Description
Bring Your Own Device (BYOD) programs are initiated with the expectation of reduced costs for the company. In many situations, such reductions are not realized due to hidden or unexpected costs associated with the program.
Explanation & Answer
Introduction:
The Digital Government Strategy (the Strategy), issued by Federal Chief Information Officer (CIO) Steven VanRoekel on May 23, 2012, called for the creation of a Digital Services Advisory Group (Advisory Group) to promote interagency sharing and accelerated adoption of mobile workforce solutions and best practices in the development and delivery of digital services. Milestone Action #3.3 of the Strategy requires the Advisory Group to work with the Federal CIO Council (CIOC) to develop government-wide bring your own device (BYOD) [1] guidance based on lessons learned from successful BYOD programs launched at forward-leaning agencies. Through the BYOD Working Group, the Advisory Group and the CIOC produced this document to meet the requirements of Milestone Action #3.3.
The implementation of a BYOD program is not mandatory. This document is intended to serve as a tool for organizations contemplating implementing BYOD programs. The guide is not meant to be exhaustive, but rather provides key areas for consideration and examples of existing policies and best practices. In addition to providing an overview of the considerations for implementing BYOD, members of the BYOD Working Group developed a small collection of case studies to highlight the successful efforts of BYOD pilots or programs at various government agencies. The Working Group also assembled examples of existing policies to help inform IT leaders who are planning to develop BYOD programs for their organizations.
Future Digital Government Strategy deliverables, such as the Mobile Security Reference Architecture encompassed by Milestone Action #9.1, will also inform agency considerations on BYOD. The National Institute of Standards and Technology (NIST) is also developing several standards and guidelines focused on mobility, including: Guidelines for Managing and Securing Mobile Devices in the Enterprise [2]; Security and Privacy Controls for Federal Information Systems and Organizations; and Personal Identity Verification (PIV) of Federal Employees and Contractors. Each of these documents should provide more information on issues related to the implementation of BYOD solutions.
While the case studies and example policies that the BYOD Working Group has assembled are a great starting point for agencies considering BYOD programs, this work is not finished. The Federal Government still has much to do to solve the most complex problems related to BYOD. This includes how the government can reimburse Federal employees for voice/data expenses incurred when using their personal mobile devices rather than government-issued mobile devices, and additional security, privacy, and legal considerations, including supply chain risk management and legal discovery.
Key Considerations:
The implementation of BYOD must be an iterative process: BYOD support for commodity enterprise technologies like email and collaboration systems can lay the groundwork for expansion into more diverse, mission-specific applications and a broader scope of enterprise offerings. BYOD can be facilitated through native device applications, downloaded or installable applications, or even a web browser. The public and private sector entities that have adopted BYOD solutions report that allowing employees to use their personal mobile devices to access company resources often results in increased employee productivity and job satisfaction. From the Federal information security perspective, devices must be configured and managed with information security controls commensurate with the sensitivity of the underlying data as part of an overall risk management framework.
The BYOD Working Group observed additional characteristics of this growing trend:
BYOD is about offering choice to customers. By embracing the consumerization of information technology (IT), the government can address the personal preferences of its employees, offering them greater mobility and better integration of their personal and work lives. It also allows employees the flexibility to work in a way that optimizes their productivity.
BYOD can and should be cost-effective, so a cost-benefit analysis is essential as the policy is implemented. Such a cost-benefit analysis must take into account both possible increases in employee productivity and potential changes in costs. For example, providing employees access to government services on their personal devices should help reduce the number of government-provided devices and the life-cycle asset management costs associated with these devices. BYOD programs may, however, require government reimbursement for voice/data expenses incurred when employees use their personal mobile devices rather than government-issued mobile devices, as well as additional enterprise infrastructure costs for supporting BYOD users. In addition, overall costs can increase significantly for staff who often communicate outside the coverage area of their primary service provider and incur roaming charges.
Implementing a BYOD program presents agencies with a myriad of security, policy, technical, and legal challenges, not only to internal communications but also to relationships and trust with business and government partners. The magnitude of the problems is a function of both the sensitivity of the underlying data and the amount of data processing and storage allowed on the personal device under the technical approach adopted. Generally speaking, there are three high-level means of implementing a BYOD program:
Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device;
Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data;
Limited separation: Allow comingled corporate and personal data and/or application processing on the personal device, with policies enacted to ensure minimum security controls are still satisfied.
