the federal government, her
before, people desire to work on the device of their perspectives in this report provides insights on the
choice, anywhere and at any time. In this mobile en- evolution and challenges of BYOD programs in the
vironment, public sector agencies are challenged to federal government.
find new and innovative ways to connect employees
across multiple devices. Kimberly states, “The BYOD policy is our first to be
issued and it will be revised as we evolve the program,
With these new expectations, government agencies we are currently in a beta pilot. We started out with
are challenged to manage multiple users, develop rules of behavior, privacy, and expectations for people
policies, and retain security in a versatile and diverse who bring their personally owned device.”
network. Additionally, public sector entities must
provide the right IT infrastructure and support for This report is by no means a finished project. It is
numerous devices and operating systems. our sincere hope that after reading this report, you
will work to improve how BYOD operates in your
The GovLoop Research Report, Exploring Bring Your agency, drive innovation in government, and share
Own Device in Government, will provide expert in- your newfound knowledge on GovLoop. In doing so,
sights from those in the trenches of BYOD policy. you will help facilitate knowledge sharing across the
This report also provides a summary of a recent survey public sector, helping colleagues tackle similar BYOD
conducted by GovLoop in 2012, administered to 103 challenges they are facing.
members from the GovLoop community.
In today’s mobile environment, BYOD is becoming
For this report GovLoop Research Analyst, Pat Fio- more and more a reality. Now is the time for agencies
renza, recently spoke with Kimberly Hancher, Chief to embrace BYOD, and learn how to make BYOD
Information Officer (CIO) at the U.S. Equal Employ- work at their agency. “Stop talking and start doing
ment Opportunity Commission (EEOC) and David it, you can talk about it forever, you just need to get
Graziano, Director, Security and Unified Access, US started,” stated Kimberly.
5
6. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
SUMMARY OF
SURVEY FINDINGS
This section provides an overview and key findings FEDERAL 62%
from GovLoop’s online survey. Throughout the re-
port we have addressed several of the key challenges LOCAL 20%
of bring your own device initiatives identified from
the survey. The GovLoop survey was conducted from STATE 18%
June 8 to July 2, 2012, and had a total of 103 par-
ticipants. The survey was developed to explore com- WHAT LEVEL OF
mon trends regarding BYOD from the GovLoop GOVERNMENT DO
community, with the goal of better understanding the YOU WORK FOR??
common challenges and roadblocks for BYOD in the
public sector.
Survey respondents were predominantly from the
federal level of government (62%) with the rest of the
respondents being closely divided between the state
(18%) and local (20%) levels. Respondents repre-
sented public sector entities across all levels of gov-
ernment, and many different kinds of municipalities
across the United States, including City and County
of Broomfield, WA; City of Coral Gables, FL; the De-
partments of Commerce, Energy, and Defense; and
several other federal agencies or departments.
6
7. A RESEARCH REPORT FROM GOVLOOP AND CISCO
DOES YOUR CURRENT
ORGANIZATION HAVE
A BRING YOUR OWN
DEVICE POLICY?
NO 80%
YES 20%
The survey questions asked respon-
dents to answer several multiple-
choice questions as well as rank
statements on a scale of 1 to 5, with
5 representing the highest score and HOW DESIRABLE
1 representing the lowest. WOULD A BRING YOUR
OWN DEVICE POLICY BE
DO YOU HAVE A BYOD FOR YOUR AGENCY?
POLICY? 1 12%
Results indicate that the majority 2 5%
of respondents’ organizations do
not currently have a BYOD policy 3 17%
(80%), while only 20% stated their
4 19%
agency currently has a policy.
5 43%
When asked how desirable a BYOD
policy is at their agency, 62% of re- NOT APPLICABLE 5%
spondents indicated that it would
be desirable or extremely desirable. Please use a 5-point
Of the remaining respondents, scale, where 5 is
Extremely Desirable
17% selected 3, 12% selected 1, and 1 is Not Desirable.
5% selected 2; 5% responded that
this question was not applicable.
7
8. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
IS IT NECESSARY
FOR GOVERNMENT TO
PROVIDE A DEVICE
FOR EMPLOYEES?
56%
44%
HOW IMPORTANT IS IT
FOR AN ORGANIZATION
TO PROVIDE YOU WITH
A DEVICE?
1 9%
NO YES 2 14%
3 23%
4 24%
SHOULD YOUR AGENCY 5 27%
PROVIDE A
DEVICE FOR YOU? NOT APPLICABLE 3%
Please use a 5-point
Respondents were asked if it is nec- scale, where 5 is
essary for government to provide a Extremely Desirable
and 1 is Not Desirable.
device to employees. 56 percent of
respondents said “Yes,” and 44 per-
cent said, “No.”
Below are some examples from re- Additionally, respondents were
Expanding upon their answers, par- spondents who do not believe gov- asked to rank how important it is
ticipants who responded “yes” gave ernment should provide a device to for their organization to provide de-
these specific reasons: employees: vices to employees.
