byod = bring your own device

BYOD

R e s e a r c h R e p o r t

EXPLORING BRING YOUR OWN DEVICE IN THE PUBLIC SECTOR

2

C O N T E N T S

About GovLoop 4 Executive Summary 5Summary of Survey Findings 6 Do You Have a BYOD Policy? 7 Should Your Agency Provide a Device for You? 8 Do You Use Your Personal Phone for Work? 9 How Important is Ease of Use and Functionality in Your Work Devices? 10 What Are the Bene!ts of BYOD? 10 Would BYOD Help to Recruit and Retain Employees? 12 What Are Your Roadblocks to Adoption? 12Challenges and Best Practices for Bring Your Own Device 13Challenge: Providing Employee Reimbursement 13Challenge: Maintaining Security in Diverse Network 14 Best Practice: Assess Network 15In Focus: How to Build Trust in Your Network 15Challenge: Anticipating Legal and Policy Challenges 16 Best Practice: Create Transparent Security Processes 17 Best Practice: Establish Ownership of Data – Silo Personal and Professional Data 17 Best Practice: Regulate User Applications 18 Best Practice: Provide Device Support Guidelines 19

A RESEARCH REPORT FROM GOVLOOP AND CISCO

3

In Focus: Minneapolis App Store 19Challenge: Blurring Lines Between Personal and Private 20 Best Practice: Promote Work / Life Balance 2 21GovLoop Resources 21Overview of White House BYOD Toolkit 22BYOD in Brief: Expert Insights with Cisco’s David Graziano 24Conclusion 26 Top 5 Next Steps for BYOD at Your Agency 27 Step 1: Meet With Key Stakeholders to Develop Pilot Plan 27 Step 2: Meet with Legal Team 27 Step 3: Craft Internal Policy for BYOD 27 Step 4: Announce Program to Employees 27 Step 5: Iterate, Review Outcomes, Improve BYOD Strategy 27About the Authors 28 Pat Fiorenza:GovLoop Research Analyst 28 Lindsey Tepe: GovLoop Fellow 28 Je" Ribeira: GovLoop Content and Community Coordinator 28 Vanessa Vogel: GovLoop Design Fellow 28

Best Practice: Lead By Example1


4

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public sector profes-sionals by serving as the knowledge network for government. GovLoop connects more than 60,000 members, fostering government collaboration, solving common problems and advancing government careers.

!e GovLoop community has been widely recognized across multiple sectors as a core resource for information sharing among public sector professionals. GovLoop members come from across the public sector; including federal, state, and local public servants, industry experts, as well as non-pro"t, association and academic partners. In brief, GovLoop is the leading online source for addressing public sector issues.

In addition to being an online community, GovLoop works with government experts and top industry partners to produce valuable resources and tools, such as guides, infographics, online training, educational events, and a daily podcast with Chris Dorobek, all to help public sector professionals do their jobs better.

GovLoop also promotes public service success stories in popular news sources like the Washington Post, Hu#-ington Post, Government Technology, and other industry publications. !ank you to our sponsor, Cisco, for sponsoring this research report.

Location

GovLoop is headquartered in Washington D.C., where a team of dedicated professionals share a common com-mitment to connect and improve government.

GovLoop734 15th St NW, Suite 500

Washington, DC 20005Phone: (202) 407-7421

Fax: (202) 407-7501

A B O U T G O V L O O P


5

For years, people have been using their own laptop, computer, or phone for work. Now, more than ever before, people desire to work on the device of their choice, anywhere and at any time. In this mobile en-vironment, public sector agencies are challenged to "nd new and innovative ways to connect employees across multiple devices.

With these new expectations, government agencies are challenged to manage multiple users, develop policies, and retain security in a versatile and diverse network. Additionally, public sector entities must provide the right IT infrastructure and support for numerous devices and operating systems.

!e GovLoop Research Report, Exploring Bring Your Own Device in Government, will provide expert in-sights from those in the trenches of BYOD policy. !is report also provides a summary of a recent survey conducted by GovLoop in 2012, administered to 103 members from the GovLoop community.

For this report GovLoop Research Analyst, Pat Fio-renza, recently spoke with Kimberly Hancher, Chief Information O$cer (CIO) at the U.S. Equal Employ-ment Opportunity Commission (EEOC) and David Graziano, Director, Security and Uni"ed Access, US

Public Sector at Cisco. Kimberly was one of the early adopters of BYOD in the federal government, her perspectives in this report provides insights on the evolution and challenges of BYOD programs in the federal government.

Kimberly states, “!e BYOD policy is our "rst to be issued and it will be revised as we evolve the program, we are currently in a beta pilot. We started out with rules of behavior, privacy, and expectations for people who bring their personally owned device.”

!is report is by no means a "nished project. It is our sincere hope that after reading this report, you will work to improve how BYOD operates in your agency, drive innovation in government, and share your newfound knowledge on GovLoop. In doing so, you will help facilitate knowledge sharing across the public sector, helping colleagues tackle similar BYOD challenges they are facing.

In today’s mobile environment, BYOD is becoming more and more a reality. Now is the time for agencies to embrace BYOD, and learn how to make BYOD work at their agency. “Stop talking and start doing it, you can talk about it forever, you just need to get started,” stated Kimberly.

E X E C U T I V E S U M M A R Y


6

!is section provides an overview and key "ndings from GovLoop’s online survey. !roughout the re-port we have addressed several of the key challenges of bring your own device initiatives identi"ed from the survey. !e GovLoop survey was conducted from June 8 to July 2, 2012, and had a total of 103 par-ticipants. !e survey was developed to explore com-mon trends regarding BYOD from the GovLoop community, with the goal of better understanding the common challenges and roadblocks for BYOD in the public sector.