The growing trend of BYOD shows that we as IT leaders have changed the way we adopt technology. Gone are the days of long projects that address every demand. We now integrate new technologies in a rapid, iterative, agile, interoperable, and secure manner to meet the changing needs of the market and customers. Device agnosticism is more important than ever. Our software, hardware, and applications must be supported across common systems and personal devices. Our information security controls must also be consistent with existing legislation and standards to ensure confidentiality, integrity, and availability. [3] Because of these and other considerations, BYOD is not necessarily a good choice for all government agencies: it has to fit the agency's environment, support mission requirements, and meet the specific needs of staff.
The business case for implementing BYOD programs varies from one agency to another, but often involves the following drivers: reduce costs, increase program productivity and effectiveness, adapt to a changing workforce, and improve the user experience. Below is a list of points to consider when determining whether a BYOD program is right for your agency and its staff. The list, which is by no means exhaustive, includes policy and process considerations for Chief Information Officers, Chief Technology Officers, Chief Information Security Officers, Chief Human Capital Officers, Chief Financial Officers, Chief Acquisition Officers, and others.
Technical approach:
Virtualization
Walled garden
Limited separation
Roles and responsibilities:
Agency
User
Help/service desk(s)
Carrier technical support
Incentives for government and individuals:
Survey employees on benefits and challenges
Consider voluntary vs. mandatory participation in the BYOD program and the impact on terms of service
Education, use and operation:
Establish orientation, training, and user agreements
Establish associated policies in collaboration with the union representative
Ensure compliance with Fair Labor Standards Act (FLSA) requirements (e.g., institute policies to ensure non-exempt employees do not carry out work after hours unless directly authorized/trained)
Consider the impact of the connectivity and data plan requirements of the chosen technical approach (e.g., virtualization) on employee reimbursement
Apply telework agreements consistent with the Telework Enhancement Act and OMB implementation requirements
Security:
Assess and document risks in:
Information security (operating system compromise due to malware, device misuse, and information spillover risks)
Operations security (personal devices may disclose information about a user when performing specific activities in certain environments)
Transmission security (safeguards to mitigate interception of transmissions)
Ensure consistency with government-wide standards for the processing and storage of Federal information
Assess data security with BYOD versus the devices being replaced
Securely architect systems for interoperability (government data vs. personal data)
Privacy:
Identify the right balance between personal privacy and organizational security
Document the process for employees to protect personal data if/when the government wipes the device
Ethical / legal questions:
Define "acceptable use" from both the government and the individual perspective
Address legal discovery (including confiscation rights) and liability issues (e.g., through predefined opt-in requirements in the terms of service)
Consider implications for equal employment rights (e.g., disparity in the quality of personal devices)
Service provider(s):
Identify companies that could offer discounts to government employees
Evaluate opportunities to leverage the Federal Strategic Sourcing Initiative
Assess the tax implications of reimbursement
Devices and applications (apps):
Identify permitted and supported devices to prevent the introduction of malicious hardware and firmware
Define content applications that are required, permitted, or prohibited, and consider the use of mobile device management (MDM) and mobile application management (MAM) systems to enforce company policies [4]
Adopt existing application development best practices to support device agnosticism and data portability across platforms
Address application compatibility issues (e.g., accidental sharing of sensitive information due to differences in information display between platforms)
Recommend an approach for storing content (cloud vs. device)
Clarify the ownership of applications and data
Asset management:
Disposal of the device if it is replaced, lost, stolen, or sold, or if employment is terminated (government information must be removed before disposal)
Reporting and tracking of lost/stolen personal devices
Replacement of lost personal devices if the employee decides not to replace them with personal funds
Funding for operation and maintenance
Case Studies
In the right environment, BYOD programs can be a huge success. The members of the BYOD Working Group developed a small collection of case studies that highlight the successful implementation of a BYOD pilot or program at a government agency. These studies include a brief synopsis outlining the specific challenges, approaches, and lessons learned from each. None of the BYOD programs discussed in these case studies involve the transmission of classified information. Agencies should consider the applicability of the technical and regulatory approaches discussed to their own environments.
The Department of the Treasury's Alcohol and Tobacco Tax and Trade Bureau (TTB) implemented a virtual desktop solution that allows BYOD with minimal policy or legal implications;
The Equal Employment Opportunity Commission (EEOC) was the first of several federal agencies to implement a BYOD pilot that allowed employees to "opt out" of the government-provided mobile device program and install third-party software on their own smartphones that enabled the use of their device for official work;
The State of Delaware launched an effort not only to embrace the concept of BYOD, but to realize significant cost savings by having employees turn in their State-owned device in favor of a personally owned device, which could save the State about half of its current wireless expenses.