The majority of participants (51%)
of government supplied IT equip- use my personal device” responded with a 4 or 5. Of the re-
ment” maining respondents, 23% chose
a device suitable for government 3, 14% chose 2, 9% chose 1, and
work” finally, 3% indicated the question
availability” was not applicable.
there should be a limit as to how
that could arise with bring your much an employee must be asked
own device” to contribute”
8
9. BY A RESEARCH REPORT FROM GOVLOOP AND CISCO
DO YOU USE YOUR
PERSONAL PHONE FOR
WORK PURPOSES?
41%
33% 35%
30%
21%
13%
YES- EMAIL YES- SOCIAL YES- ENTERING YES-READING & NO OTHER
NETWORKS TIME/EXPENSES/ WRITING
RELATED BUSINESS
FUNCTIONS
DO YOU USE YOUR
PERSONAL PHONE FOR
WORK?
Survey participants were asked (21%); entering time, expenses and calls, occasional emails and texting,
how they use their personal phonerelated business functions (13%); and receiving business-related noti-
for work purposes, with the op- and reading and writing (30%). fications from customer mobile ap-
tion to check all responses that plications. The same question was
apply and report additional uses.Thirty-three percent (33%) of re- asked regarding tablets, with the
spondents reported they do not majority of respondents stating they
Respondents indicated that they use their personal phone for work do not use their personal tablet for
utilized their personal phones functions. For those who reported work. For those who do, the main
for email (41%); social networks additional uses, they listed phone reason was for reading and writing.
9
10. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
HOW IMPORTANT
IS FUNCTIONALITY
AND EASE OF USE OF
DEVICE?
3 5%
4 24%
5 70%
NOT APPLICABLE 1%
Please use a 5-point
scale, where 5 is Of the provided responses, 71%
Extremely Important believed that “allowing people to
and 1 is Not Important.
work on most comfortable device,”
was the greatest benefit, followed
by improved productivity (58%),
and cost savings (55%). Respon-
dents submitted additional benefits
such as not having to carry multiple
HOW IMPORTANT IS EASE WHAT ARE THE BENEFITS devices, more modern equipment,
OF USE AND FUNCTION- OF BYOD? facilitating telework, and improved
usability.
ALITY IN YOUR WORK When asked what the benefits of
DEVICES? BYOD, respondents were able to The survey also found other benefits
select all that applied from cost sav- for BYOD policies. For instance,
When asked how important func- ings, allowing people to work on the survey finds that 79 percent
tionality is and the ease of use of de- the most comfortable device, and of respondents believe that BYOD
vices, respondents overwhelmingly improved productivity. Respon- could have a positive impact on
selected 5 (70%), followed distantly dents were also provided the oppor- employee satisfaction, productivity
by 4 (24%) and 3 (6%). tunity to report additional benefits. and employee engagement.
10
11. A RESEARCH REPORT FROM GOVLOOP AND CISCO
WHAT ARE THE
BENEFITS OF BRING
YORU OWN DEVICE?
71%
55% 58%
29.7%
29%
COST SAVINGS ALLOW PEOPLE TO WORK IMPROVED OTHER
ON MOST COMFORTABLE PRODUCTIVITY
DEVICES
Respondents elaborated on their many ways to look at how BYOD employee standpoint, I think that
answers by stating: can potentially save costs within an smartphones and tablets have be-
agency. come an extension of an individ-
ual’s personality and personal pro-
and satisfaction for those who have Our survey found that 55 percent ductivity.
more current devices that they can of respondents believed cost sav-
use in lieu of the federally-provided ing was a benefit. Generally, cost One of the benefits is that if a per-
equipment. Those who do not will savings can be found reduced de- son is very proficient on a device,
most likely be angrier at the change vice costs, shared data plans, and they should take that proficiency
in policy and disparity in equip- increased productivity. By allowing into the workplace, rather than
ment” employees to work on their desired learning how to be minimally profi-
platform, they will become more cient with the government provided
to perform work wherever they efficient using the tools they know device. I can’t overemphasize how
wanted” best. Employees may use a PC for important personal productivity is
- across the enterprise.”
aids productivity” sonal use. By allowing the employee
to select which tool to use, they are Similar to efficiency, by enabling
- able to work on systems they are employees to work on the tool they
bility initiatives” most comfortable in. feel most comfortable with, em-
ployees will be able to accomplish
The three core benefits, cost sav- Kimberly Hancher stated in an in- tasks quicker and easier since they
ings, efficiency and productivity terview with GovLoop Research
are typically contested. There are Analyst, Pat Fiorenza, “From an they are using.
11
12. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
WHAT IS THE LARGEST ROADBLOCK DO YOU BELIEVE THAT BRING
YOU HAVE SEEN TO IMPLEMENTING YOUR OWN DEVICE CAN
BRING YOUR OWN DEVICE WITHIN SERVE AS A RETENTION AND
YOUR AGENCY/DEPARTMENT? RECRUITMENT TOOL?
57% 55% 56%
47%
44%
19%
LACK OF NO IT INFRASTRUC- COSTS OTHER
ORGANIZATIONAL TURE TO SUPPORT
SUPPORT MULTIPLE DEVICES
NO YES
WHAT ARE YOUR WOULD BYOD HELP TO
ROADBLOCKS TO RECRUIT AND RETAIN
ADOPTION? EMPLOYEES?