Survey respondents were predominantly from the federal level of government (62%) with the rest of the respondents being closely divided between the state (18%) and local (20%) levels. Respondents repre-sented public sector entities across all levels of gov-ernment, and many di#erent kinds of municipalities across the United States, including City and County of Broom"eld, WA; City of Coral Gables, FL; the De-partments of Commerce, Energy, and Defense; and several other federal agencies or departments.

FEDERAL 62%

WHAT LEVEL OF GOVERNMENT DO

YOU WORK FOR??

LOCAL 20%

STATE 18%

S U M M A R Y O FS U R V E Y F I N D I N G S


7

!e survey questions asked respon-dents to answer several multiple-choice questions as well as rank statements on a scale of 1 to 5, with 5 representing the highest score and 1 representing the lowest.

D O Y O U H A V E A B Y O D P O L I C Y ?

Results indicate that the majority of respondents’ organizations do not currently have a BYOD policy (80%), while only 20% stated their agency currently has a policy.

When asked how desirable a BYOD policy is at their agency, 62% of re-spondents indicated that it would be desirable or extremely desirable. Of the remaining respondents, 17% selected 3, 12% selected 1, 5% selected 2; 5% responded that this question was not applicable.

YES 20%

DOES YOUR CURRENT ORGANIZATION HAVE A BRING YOUR OWN

DEVICE POLICY?NO 80%

2 5%

4 19%

NOT APPLICABLE 5%

1 12%

3 17%

5 43%

HOW DESIRABLE WOULD A BRING YOUR

OWN DEVICE POLICY BE FOR YOUR AGENCY?

Please use a 5-point scale, where 5 is Extremely Desirable and 1 is Not Desirable.


8

S H O U L D Y O U R A G E N C Y P R O V I D E A D E V I C E F O R Y O U ?

Respondents were asked if it is nec-essary for government to provide a device to employees. 56 percent of respondents said “Yes,” and 44 per-cent said, “No.”

Expanding upon their answers, par-ticipants who responded “yes” gave these speci"c reasons:

of government supplied IT equip-ment”

availability”

that could arise with bring your own device”

Below are some examples from re-spondents who do not believe gov-ernment should provide a device to employees:

use my personal device”

a device suitable for government work”

there should be a limit as to how much an employee must be asked to contribute”

2 14%

4 24%

NOT APPLICABLE 3%

1 9%

3 23%

5 27%

Please use a 5-point scale, where 5 is

Extremely Desirable and 1 is Not Desirable.

HOW IMPORTANT IS IT FOR AN ORGANIZATION TO PROVIDE YOU WITH

A DEVICE?

IS IT NECESSARY FOR GOVERNMENT TO PROVIDE A DEVICE FOR EMPLOYEES?

Additionally, respondents were asked to rank how important it is for their organization to provide de-vices to employees.

!e majority of participants (51%) responded with a 4 or 5. Of the re-maining respondents, 23% chose 3, 14% chose 2, 9% chose 1, and "nally, 3% indicated the question was not applicable.

44%

NO YES

56%


9

D O Y O U U S E Y O U R P E R S O N A L P H O N E F O R W O R K ?

Survey participants were asked how they use their personal phone for work purposes, with the op-tion to check all responses that apply and report additional uses.

Respondents indicated that they utilized their personal phones for email (41%); social networks

(21%); entering time, expenses and related business functions (13%); and reading and writing (30%).

!irty-three percent (33%) of re-spondents reported they do not use their personal phone for work functions. For those who reported additional uses, they listed phone

DO YOU USE YOUR PERSONAL PHONE FOR

WORK PURPOSES?

calls, occasional emails and texting, and receiving business-related noti-"cations from customer mobile ap-plications. !e same question was asked regarding tablets, with the majority of respondents stating they do not use their personal tablet for work. For those who do, the main reason was for reading and writing.

BYODYES- EMAIL YES- SOCIAL

NETWORKSYES- ENTERING TIME/EXPENSES/ RELATED BUSINESS FUNCTIONS

YES-READING & WRITING

NO OTHER

21%13%

41%

30% 33% 35%


10

3 5%

5 70%

NOT APPLICABLE 1%

4 24%

HOW IMPORTANT IS FUNCTIONALITY AND EASE OF USE OF DEVICE?

Please use a 5-point scale, where 5 is Extremely Important and 1 is Not Important.

H O W I M P O R T A N T I S E A S E O F U S E A N D F U N C T I O N -A L I T Y I N Y O U R W O R K D E V I C E S ?

When asked how important func-tionality is and the ease of use of de-vices, respondents overwhelmingly selected 5 (70%), followed distantly by 4 (24%) and 3 (6%).

W H A T A R E T H E B E N E F I T S O F B Y O D ?

When asked what the bene"ts of BYOD, respondents were able to select all that applied from cost sav-ings, allowing people to work on the most comfortable device, and improved productivity. Respon-dents were also provided the oppor-tunity to report additional bene"ts.

Of the provided responses, 71% believed that “allowing people to work on most comfortable device,” was the greatest bene"t, followed by improved productivity (58%), and cost savings (55%). Respon-dents submitted additional bene"ts such as not having to carry multiple devices, more modern equipment, facilitating telework, and improved usability.

!e survey also found other bene"ts for BYOD policies. For instance, the survey "nds that 79 percent of respondents believe that BYOD could have a positive impact on employee satisfaction, productivity and employee engagement.


11

Respondents elaborated on their answers by stating:

and satisfaction for those who have more current devices that they can use in lieu of the federally-provided equipment. !ose who do not will most likely be angrier at the change in policy and disparity in equip-ment”

to perform work wherever they wanted”

aids productivity”

-bility initiatives”

!e three core bene"ts, cost sav-ings, e$ciency and productivity are typically contested. !ere are

many ways to look at how BYOD can potentially save costs within an agency.