Finally, when asked what the largest or challenges for implementing When asked if they believed a
roadblocks to developing a BYOD BYOD. Respondents commonly BYOD policy could serve as a re-
policy were, respondents were able stated “security” as a concern. Fur- tention and recruitment tool, 56%
to select all that apply from the fol- ther, some respondents cited laws of respondents said, “Yes.” and 44
lowing options: lack of organiza- in their home states, in which any percent said, “No.” Survey par-
tional support, no IT infrastructure device used for work purposes be- ticipants commented, “This is too
support, or costs. comes part of the public record and small an issue to make the difference
subject to disclosure. if someone chooses to work here or
The biggest roadblock was per- not;” “It may appear that agencies
ceived to be lack of organizational One respondent summed up these are shifting costs to employees”;
support (57%), followed by no IT roadblocks by listing, “lack of pol- “This is especially true for millen-
infrastructure to support multiple icy, no clear way to reimburse staff nials and teleworkers”; “increased
devices (55%) and costs (19%). for data plans on own devices, [and]
Respondents also had the oppor- inconsistent IT policies to support that “It shows your office is forward
tunity to submit other roadblocks personal devices.” thinking, savvy, and efficient.”
12
13. A RESEARCH REPORT FROM GOVLOOP AND CISCO
CHALLENGES AND BEST
Practices for Bring
Your Own Device
Although there are many potential benefits to BYOD, coverage and related expenses has been shifted to the
there are also challenges to fully leverage these ben- employee. If government employees are using their
efits. Guided by the results of the GovLoop survey, personal phone for work purposes, there should be an
this section will serve as a roadmap to help you navi- expectation that they are not personally incurring the
gate through common challenges while considering cost of increased data usage from work related activi-
implementing a BYOD policy. ties.
CHALLENGE: PROVIDING EMPLOYEE Currently, the federal government has provided little
direction on how best to reimburse government em-
REIMBURSEMENT ployees for their mobile device. Kimberly stated, “I
would love to be able to offer some kind of reimburse-
One of the main cost drivers to provide a cell phone ment for business use for their personal device, but
is the cost of data plans. Kimberly Hancher stated, there is no precedent for that. This should be done on
“With government provided devices, the cost is voice a government wide scale, to help agencies understand
and data. With regard to BYOD program, we are how to provide a reimbursement to employees.”
looking to reduce these government costs.”
-
As more and more agencies are looking to implement zick provides one insightful solution for employee
BYOD, decreasing costs is the core goal of the initia- reimbursement, “One way to address this issue is to
tive. One of the areas of concern for BYOD is that by look at other ways in which government reimburses
facilitating work on personal devices, the cost of data its employees. For instance, many agencies already
13
14. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
reimburse or defray the cost of
using public transportation for
work-related travel. Could BYOD
determine the average cost of an
employee voice and data plan -
both on the enterprise and personal
levels - and include an allowance for
employees to cover the cost of using
their own device while reducing the CHALLENGE:MAINTAINING
agency’s expenses?”
SECURITY IN DIVERSE
Terry Hill also stated on GovLoop, NETWORK
“We could build on what many
agencies already do for teleworkers With an increase in the number have a history of dealing with the
and share the cost of services for and variety of devices available to appropriate risks.”
phone, internet, and e-mail up to consumers, agencies with a BYOD
a maximum of $50 a month or so. policy are challenged to identify and Cisco has many great resources and
This is less than agencies are typi- retain security in a more diverse net- case studies addressing how to pro-
cally paying just for the blackber- work. To manage the proliferation vide security with a diverse network
ries (about $70) a month, for a net of personal devices being utilized on their BYOD Smart Solution
savings of $20 per month per em- for work functions, BYOD poli- page. The resources provide some
ployee. Additional savings would cies have moved to the forefront for best practices and strategies for get-
be in eliminating landline phones IT professionals. Users want seam- ting started with BYOD.
and Ethernet systems. I don’t think less access to corporate resources,
there is much risk in using personal no matter which device they use or As smartphones continue to be-
smart phones for calls and for e- where that device is connected. In come more commonplace, the use
mail/internet. That way, agencies addition, users are connected wire- of a work phone and personal phone
would not feel they have to block lessly to numerous network devices; has become blurred. The desire for
access to sites and monitor usage. printers, fax machines, and copy a seamless work experience has led
Agencies would focus on keeping machines that can be accessed from many to using phones for both per-
their operational systems secure employees’ personal devices. sonal and work. With this phenom-
and would no longer have to worry ena happening, agencies need to
about office software upgrades.” At the top of the list for the EEOC train employees on the cybersecu-
is retaining security. “Security is at rity threats that can compromise an
Ultimately, BYOD reimbursement the top of our list that is why we agency’s mission and educate them
is something an agency will have to are still doing a pilot. We will con- on how to protect themselves and
develop, working closely with the tinue to pilot until we feel we have the organization while using mul-
legal team. the appropriate level of security and tiple devices.
14
15. A RESEARCH REPORT FROM GOVLOOP AND CISCO
To properly assess the network,
Best Practice: Assess Network one strategy agencies can employ is
to profile devices as they enter the and visibility to assess risks.
Government agencies should start network. By profiling devices on
by identifying what devices already the network, agencies will be able when security incidents do occur .
access their network, as well as the to make better decisions on secu-
rights, privileges, and the informa- rity, identify issues, and understand trust, visibility, and resilience in the
tion of each device. what protocols they need to make network.
for certain devices accessibility.
This will provide valuable insights Cybersecurity is often cited as one
for the organization on what kind
of information is readily available to I N F O C U S : H O W T O B U I L D
of the main concerns for organiza-
tions, the Cisco report states:
network members, and how to pro- T R U S T I N Y O U R N E T W O R K
tect the most critical information. “The uses of multi-vector attacks
Cisco published a fascinating white are growing. Cyber criminals re-
Further, agencies should not show paper entitled, Cybersecurity: Build main intent on targeting legitimate
preference to certain devices and Trust, Visibility, and Resilience, websites, with strategically timed;
- that addresses security issues across multi-vector spam attacks in order
ible with different makes and mod- the Internet, and what government to establish key loggers, back doors,
els, as well as diverse platforms for leaders and IT staff need to know and bots. Criminals plan their mal-
devices. in order to keep systems safe. The ware to arrive unannounced and
report focuses on five areas: stay resident for long periods. Re-
Being agile also means agencies gardless of your market sector, the
should have all the latest software threat is growing.”
installed to protect the network. of risks.
15
16. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
P A S S W O R D
sure policy compliance and risk re- have a conversation with your agen-
To address this concern the report duction cies attorneys. Enabling employees
pays particular focus to “trust,” - to use their personal phone may
which Cisco says is typically over- sign and feature application com- open Pandora’s box for the legal
used in cyber security discussions bined with best practices to create team. Here are some questions you
but is a fundamental practice that a threat-resistant and risk-tolerant should be working through with
needs to be established within an infrastructure agency attorneys:
organization. Cisco asks pointed
questions about trust, including: This is an important white paper
to view. By implementing a BYOD
network? program, your agency is opening lost equipment, and periodic main-
the door to more threats and needs tenance?
connected to your network? to prepare by taking the proper se-
curity precautions. occur on devices?
exposed to unnecessary risks?
Cisco then provides three steps to CHALLENGE: equipment’s software?
provide trust within your network: -
ANTICIPATING LEGAL AND stalled on the device? If this is a per-
- POLICY CHALLENGES sonal device, what kind of control
ment: Validating user and device does the employer have?
identity at the system point of entry There are a handful of legal and
and maintaining a state of trust policy challenges that arise from be banned from use?
BYOD. For managers and execu- -
Remediation: Identifying miscon- tives in government, the best place era to take photos or record video,
figuration and vulnerability so that to start with BYOD is crafting your when and where?
corrective actions can occur to as- policy, and prior to publishing,
16
17. A RESEARCH REPORT FROM GOVLOOP AND CISCO
and data files in case the device is
lost or stolen and a full wipe needs
to be performed.
One of the key elements to having a
transparent security policy is engag-
ing key stakeholders from the very
beginning of the process. In doing
so, an organization will be able to
gather feedback, understand needs;
addresses concerns, and build sup-
simple password settings on many port for BYOD initiatives.
policies, i.e., social media? devices can easily be adjusted to
accommodate more complex pass- Kimberly Hancher stated, “Include
The answers to some of these ques- words. Required length and charac-
tions may seem obvious, but ad- ter variety should be consistent with key stakeholders, legal support,
dressing them in your agency’s general user policy. Guidelines for your HR group and your end users.
BYOD policy is necessary. While the frequency of password changes I put together an advisory group
thinking through what works best should also be provided. Depend- of legal, HR, finance, and also put
for your agency, these best practices ing on security needs, devices may together an end user group to give
may guide your thinking. feedback of features and what their
also be equipped with biometric reactions are to security measures
security. Although expensive, voice we set up, to make sure that BYOD
Best Practice: Create Transpar- recognition or fingerprint scans can
is really usable.”
ent Security Processes be installed on smart devices.
Best Practice: Establish Owner-
As most users have experienced,
mobile devices are often lost or sto- devices to be equipped with re- ship of Data – Silo Personal and
len. For users on the go, therefore, mote wiping capability. As Kim- Professional Data
the convenience of access to privateberly Hancher from the EEOC told
information on personal devices re- Chris Dorobek on the DorobekI- While the personal device may
quires additional security measures.NSIDER, “[the EEOC] enforce[s] belong to the employee, they will
password complexity and history not own all data on that device. To
First, personal devices should have [...], and we also have a policy avoid potential ownership issues, it
password settings enabled if they where if a phone is lost or stolen, we is important to establish ownership
have access to work-related in- have the ability to do a full wipe of upfront, and make sure there is a
formation. Guidelines should be the device.” Kimberly recommends clear process for removing agency
provided for password length. The that users back up their personal data from the device that is differ-
17
18. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
entiated for diverse circumstances. it is recovered, just the business data work security. There are three ways
Likewise, a best practice is to “silo” would have been eliminated.” to mitigate this risk:
personal and professional data.