Our survey found that 55 percent of respondents believed cost sav-ing was a bene"t. Generally, cost savings can be found reduced de-vice costs, shared data plans, and increased productivity. By allowing employees to work on their desired platform, they will become more e$cient using the tools they know best. Employees may use a PC for

-sonal use. By allowing the employee to select which tool to use, they are able to work on systems they are most comfortable in.

Kimberly Hancher stated in an in-terview with GovLoop Research Analyst, Pat Fiorenza, “From an

employee standpoint, I think that smartphones and tablets have be-come an extension of an individ-ual’s personality and personal pro-ductivity.

One of the bene"ts is that if a per-son is very pro"cient on a device, they should take that pro"ciency into the workplace, rather than learning how to be minimally pro"-cient with the government provided device. I can’t overemphasize how important personal productivity is across the enterprise.”

Similar to e$ciency, by enabling employees to work on the tool they feel most comfortable with, em-ployees will be able to accomplish tasks quicker and easier since they

they are using.

WHAT ARE THE BENEFITS OF BRING YORU OWN DEVICE?

55%

COST SAVINGS ALLOW PEOPLE TO WORK ON MOST COMFORTABLE DEVICES

IMPROVED PRODUCTIVITY

OTHER

71%

58%

29.7%

29%


12

W H A T A R E Y O U R R O A D B L O C K S T O A D O P T I O N ?

Finally, when asked what the largest roadblocks to developing a BYOD policy were, respondents were able to select all that apply from the fol-lowing options: lack of organiza-tional support, no IT infrastructure support, or costs.

!e biggest roadblock was per-ceived to be lack of organizational support (57%), followed by no IT infrastructure to support multiple devices (55%) and costs (19%). Respondents also had the oppor-tunity to submit other roadblocks

or challenges for implementing BYOD. Respondents commonly stated “security” as a concern. Fur-ther, some respondents cited laws in their home states, in which any device used for work purposes be-comes part of the public record and subject to disclosure.

One respondent summed up these roadblocks by listing, “lack of pol-icy, no clear way to reimburse sta# for data plans on own devices, [and] inconsistent IT policies to support personal devices.”

44%

NO YES

56%

W O U L D B Y O D H E L P T O R E C R U I T A N D R E T A I N E M P L O Y E E S ?

When asked if they believed a BYOD policy could serve as a re-tention and recruitment tool, 56% of respondents said, “Yes.” and 44 percent said, “No.” Survey par-ticipants commented, “!is is too small an issue to make the di#erence if someone chooses to work here or not;” “It may appear that agencies are shifting costs to employees”; “!is is especially true for millen-nials and teleworkers”; “increased

that “It shows your o$ce is forward thinking, savvy, and e$cient.”

DO YOU BELIEVE THAT BRING YOUR OWN DEVICE CAN

SERVE AS A RETENTION AND RECRUITMENT TOOL?

WHAT IS THE LARGEST ROADBLOCK YOU HAVE SEEN TO IMPLEMENTING BRING YOUR OWN DEVICE WITHIN YOUR AGENCY/DEPARTMENT?

57%

LACK OF ORGANIZATIONAL SUPPORT

NO IT INFRASTRUC-TURE TO SUPPORT MULTIPLE DEVICES

COSTS OTHER

55%

19%

47%


13

Although there are many potential bene"ts to BYOD, there are also challenges to fully leverage these ben-e"ts. Guided by the results of the GovLoop survey, this section will serve as a roadmap to help you navi-gate through common challenges while considering implementing a BYOD policy.

C H A L L E N G E : P R O V I D I N G E M P L O Y E E R E I M B U R S E M E N T

One of the main cost drivers to provide a cell phone is the cost of data plans. Kimberly Hancher stated, “With government provided devices, the cost is voice and data. With regard to BYOD program, we are looking to reduce these government costs.”

As more and more agencies are looking to implement BYOD, decreasing costs is the core goal of the initia-tive. One of the areas of concern for BYOD is that by facilitating work on personal devices, the cost of data

coverage and related expenses has been shifted to the employee. If government employees are using their personal phone for work purposes, there should be an expectation that they are not personally incurring the cost of increased data usage from work related activi-ties.

Currently, the federal government has provided little direction on how best to reimburse government em-ployees for their mobile device. Kimberly stated, “I would love to be able to o#er some kind of reimburse-ment for business use for their personal device, but there is no precedent for that. !is should be done on a government wide scale, to help agencies understand how to provide a reimbursement to employees.”

-zick provides one insightful solution for employee reimbursement, “One way to address this issue is to look at other ways in which government reimburses its employees. For instance, many agencies already

C H A L L E N G E S A N D B E S TP r a c t i c e s f o r B r i n g

Y o u r O w n D e v i c e


14

reimburse or defray the cost of using public transportation for work-related travel. Could BYOD determine the average cost of an employee voice and data plan - both on the enterprise and personal levels - and include an allowance for employees to cover the cost of using their own device while reducing the agency’s expenses?”

Terry Hill also stated on GovLoop, “We could build on what many agencies already do for teleworkers and share the cost of services for phone, internet, and e-mail up to a maximum of $50 a month or so. !is is less than agencies are typi-cally paying just for the blackber-ries (about $70) a month, for a net savings of $20 per month per em-ployee. Additional savings would be in eliminating landline phones and Ethernet systems. I don’t think there is much risk in using personal smart phones for calls and for e-mail/internet. !at way, agencies would not feel they have to block access to sites and monitor usage. Agencies would focus on keeping their operational systems secure and would no longer have to worry about o$ce software upgrades.”

Ultimately, BYOD reimbursement is something an agency will have to develop, working closely with the legal team.