In the event that an individual leaves 1) Employee Education
Work information accessed and the organization, there should be a
stored on a personal device clearly process laid out for wiping enter- Helping users understand the data
still belongs to the organization, prise information from that device. risks created by downloading and
not the individual. Personal devic- Agencies should carefully consider using questionable applications is
es are also used, however, to store their policy for remote wiping in the most effective method to man-
music, photos and other personal the event that an employee leaves age applications. While policies
data that is created or purchased unexpectedly. may set parameters for what types
by employees. This combination of of applications users can download
personal and private data can create Jerry Rhoads on GovLoop stated, and forbid some outright, educat-
issues in the event that a device is “Technically speaking, the govern- ing employees about security risks
lost or stolen, if there is a security ment should, in my opinion keep will result in a higher level of com-
concern, or when an employee exits the biz side of the phone separate or pliance.
the organization. “siloed out” from the “Angry Birds”
part of the phone.” Jerry continued 2) Application Store
One approach to dealing with the to provide more insights, stating,
blurring of personal and private - To moderate what kinds of ap-
data is containerization. This ap- digm of managing the user/device plications users download, some
proach to data management would and change to managing the user’s agencies have set up an applica-
enable users to compartmentalize tion store with company-approved
personal and work data, utilizing at work, put the smart phone into applications. This approach to ap-
virtual desktop infrastructure and “work” mode, when on a break or at plication management allows agen-
cloud computing. home --switch to personal mode.” cies to choose specific work-related
Best Practice: Regulate User Appli- applications for employees to use,
If data is separated along these lines, cations and can also be utilized to approve
containerization of data can allow personal applications if an agency
for a selective wipe to specifically Best Practice: Regulate User decides to strictly regulate personal
target work-related information. Applications apps.
As Kimberly Hancher from the 3) Acceptable Use Agreements
There are a steadily increasing num-
EEOC explained to Chris Dorobek
ber of applications available for us-
on the DorobekINSIDER, “[The
ers of any device, and keeping up
EEOC is] experimenting during Acceptable Use Agreements (AUA)
with these applications is a daunt-
this phase of the pilot with some- for employees regarding social me-
ing task. It is important for an agen-
thing we’re calling selective wipe dia use. An organization’s BYOD
cy to think through their policy
which means that it removes only policy for social media applications
toward work-related and personal
the business portion of the data should be consistent with existing
applications, as all device applica-
from the device. So if, for example, AUAs.
tions may have an impact on net-
18
19. A RESEARCH REPORT FROM GOVLOOP AND CISCO
Best Practice: Provide Device document for government owned for BYOD services and support.
Support Guidelines mobile devices, to be able to dis- (City Website Source)
tinguish between two sets of rules if
With employees purchasing their you are given a government owned The city offers Apple users two ser-
own devices and service plans, it device. We clearly outline what the vice packages to accommodate the
is necessary for organizations to expectations and the guidance that needs of users.
decide whether or not they will we give you, so that way people can
provide service and support. Some see what the differences are.” This is
company software may require in- a great best practice to help clarify provides access to work email, cal-
house tech support, but issues with any uncertainty about what kind of endar, tasks and contacts. There is
call service, reception, and connec- support will be provided to employ- no cost associated with the basic
tion most likely should be left for ees. service, and is available to all em-
service providers to address. Less ployees.
technically savvy employees may be I N F O C U S : M I N N E A P O L I S
less inclined to use their own devic- A P P S T O R E -
es for work if they are aware of their vides access to work email, calendar,
responsibility for any problems or tasks and contacts, as well as access
repairs. to VPN, CityTalk and City net-
the way as early adopters and sup- work drives and folders.
porters of BYOD. They have inno-
Kimberly Hancher and the EEOC vated a unique approach to support
created two working documents Apple products. The Premiere Service also offers ac-
to clarify how employees can use
government commissioned phones While an ideal BYOD policy would Store, which offers work-related
and personal devices under BYOD, support a variety of products, in- productivity apps and training ma-
“Along with the BYOD rules of be- cluding Android devices, this exam- terial. There is a one-time enroll-
havior, we also created a separate ple provides a possible framework ment fee of $100 for this service.
19
20. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
The city has also innovated an ap- support is provided. CHALLENGE: BLURRING
plication store where work-related -
productivity applications can be neapolis app store include:
LINES BETWEEN
found. The applications are avail- PERSONAL AND PRIVATE
able with the premiere service, and -
enable users to access and manipu- ware to connect to the City net- The lines between personal and pri-
late documents. work vate lives have progressively blurred
as technology has evolved. Imple-
This approach to application man- to the City network, this tool fa- menting a BYOD policy allows em-
agement provides several advan- cilitates browsing drives ployees to access their work from
tages. The applications employees any location. While this can be lib-
utilize to access the network and and edit .pdf documents erating for some, it also means that
manipulate documents are provid- unanswered work emails and voice
ed by the city, which allows for ad- office productivity tool mails, uncompleted tasks and to-do
ditional data security. lists, and unfinished documents are
With this range of applications, readily available. As employees are
This also simplifies tech support by iPads have the same utility as a bringing their own devices home
selecting the best applications for desktop computer or laptop. Ex- as well, with BYOD it is no longer
each process. Establishing software panding this model to support all possible to physically leave work at
support parameters is also clear- tablets will increase the appeal and work.
er – if an application is available effectiveness of their BYOD poli-
through the City app store, user cy. (Source Interview)
20
21. A RESEARCH REPORT FROM GOVLOOP AND CISCO
GOVLOOP RESOURCES
How Do You Retain Security With BYOD?
BYOD and Beyond
EEOC Cuts Costs With BYOD Pilot Program
What Would You Put in a Bring Your Own Device Strategy
Trends on Tuesday: Smartphone Separation Anxiety
Since work is readily available, it is tions will benefit from establishing not during the organization’s hours
important to establish expectations clear expectations regarding work of operation.
and boundaries. Without an orga- hours. While 24/7 responsiveness
nization-wide approach, employ- can sound appealing in theory, in Best Practice: Lead By Example
ees may feel pressure to do more at practice this often leaves employees
home. feeling less satisfied with their work The best-intentioned organization
and less productive in the long run. can still fail to create an environ-
Having guidelines that accommo- ment that promotes work/life bal-
date a work/life balance is impor- Organizations can benefit from ance if leadership does not model
tant, but just as important is setting establishing a culture that values these behaviors. If managers are
an example from the top down. time off and respects the work/life texting and sending emails time-
balance of employees. Establishing stamped at 1:00 a.m., employees
Best Practice: Promote Work/ this kind of work culture involves may feel pressure to work around
Life Balance discouraging unnecessary after- the clock as well. For managers who
hours emails, phone calls, and text have adopted BYOD, it is impor-
Constantly having a device con- messages. Also, agencies should set tant to consider the impact your
nected to work may allow for great- reasonable expectations regarding work hours may have on organiza-
er responsiveness, but organiza- response time for communication tional culture.
21
22. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
OVERVIEW OF WHITE
HOUSE BYOD TOOLKIT
Recently, the White House an-
nounced a BYOD tool kit for gov-
ernment agencies. The report is an
important step to wider adoption of
bring-your-own-device policies in
government, and empowers leaders
in government to explore if BYOD
is feasible within their agency. The
report has a few excellent case stud-
ies related to BYOD and template
policies for BYOD implementa- lining key areas, providing strategic curity Reference Architecture that
tion. guidance, and identifying that there intends to inform agency consid-
is still a lot of work to be done. The erations on BYOD. Further, the
The case studies and policy exam- BYOD toolkit states: National Institute of Standards and
ples can be found below: Technology (NIST), is drafting
“Implementing a BYOD program is guidelines specifically for mobile.
Alcohol and Tobacco Tax and not mandatory. This document is in- The BYOD Toolkit states: “Guide-
Trade Bureau (TTB) Virtual Desk- tended to serve as a toolkit for agen-
top Impl... cies contemplating implementation
U.S. Equal Employment Op- of BYOD programs. The toolkit is Security and Privacy Controls for
portunity Commission (EEOC) not meant to be comprehensive, but Federal Information Systems and
BYOD Pilot rather provides key areas for con- Organizations; and Personal Iden-
State of Delaware BYOD Pro- sideration and examples of exist- tity Verification (PIV) of Federal
gram ing policies and best practices. In Employees and Contractors. Each
Sample #1: Policy and Guidelines addition to providing an overview of these documents should provide
of considerations for implementing further insight into issues associated
Dev... BYOD, the BYOD Working Group with the implementation of BYOD
Sample #2: Bring Your Own De- members developed a small collection solutions.”
vice – Policy and Rules of Behavior of case studies to highlight the suc-
cessful efforts of BYOD pilots or pro- One of the more compelling sec-
Technology Device Policy grams at several government agencies. tions of the report is when the au-
Sample #4: Wireless Communi- The Working Group also assembled thors identify the trends and busi-
cation Reimbursement Program examples of existing policies to help ness case for BYOD. The BYOD
Sample #5: Portable Wireless inform IT leaders who are planning working group identified several
Network Access Device Policy to develop BYOD programs for their characteristics. One of the first
organizations.” characteristics that the report men-
The BYOD toolkit is a great starting tions is “BYOD is about offering
point for government agencies. The The report also provides future choice.” The report states:
report does an excellent job of out- -
22
23. A RESEARCH REPORT FROM GOVLOOP AND CISCO
By embracing the consumerization kit. The report also acknowledges reasons for BYOD adoption, re-
of Information Technology (IT), that security is a key challenge for duce costs, increase efficiency/pro-
the government can address the BYOD initiatives. Stating: ductivity, adapt to workforce, and
personal preferences of its employ- improve user experience.
ees, offering them increased mobil- “Implementation of a BYOD pro-
ity and better integration of their gram presents agencies with a myri- The report also provides an exten-
personal and work lives. It also en- ad of security, policy, technical, and sive list of areas to approach while
legal challenges not only to internal considering a BYOD plan.
work in a way that optimizes their communications, but also to rela-
productivity. tionships and trust with business (Note: the report provides an even
and government partners.” deeper look at each of the bullet
There is an ongoing trend that points below, see complete list here)
people want to work on the devices Another interesting aspect of the
they desire and are most comfort- report is that the toolkit clearly
able with. This is an important identifies three high-level means of
development, people will be most implementing a BYOD program,
productive, effective and potential- virtualization, walled garden, lim- individuals
ly improved morale by working on ited separation. The report provides
devices they are most comfortable a brief description of each:
with.