C H A L L E N G E : M A I N T A I N I N G S E C U R I T Y I N D I V E R S E N E T W O R K

With an increase in the number and variety of devices available to consumers, agencies with a BYOD policy are challenged to identify and retain security in a more diverse net-work. To manage the proliferation of personal devices being utilized for work functions, BYOD poli-cies have moved to the forefront for IT professionals. Users want seam-less access to corporate resources, no matter which device they use or where that device is connected. In addition, users are connected wire-lessly to numerous network devices; printers, fax machines, and copy machines that can be accessed from employees’ personal devices.

At the top of the list for the EEOC is retaining security. “Security is at the top of our list that is why we are still doing a pilot. We will con-tinue to pilot until we feel we have the appropriate level of security and

have a history of dealing with the appropriate risks.”

Cisco has many great resources and case studies addressing how to pro-vide security with a diverse network on their BYOD Smart Solution page. !e resources provide some best practices and strategies for get-ting started with BYOD.

As smartphones continue to be-come more commonplace, the use of a work phone and personal phone has become blurred. !e desire for a seamless work experience has led many to using phones for both per-sonal and work. With this phenom-ena happening, agencies need to train employees on the cybersecu-rity threats that can compromise an agency’s mission and educate them on how to protect themselves and the organization while using mul-tiple devices.

http://www.cisco.com/web/solutions/trends/byod_smart_solution/index.html


15

Best Practice: Assess Network

Government agencies should start by identifying what devices already access their network, as well as the rights, privileges, and the informa-tion of each device.

!is will provide valuable insights for the organization on what kind of information is readily available to network members, and how to pro-tect the most critical information.

Further, agencies should not show preference to certain devices and

-ible with di#erent makes and mod-els, as well as diverse platforms for devices.

Being agile also means agencies should have all the latest software installed to protect the network.

To properly assess the network, one strategy agencies can employ is to pro"le devices as they enter the network. By pro"ling devices on the network, agencies will be able to make better decisions on secu-rity, identify issues, and understand what protocols they need to make for certain devices accessibility.

I N F O C U S : H O W T O B U I L D T R U S T I N Y O U R N E T W O R K

Cisco published a fascinating white paper entitled, Cybersecurity: Build Trust, Visibility, and Resilience, that addresses security issues across the Internet, and what government leaders and IT sta# need to know in order to keep systems safe. !e report focuses on "ve areas:

of risks.

and visibility to assess risks.

when security incidents do occur .

trust, visibility, and resilience in the network.

Cybersecurity is often cited as one of the main concerns for organiza-tions, the Cisco report states:

“!e uses of multi-vector attacks are growing. Cyber criminals re-main intent on targeting legitimate websites, with strategically timed; multi-vector spam attacks in order to establish key loggers, back doors, and bots. Criminals plan their mal-ware to arrive unannounced and stay resident for long periods. Re-gardless of your market sector, the threat is growing.”

http://www.cisco.com/web/strategy/government/defense_cybersecurity.html



16

To address this concern the report pays particular focus to “trust,” which Cisco says is typically over-used in cyber security discussions but is a fundamental practice that needs to be established within an organization. Cisco asks pointed questions about trust, including:

network?

connected to your network?

exposed to unnecessary risks?Cisco then provides three steps to provide trust within your network:

-ment: Validating user and device identity at the system point of entry and maintaining a state of trust

Remediation: Identifying miscon-"guration and vulnerability so that corrective actions can occur to as-

sure policy compliance and risk re-duction

-sign and feature application com-bined with best practices to create a threat-resistant and risk-tolerant infrastructure

!is is an important white paper to view. By implementing a BYOD program, your agency is opening the door to more threats and needs to prepare by taking the proper se-curity precautions.

C H A L L E N G E : A N T I C I P A T I N G L E G A L A N D P O L I C Y C H A L L E N G E S

!ere are a handful of legal and policy challenges that arise from BYOD. For managers and execu-tives in government, the best place to start with BYOD is crafting your policy, and prior to publishing,

have a conversation with your agen-cies attorneys. Enabling employees to use their personal phone may open Pandora’s box for the legal team. Here are some questions you should be working through with agency attorneys:

lost equipment, and periodic main-tenance?

occur on devices?

equipment’s software?-

stalled on the device? If this is a per-sonal device, what kind of control does the employer have?

be banned from use? -

era to take photos or record video, when and where?

P A S S W O R D



17

policies, i.e., social media?

!e answers to some of these ques-tions may seem obvious, but ad-dressing them in your agency’s BYOD policy is necessary. While thinking through what works best for your agency, these best practices may guide your thinking.

Best Practice: Create Transpar-ent Security Processes

As most users have experienced, mobile devices are often lost or sto-len. For users on the go, therefore, the convenience of access to private information on personal devices re-quires additional security measures.

First, personal devices should have password settings enabled if they have access to work-related in-formation. Guidelines should be provided for password length. !e

simple password settings on many devices can easily be adjusted to accommodate more complex pass-words. Required length and charac-ter variety should be consistent with general user policy. Guidelines for the frequency of password changes should also be provided. Depend-ing on security needs, devices may also be equipped with biometric security. Although expensive, voice recognition or "ngerprint scans can be installed on smart devices.

devices to be equipped with re-mote wiping capability. As Kim-berly Hancher from the EEOC told Chris Dorobek on the DorobekI-NSIDER, “[the EEOC] enforce[s] password complexity and history [...], and we also have a policy where if a phone is lost or stolen, we have the ability to do a full wipe of the device.” Kimberly recommends that users back up their personal

and data "les in case the device is lost or stolen and a full wipe needs to be performed.