A second characteristic is “BYOD access to computing resources so
can and should be cost-effective, that no data or corporate applica-
so a cost-benefit analysis is essential tion processing is stored or con-
as the policy is deployed.” The re- ducted on the personal device;
port is clear to identify that BYOD This is a great example of how the
presents a shift of costs to employ- corporate application processing Digital Government Strategy, and
ees. As less government devices are within a secure application on the the leadership and vision by Steve
deployed, more services are being personal device so that it is segre- VanRoekel, is helping to facilitate
accessed on personal devices, in gated from personal data; the improved use of technology in
which the user is responsible for government, to deliver improved
paying data fees. The report cites mingled corporate and personal services to Americans.
that this continues to be one of the data and/or application processing
challenges for BYOD. on the personal device with poli- I was super impressed with this re-
cies enacted to ensure minimum port. The report provides a fantastic
“Additionally, overall costs may security controls are still satisfied. roadmap for agencies to follow if
significantly increase for personnel they are considering BYOD.
who frequently communicate out- Especially important for BYOD is
side of the coverage area of their making the business case for imple- Although there are still some chal-
primary service provider and incur menting a BYOD program. The re- lenges to BYOD, this is a positive
roaming charges,” stated the tool- port identifies the commonly stated step in the right direction.
23
24. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
?
BYOD in Brief:
Expert Insights with
Cisco’s
David Graziano
David Graziano, Director, Security cies operate. Although the benefits organization create a simple user
and Unified Access, US Public Sec- are clear, there are numerous best experience. David states:
tor, Cisco, recently spoke with Pat practices that David highlighted for
Fiorenza of GovLoop on the state of agencies to consider. “You need to create a simple user
BYOD in the public sector. experience. This involves guest ac-
He advised that agencies must start cess and on-boarding, this means
David provided expert insights on by embracing BYOD, and accept potentially allowing people access
how to best manage, control and that BYOD is a trend that they who do not work for you and limit-
implement a BYOD program for a must act upon, “Embracing BYOD ing information they can access. If
public sector agency. is really important, because if they it is an employee, it is simple on-
don’t, then the agency is actually boarding, managing the user expe-
This guide addressed numerous moving away from technology rath- rience of getting on the network,
best practices and ways to overcome er than leveraging it to achieve their establishing and confirming their
common challenges for public sec- mission,” states Graziano. identity and authenticate who they
tor agencies looking to implement are and their device, just making
BYOD initiatives. Graziano’s in- Embracing BYOD is essential. this a very smooth process.”
sights provide further evidence that BYOD initiatives show a commit-
although challenges still remain for ment to becoming an innovative Clearly, the intent is not to limit ac-
BYOD, this is one of the most im- workplace and allowing people to cess or have challenges connecting
portant trends occurring in govern- work on the platform they desire. to a respective network. Although
ment. bringing in a tablet for work use can
“If you embrace BYOD and make aid in productivity, David is sure to
During the interview, David was it very easy for people to get on the address the importance of setting
clear to highlight the benefits of network and enforce policies to policy to protect government data.
BYOD, from optimizing business protect data, that is the best thing,”
lines to workforce productivity David keenly acknowledges. Once Graziano advises that the right kind
and morale; BYOD clearly has the BYOD is embraced by agencies, he of policy needs to be developed,
potential to transform how agen- advises that it is essential that the and that if necessary, the agency has
24
25. A RESEARCH REPORT FROM GOVLOOP AND CISCO
the right to delete all data on the trol, protecting government data, that,” stated David. Beyond opera-
device. limited access, and changing work tional and efficiency gains, BYOD
practices for new employees. The also may contribute to tackling the
Further, David advises the use of loss of control is absolutely one challenges to recruit and retain top
Next Generation Encryption in any of the most critical concerns with talent in government. BYOD has
BYOD initiative. Cara Sioman re- BYOD. Graziano states, “Typically the potential to shape how govern-
cently described Next Generation loss of control is related to policy, ment entities recruit the next gen-
Encryption in a Cisco blog post as: if you are going to let these things eration of public servants.
on your network, how do you pos-
“The next generation of encryption sibly control where they are allowed BYOD is becoming a necessity for
technologies meets the evolving needs to go, and what they are allowed to recruitment, as a new demographic
of agencies and enterprises by utiliz- do?” of employees enter the workforce;
ing modern, but well reviewed and entrants have expectations that in-
tested cryptographic algorithms and These are important considerations formation will be available at their
protocols. As an example, Elliptic to make while crafting a BYOD fingertips. “They have expectations
Curve Cryptography (ECC) is used in policy, and as David mentioned, that they are gong to be able to ac-
place of the more traditional Rivest- the importance of a well-crafted cess information on any device, any
Shamir-Adleman (RSA) algorithms. policy is essential to the success of time anywhere,” David states.
By upgrading these algorithms, NGE any government BYOD initiative.
cryptography prevents hackers from David provided some great insights
having a single low-point in the sys- Closely linked to the challenge of a on BYOD and how it is shaping
tem to exploit and efficiently scales to loss of control, is the need to pro- public sector entities. As the mo-
high data rates, while providing all of tect government data. David states, bile boom continues, and agencies
the security of the Advanced Encryp- “If you are going to allow people work towards delivering improved
tion Standard (AES) cipher.” access to data and in theory they services, BYOD initiatives will be
could pull it down, you run the risk critical to improve how government
Security and protecting govern- of losing that government data.” operates.
ment data is the preeminent con-
cern for any BYOD initiative, with Additionally, Graziano advises that David provided great insights how
the use of Next Generation Encryp- policies will differ for government BYOD is shaping the public sector.
tion, agencies can work to remain furnished devices and personal de- As the mobile boom continues, and
safe, and still implement a success- vices. “If the devices are govern- agencies work towards delivering
ful BYOD initiative. ment furnished, you can establish improved services, BYOD initia-
one set of policies, and if it is lit- tives will play a critical role trans-
David highlighted four core chal- erally BYOD, then you have to es- forming government operations
lenges for BYOD, the loss of con- tablish a different set of policies for and service delivery.
25
26. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
CONCLUSION
Government at all levels is looking to find new and innovative ways to save money, cut costs and deliver increased
services to citizens. As budgets continue to tighten, initiatives like BYOD become more and more appealing to
government agencies. Agencies must embrace new ways of thinking, and engage in new initiatives designed to
cut costs and increase efficiency. BYOD is only one part of the solution. As government problems and system
become more complex, so does the workplace. BYOD is one solution to help facilitate an increasingly mobile and
active workforce, allowing people to work when and how they want.
This report provided an overview of a recent survey and best practices to overcome common roadblocks to
BYOD. If you are interested in more information, be sure to visit GovLoop and connect with like-minded pro-
fessionals engaged in BYOD development. If you have any questions on this report or would like more informa-
tion, please reach out to Pat Fiorenza, GovLoop Research Analyst at pat@govloop.com.
26
27. A RESEARCH REPORT FROM GOVLOOP AND CISCO
TOP 5 NEXT
Steps for BYOD
at Your Agency
With BYOD, there are many ways to bring BYOD
into your agency. After reading through this report,
STEP 3: CRAFT INTERNAL POLICY FOR
here is the need to know information on next steps BYOD
to initiate a bring your own device strategy at your
agency. After you have met with key stakeholders and the
agency’s legal team, begin to craft the BYOD policy.
STEP 1: MEET WITH KEY STAKEHOLD- This guide has dozens of best practices and tips of
what should be included in the policy, but also be
ERS TO DEVELOPE PILOT PLAN sure to incorporate feedback from the legal team and
agency leaders.
At the very onset of developing your BYOD policy,
agency leads should sit down with key stakeholders
within the agency to discuss what a BYOD initiative STEP 4: ANNOUNCE PROGRAM TO EM-
looks like. Staff members from all functional areas PLOYEES
should be present, to provide input and feedback.
This will also help develop buy-in and create a unified Like with any program, announcing and selling the
vision for the agency’s BYOD program. program to employees is critical. If this program is a
pilot program, be careful how you select employees
STEP 2; MEET WITH LEGAL TEAM and develop a team.
After meeting with stakeholders, be sure to follow up STEP 5: ITERATE, REVIEW
and meet with the legal team to discuss the program
and be sure that all legal requirements have been met.
OUTCOMES,IMPROVE BYOD STRATEGY
BYOD is very new in government, and there is a lack
Once the program has been initiated, be sure to set
of legal precedent. Be sure to meet with legal advisors
up periodic check points with end users and adminis-
to mitigate legal risks.
trators so they can provide feedback on the program.
This information will be critical for the agency to
learn how to improve future BYOD initiatives, with
input coming from the core stakeholders.
27
28. EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR
ABOUT THE AUTHORS
Pat Fiorenza
GovLoop Research Analyst
Pat is currently a Research Analyst at GovLoop. Through the creation of blogs, research reports, guides, in-per-
son, and online events, Pat helps to identify and find best practices to share with the GovLoop community. Pat
at Syracuse University.
Lindsey Tepe
GovLoop Fellow
Lindsey is currently a Fellow at GovLoop. In this role, Lindsey assists with the development of content creation.
This includes writing of blogs, research reports and facilitating community engagement on GovLoop. Lindsey
Syracuse and is a former Teach for America Fellow.
Jeff Ribeira
GovLoop Content and Community Coordinator
Jeff is the Content and Community Coordinator at GovLoop and manages all creative and technical
development projects.
Vanessa Vogel
GovLoop Design Fellow
Vanessa is currently a Design Fellow at GovLoop. She recently graduated from Brigham Young University
with a Bachelors degree in Graphic Design.
28
29. A RESEARCH REPORT FROM GOVLOOP AND CISCO
Cisco is the worldwide leader in net-
working that transforms how Govern-
ment and Education connect, commu-
nicate, and collaborate. Since 1984,
Cisco has led in the innovation of IP-
based networking technologies, includ-
ing routing, switching, security, TelePres-
ence systems, unif ied communications,
video, and wireless. The company’s re-
sponsible business practices help en-
sure accountability, business sustain-
ability, and environmentally conscious
operations and products. Our technol-
ogy is changing the nature of work and
the way we serve, educate, and defend.
Helping government agencies maximize ef fectiveness in key areas:
· Cloud Computing
· Data Center Consolidation
· Cyber Security
· Mobile (Mobile Collaboration)
· Telework
· Bring Your Own Device
For more information, visit www.cisco.com/go/usgov
29