One of the key elements to having a transparent security policy is engag-ing key stakeholders from the very beginning of the process. In doing so, an organization will be able to gather feedback, understand needs; addresses concerns, and build sup-port for BYOD initiatives.

Kimberly Hancher stated, “Include key stakeholders, legal support, your HR group and your end users. I put together an advisory group of legal, HR, "nance, and also put together an end user group to give feedback of features and what their reactions are to security measures we set up, to make sure that BYOD is really usable.”

Best Practice: Establish Owner-ship of Data – Silo Personal and Professional Data

While the personal device may belong to the employee, they will not own all data on that device. To avoid potential ownership issues, it is important to establish ownership upfront, and make sure there is a clear process for removing agency data from the device that is di#er-


18

entiated for diverse circumstances. Likewise, a best practice is to “silo” personal and professional data.

Work information accessed and stored on a personal device clearly still belongs to the organization, not the individual. Personal devic-es are also used, however, to store music, photos and other personal data that is created or purchased by employees. !is combination of personal and private data can create issues in the event that a device is lost or stolen, if there is a security concern, or when an employee exits the organization.

One approach to dealing with the blurring of personal and private data is containerization. !is ap-proach to data management would enable users to compartmentalize personal and work data, utilizing virtual desktop infrastructure and cloud computing.

If data is separated along these lines, containerization of data can allow for a selective wipe to speci"cally target work-related information.

As Kimberly Hancher from the EEOC explained to Chris Dorobek on the DorobekINSIDER, “[!e EEOC is] experimenting during this phase of the pilot with some-thing we’re calling selective wipe which means that it removes only the business portion of the data from the device. So if, for example,

it is recovered, just the business data would have been eliminated.”

In the event that an individual leaves the organization, there should be a process laid out for wiping enter-prise information from that device. Agencies should carefully consider their policy for remote wiping in the event that an employee leaves unexpectedly.

Jerry Rhoads on GovLoop stated, “Technically speaking, the govern-ment should, in my opinion keep the biz side of the phone separate or “siloed out” from the “Angry Birds” part of the phone.” Jerry continued to provide more insights, stating,

-digm of managing the user/device and change to managing the user’s

at work, put the smart phone into “work” mode, when on a break or at home --switch to personal mode.”Best Practice: Regulate User Appli-cations

Best Practice: Regulate User Applications

!ere are a steadily increasing num-ber of applications available for us-ers of any device, and keeping up with these applications is a daunt-ing task. It is important for an agen-cy to think through their policy toward work-related and personal applications, as all device applica-tions may have an impact on net-

work security. !ere are three ways to mitigate this risk:

1) Employee Education

Helping users understand the data risks created by downloading and using questionable applications is the most e#ective method to man-age applications. While policies may set parameters for what types of applications users can download and forbid some outright, educat-ing employees about security risks will result in a higher level of com-pliance.

2) Application Store

To moderate what kinds of ap-plications users download, some agencies have set up an applica-tion store with company-approved applications. !is approach to ap-plication management allows agen-cies to choose speci"c work-related applications for employees to use, and can also be utilized to approve personal applications if an agency decides to strictly regulate personal apps.

3) Acceptable Use Agreements

Acceptable Use Agreements (AUA) for employees regarding social me-dia use. An organization’s BYOD policy for social media applications should be consistent with existing AUAs.


19

Best Practice: Provide Device Support Guidelines

With employees purchasing their own devices and service plans, it is necessary for organizations to decide whether or not they will provide service and support. Some company software may require in-house tech support, but issues with call service, reception, and connec-tion most likely should be left for service providers to address. Less technically savvy employees may be less inclined to use their own devic-es for work if they are aware of their responsibility for any problems or repairs.

Kimberly Hancher and the EEOC created two working documents to clarify how employees can use government commissioned phones and personal devices under BYOD, “Along with the BYOD rules of be-havior, we also created a separate

document for government owned mobile devices, to be able to dis-tinguish between two sets of rules if you are given a government owned device. We clearly outline what the expectations and the guidance that we give you, so that way people can see what the di#erences are.” !is is a great best practice to help clarify any uncertainty about what kind of support will be provided to employ-ees.

I N F O C U S : M I N N E A P O L I S A P P S T O R E

the way as early adopters and sup-porters of BYOD. !ey have inno-vated a unique approach to support Apple products.

While an ideal BYOD policy would support a variety of products, in-cluding Android devices, this exam-ple provides a possible framework

for BYOD services and support. (City Website Source)

!e city o#ers Apple users two ser-vice packages to accommodate the needs of users.

provides access to work email, cal-endar, tasks and contacts. !ere is no cost associated with the basic service, and is available to all em-ployees.

-vides access to work email, calendar, tasks and contacts, as well as access to VPN, CityTalk and City net-work drives and folders.

!e Premiere Service also o#ers ac-

Store, which o#ers work-related productivity apps and training ma-terial. !ere is a one-time enroll-ment fee of $100 for this service.

http://www.minneapolismn.gov/news/employees/WCMS1P-084947


20

!e city has also innovated an ap-plication store where work-related productivity applications can be found. !e applications are avail-able with the premiere service, and enable users to access and manipu-late documents.

!is approach to application man-agement provides several advan-tages. !e applications employees utilize to access the network and manipulate documents are provid-ed by the city, which allows for ad-ditional data security.

!is also simpli"es tech support by selecting the best applications for each process. Establishing software support parameters is also clear-er – if an application is available through the City app store, user

support is provided. -

neapolis app store include:

-ware to connect to the City net-work

to the City network, this tool fa-cilitates browsing drives

and edit .pdf documents

o$ce productivity tool

With this range of applications, iPads have the same utility as a desktop computer or laptop. Ex-panding this model to support all tablets will increase the appeal and e#ectiveness of their BYOD poli-cy. (Source Interview)

C H A L L E N G E : B L U R R I N G L I N E S B E T W E E N P E R S O N A L A N D P R I V A T E

!e lines between personal and pri-vate lives have progressively blurred as technology has evolved. Imple-menting a BYOD policy allows em-ployees to access their work from any location. While this can be lib-erating for some, it also means that unanswered work emails and voice mails, uncompleted tasks and to-do lists, and un"nished documents are readily available. As employees are bringing their own devices home as well, with BYOD it is no longer possible to physically leave work at work.

http://www.governing.com/topics/technology/col-In-Minneapolis-BYOD-is-Better.html


21

Since work is readily available, it is important to establish expectations and boundaries. Without an orga-nization-wide approach, employ-ees may feel pressure to do more at home.

Having guidelines that accommo-date a work/life balance is impor-tant, but just as important is setting an example from the top down. Best Practice: Promote Work/Life Balance

Constantly having a device con-nected to work may allow for great-er responsiveness, but organiza-

tions will bene"t from establishing clear expectations regarding work hours. While 24/7 responsiveness can sound appealing in theory, in practice this often leaves employees feeling less satis"ed with their work and less productive in the long run.

Organizations can bene"t from establishing a culture that values time o# and respects the work/life balance of employees. Establishing this kind of work culture involves discouraging unnecessary after-hours emails, phone calls, and text messages. Also, agencies should set reasonable expectations regarding response time for communication

not during the organization’s hours of operation.

Best Practice: Lead By Example

!e best-intentioned organization can still fail to create an environ-ment that promotes work/life bal-ance if leadership does not model these behaviors. If managers are texting and sending emails time-stamped at 1:00 a.m., employees may feel pressure to work around the clock as well. For managers who have adopted BYOD, it is impor-tant to consider the impact your work hours may have on organiza-tional culture.

G O V L O O P R E S O U R C E SHow Do You Retain Security With BYOD?BYOD and BeyondEEOC Cuts Costs With BYOD Pilot ProgramWhat Would You Put in a Bring Your Own Device Strategy

Trends on Tuesday: Smartphone Separation Anxiety

http://www.govloop.com/profiles/blogs/how-do-you-retain-security-with-byod

http://www.govloop.com/profiles/blogs/do-you-byod

http://www.govloop.com/profiles/blogs/eeoc-cuts-costs-with-byod-pilot-program

http://www.govloop.com/forum/topics/what-would-you-put-in-a-bring-your-own-device-strategy

http://www.govloop.com/profiles/blogs/trends-on-tuesday-great-american-smartphone-mirgration

http://www.govloop.com/profiles/blogs/trends-on-tuesday-smartphone-separation-anxiety


22

O V E R V I E W O F W H I T E H O U S E B Y O D T O O L K I T

Recently, the White House an-nounced a BYOD tool kit for gov-ernment agencies. !e report is an important step to wider adoption of bring-your-own-device policies in government, and empowers leaders in government to explore if BYOD is feasible within their agency. !e report has a few excellent case stud-ies related to BYOD and template policies for BYOD implementa-tion.

!e case studies and policy exam-ples can be found below:

Alcohol and Tobacco Tax and Trade Bureau (TTB) Virtual Desk-top Impl...

U.S. Equal Employment Op-portunity Commission (EEOC) BYOD Pilot

State of Delaware BYOD Pro-gram

Sample #1: Policy and Guidelines

Dev...Sample #2: Bring Your Own De-

vice – Policy and Rules of Behavior

Technology Device PolicySample #4: Wireless Communi-

cation Reimbursement ProgramSample #5: Portable Wireless

Network Access Device Policy

!e BYOD toolkit is a great starting point for government agencies. !e report does an excellent job of out-

lining key areas, providing strategic guidance, and identifying that there is still a lot of work to be done. !e BYOD toolkit states:

“Implementing a BYOD program is not mandatory. #is document is in-tended to serve as a toolkit for agen-cies contemplating implementation of BYOD programs. #e toolkit is not meant to be comprehensive, but rather provides key areas for con-sideration and examples of exist-ing policies and best practices. In addition to providing an overview of considerations for implementing BYOD, the BYOD Working Group members developed a small collection of case studies to highlight the suc-cessful e"orts of BYOD pilots or pro-grams at several government agencies. #e Working Group also assembled examples of existing policies to help inform IT leaders who are planning to develop BYOD programs for their organizations.”

!e report also provides future -

curity Reference Architecture that intends to inform agency consid-erations on BYOD. Further, the National Institute of Standards and Technology (NIST), is drafting guidelines speci"cally for mobile. !e BYOD Toolkit states: “Guide-

Security and Privacy Controls for Federal Information Systems and Organizations; and Personal Iden-tity Veri"cation (PIV) of Federal Employees and Contractors. Each of these documents should provide further insight into issues associated with the implementation of BYOD solutions.”

One of the more compelling sec-tions of the report is when the au-thors identify the trends and busi-ness case for BYOD. !e BYOD working group identi"ed several characteristics. One of the "rst characteristics that the report men-tions is “BYOD is about o#ering choice.” !e report states:

http://www.whitehouse.gov/digitalgov/bring-your-own-device























http://www.nist.gov/index.html

http://www.nist.gov/index.html



23

By embracing the consumerization of Information Technology (IT), the government can address the personal preferences of its employ-ees, o#ering them increased mobil-ity and better integration of their personal and work lives. It also en-

work in a way that optimizes their productivity.

!ere is an ongoing trend that people want to work on the devices they desire and are most comfort-able with. !is is an important development, people will be most productive, e#ective and potential-ly improved morale by working on devices they are most comfortable with.

A second characteristic is “BYOD can and should be cost-e#ective, so a cost-bene"t analysis is essential as the policy is deployed.” !e re-port is clear to identify that BYOD presents a shift of costs to employ-ees. As less government devices are deployed, more services are being accessed on personal devices, in which the user is responsible for paying data fees. !e report cites that this continues to be one of the challenges for BYOD.

“Additionally, overall costs may signi"cantly increase for personnel who frequently communicate out-side of the coverage area of their primary service provider and incur roaming charges,” stated the tool-

kit. !e report also acknowledges that security is a key challenge for BYOD initiatives. Stating:

“Implementation of a BYOD pro-gram presents agencies with a myri-ad of security, policy, technical, and legal challenges not only to internal communications, but also to rela-tionships and trust with business and government partners.”

Another interesting aspect of the report is that the toolkit clearly identi"es three high-level means of implementing a BYOD program, virtualization, walled garden, lim-ited separation. !e report provides a brief description of each:

access to computing resources so that no data or corporate applica-tion processing is stored or con-ducted on the personal device;

corporate application processing within a secure application on the personal device so that it is segre-gated from personal data;

mingled corporate and personal data and/or application processing on the personal device with poli-cies enacted to ensure minimum security controls are still satis"ed.

Especially important for BYOD is making the business case for imple-menting a BYOD program. !e re-port identi"es the commonly stated

reasons for BYOD adoption, re-duce costs, increase e$ciency/pro-ductivity, adapt to workforce, and improve user experience.

!e report also provides an exten-sive list of areas to approach while considering a BYOD plan.

(Note: the report provides an even deeper look at each of the bullet points below, see complete list here)

individuals

!is is a great example of how the Digital Government Strategy, and the leadership and vision by Steve VanRoekel, is helping to facilitate the improved use of technology in government, to deliver improved services to Americans.

I was super impressed with this re-port. !e report provides a fantastic roadmap for agencies to follow if they are considering BYOD.

Although there are still some chal-lenges to BYOD, this is a positive step in the right direction.


24

David Graziano, Director, Security and Uni"ed Access, US Public Sec-tor, Cisco, recently spoke with Pat Fiorenza of GovLoop on the state of BYOD in the public sector.

David provided expert insights on how to best manage, control and implement a BYOD program for a public sector agency.

!is guide addressed numerous best practices and ways to overcome common challenges for public sec-tor agencies looking to implement BYOD initiatives. Graziano’s in-sights provide further evidence that although challenges still remain for BYOD, this is one of the most im-portant trends occurring in govern-ment.

During the interview, David was clear to highlight the bene"ts of BYOD, from optimizing business lines to workforce productivity and morale; BYOD clearly has the potential to transform how agen-

cies operate. Although the bene"ts are clear, there are numerous best practices that David highlighted for agencies to consider.

He advised that agencies must start by embracing BYOD, and accept that BYOD is a trend that they must act upon, “Embracing BYOD is really important, because if they don’t, then the agency is actually moving away from technology rath-er than leveraging it to achieve their mission,” states Graziano.

Embracing BYOD is essential. BYOD initiatives show a commit-ment to becoming an innovative workplace and allowing people to work on the platform they desire.

“If you embrace BYOD and make it very easy for people to get on the network and enforce policies to protect data, that is the best thing,” David keenly acknowledges. Once BYOD is embraced by agencies, he advises that it is essential that the

organization create a simple user experience. David states:

“You need to create a simple user experience. !is involves guest ac-cess and on-boarding, this means potentially allowing people access who do not work for you and limit-ing information they can access. If it is an employee, it is simple on-boarding, managing the user expe-rience of getting on the network, establishing and con"rming their identity and authenticate who they are and their device, just making this a very smooth process.”

Clearly, the intent is not to limit ac-cess or have challenges connecting to a respective network. Although bringing in a tablet for work use can aid in productivity, David is sure to address the importance of setting policy to protect government data.

Graziano advises that the right kind of policy needs to be developed, and that if necessary, the agency has

B Y O D i n B r i e f : E x p e r t I n s i g h t s w i t h

C i s c o ’ s D a v i d G r a z i a n o

?


25

the right to delete all data on the device.

Further, David advises the use of Next Generation Encryption in any BYOD initiative. Cara Sioman re-cently described Next Generation Encryption in a Cisco blog post as:

“#e next generation of encryption technologies meets the evolving needs of agencies and enterprises by utiliz-ing modern, but well reviewed and tested cryptographic algorithms and protocols. As an example, Elliptic Curve Cryptography (ECC) is used in place of the more traditional Rivest-Shamir-Adleman (RSA) algorithms. By upgrading these algorithms, NGE cryptography prevents hackers from having a single low-point in the sys-tem to exploit and e$ciently scales to high data rates, while providing all of the security of the Advanced Encryp-tion Standard (AES) cipher.”

Security and protecting govern-ment data is the preeminent con-cern for any BYOD initiative, with the use of Next Generation Encryp-tion, agencies can work to remain safe, and still implement a success-ful BYOD initiative.

David highlighted four core chal-lenges for BYOD, the loss of con-

trol, protecting government data, limited access, and changing work practices for new employees. !e loss of control is absolutely one of the most critical concerns with BYOD. Graziano states, “Typically loss of control is related to policy, if you are going to let these things on your network, how do you pos-sibly control where they are allowed to go, and what they are allowed to do?”

!ese are important considerations to make while crafting a BYOD policy, and as David mentioned, the importance of a well-crafted policy is essential to the success of any government BYOD initiative.

Closely linked to the challenge of a loss of control, is the need to pro-tect government data. David states, “If you are going to allow people access to data and in theory they could pull it down, you run the risk of losing that government data.”

Additionally, Graziano advises that policies will di#er for government furnished devices and personal de-vices. “If the devices are govern-ment furnished, you can establish one set of policies, and if it is lit-erally BYOD, then you have to es-tablish a di#erent set of policies for

that,” stated David. Beyond opera-tional and e$ciency gains, BYOD also may contribute to tackling the challenges to recruit and retain top talent in government. BYOD has the potential to shape how govern-ment entities recruit the next gen-eration of public servants.

BYOD is becoming a necessity for recruitment, as a new demographic of employees enter the workforce; entrants have expectations that in-formation will be available at their "ngertips. “!ey have expectations that they are gong to be able to ac-cess information on any device, any time anywhere,” David states.

David provided some great insights on BYOD and how it is shaping public sector entities. As the mo-bile boom continues, and agencies work towards delivering improved services, BYOD initiatives will be critical to improve how government operates.

David provided great insights how BYOD is shaping the public sector. As the mobile boom continues, and agencies work towards delivering improved services, BYOD initia-tives will play a critical role trans-forming government operations and service delivery.


26

C O N C L U S I O N

Government at all levels is looking to "nd new and innovative ways to save money, cut costs and deliver increased services to citizens. As budgets continue to tighten, initiatives like BYOD become more and more appealing to government agencies. Agencies must embrace new ways of thinking, and engage in new initiatives designed to cut costs and increase e$ciency. BYOD is only one part of the solution. As government problems and system become more complex, so does the workplace. BYOD is one solution to help facilitate an increasingly mobile and active workforce, allowing people to work when and how they want.

!is report provided an overview of a recent survey and best practices to overcome common roadblocks to BYOD. If you are interested in more information, be sure to visit GovLoop and connect with like-minded pro-fessionals engaged in BYOD development. If you have any questions on this report or would like more informa-tion, please reach out to Pat Fiorenza, GovLoop Research Analyst at [email protected].


27

T O P 5 N E X T

With BYOD, there are many ways to bring BYOD into your agency. After reading through this report, here is the need to know information on next steps to initiate a bring your own device strategy at your agency.

S T E P 1 : M E E T W I T H K E Y S T A K E H O L D -E R S T O D E V E L O P E P I L O T P L A N

At the very onset of developing your BYOD policy, agency leads should sit down with key stakeholders within the agency to discuss what a BYOD initiative looks like. Sta# members from all functional areas should be present, to provide input and feedback. !is will also help develop buy-in and create a uni"ed vision for the agency’s BYOD program.

S T E P 2 ; M E E T W I T H L E G A L T E A M

After meeting with stakeholders, be sure to follow up and meet with the legal team to discuss the program and be sure that all legal requirements have been met. BYOD is very new in government, and there is a lack of legal precedent. Be sure to meet with legal advisors to mitigate legal risks.

S T E P 3 : C R A F T I N T E R N A L P O L I C Y F O R B Y O D

After you have met with key stakeholders and the agency’s legal team, begin to craft the BYOD policy. !is guide has dozens of best practices and tips of what should be included in the policy, but also be sure to incorporate feedback from the legal team and agency leaders.

S T E P 4 : A N N O U N C E P R O G R A M T O E M -P L O Y E E S

Like with any program, announcing and selling the program to employees is critical. If this program is a pilot program, be careful how you select employees and develop a team.

S T E P 5 : I T E R A T E , R E V I E W O U T C O M E S , I M P R O V E B Y O D S T R A T E G Y

Once the program has been initiated, be sure to set up periodic check points with end users and adminis-trators so they can provide feedback on the program. !is information will be critical for the agency to learn how to improve future BYOD initiatives, with input coming from the core stakeholders.

S t e p s f o r B Y O D a t Y o u r A g e n c y


28

A B O U T T H E A U T H O R S

Pat Fiorenza GovLoop Research Analyst

Pat is currently a Research Analyst at GovLoop. !rough the creation of blogs, research reports, guides, in-per-son, and online events, Pat helps to identify and "nd best practices to share with the GovLoop community. Pat

at Syracuse University.

Lindsey TepeGovLoop Fellow

Lindsey is currently a Fellow at GovLoop. In this role, Lindsey assists with the development of content creation. !is includes writing of blogs, research reports and facilitating community engagement on GovLoop. Lindsey

Syracuse and is a former Teach for America Fellow.

Je! RibeiraGovLoop Content and Community Coordinator

Je# is the Content and Community Coordinator at GovLoop and manages all creative and technical development projects.

Vanessa VogelGovLoop Design Fellow

Vanessa is currently a Design Fellow at GovLoop. She recently graduated from Brigham Young University with a Bachelors degree in Graphic Design.


29

Helping government agencies maximize ef fectiveness in key areas:

· Cloud Computing

· Data Center Consolidation

· Cyber Security

· Mobile (Mobile Collaboration)

· Telework

· Bring Your Own Device

Cisco is the worldwide leader in net-

working that transforms how Govern-

ment and Education connect, commu-

nicate, and collaborate. Since 1984,

Cisco has led in the innovation of IP-

based networking technologies, includ-

ing routing, switching, security, TelePres-

ence systems, unif ied communications,

video, and wireless. The company’s re-

sponsible business practices help en-

sure accountability, business sustain-

ability, and environmentally conscious

operations and products. Our technol-

ogy is changing the nature of work and

the way we serve, educate, and defend.

For more information, visit www.cisco.com/go/usgov

http://www.cisco.com/web/solutions/trends/byod_smart_solution/index.html


http://www.minneapolismn.gov/news/employees/WCMS1P-084947

http://www.governing.com/topics/technology/col-In-Minneapolis-BYOD-is-Better.html

byod = bring your own device

Documents

govloop community

govloop fellow

govloop members

govloop content

public sector professionals

public sector agencies

public sector issues

public sector includingfederal