Mobile Devices: How to Safely Implement
a BYOD (Bring Your Own Device) Policy
Considerations for launching a mobility initiative in state and local governments
In
STRATEGIES
AND SOLUTIONS FOR LOCAL GOVERNMENT MANAGERS
VOLUME 45/NUMBER 5 2014
L
ocal government employees face enormous
demands on their time, which has prompted
a growing demand from employees for the use of
self-managed devices in the workplace. A “bring
your own device” (BYOD) policy eliminates the
need for employees to carry two devices: one
from work and a personal device. This means
local governments will need an organized
approach to managing these personal mobile
devices. The use of the BYOD in the workplace
also requires active monitoring and guidance by
knowledgeable staff.
This InFocus report outlines how local
governments can develop a mobile device
strategy to maximize efficiency while maintaining
internal standards for information controls and
information security. Local governments have
found many innovative ways to establish this
important strategy and empower their employees
to become more productive and responsive.
Mobile Devices: How to Safely Implement a BYOD (Bring Your Own Device) Policy
A mobile workforce
Employees of government entities are pushing their employers to allow the use of personal smartphones and tablets to retrieve work e-mail, create and edit work documents,
take meeting notes, and use text messaging, among other applications. Historically,
employees have carried two devices: one from work and a personal device. This recent
employee push presents an opportunity for government entities to save on the cost of
providing a work smartphone or tablet while empowering their employees to become
more efficient and responsive. Employees, at the same time, can use one device for both
personal purposes and work, and use the device that is both familiar and comfortable.
This paradigm is referred to as “bring your own device” (BYOD).
BYOD brings to the forefront two primary challenges:
1.How can governmental entities safely, securely, and intelligently deploy resources to
keep pace with the explosive demand for the use of employee-owned and employee
self-managed devices?
2.How will government entities address potential security and legal concerns when
employees direct their work voice calls and associated voicemail, e-mail, data, and
other information to their employee-owned smartphones or other devices; moving
government information away from the organizations protected network?
The development of a mobile device strategy addresses the above dilemma by
• Providing a complete BYOD structure to fulfill management’s desire to address the
organization’s overall information needs and the users’ demands.
• Defining what tools—software, hardware and operating system settings—are necessary to assure the availability, integrity, and confidentiality of the organization’s information technology (IT) assets.
• Developing guidance as to who within the organization can be included in BYOD and
for what uses.
• Providing clear guidelines on what devices (and operating systems, i.e., Apple IOS,
Android, or Windows 8) will be supported. Support of these devices must take into
consideration what technology skill sets are available to manage the support and
what the capacity limitations are of the existing data communications and any other
information systems.
• Preplanning the response procedures for when a device becomes lost, stolen, or
compromised.
The employee push for the use of personal smartphones and tablets at work is only
one component of the argument for BYOD. The benefits to the employer’s include:
Jeffrey S. Locketz, CPA, CITP, CISA, CISM, CGEIT, CRISC, CBCP, CRMA, CCIO, is
a partner in Lurie Besikof Lapidus & Company, LLP, Minneapolis, Minnesota, and
managing director of its LBL Technology Partners division. Jeff specializes in consulting
with government entities regarding management of information systems and internal
control structures. He frequently speaks to groups on information technology assurance,
information controls, information security and business continuity planning.
Iriana C. Arias-Chizek is an IT Audit and Consulting Manager in the LBL Technology
Partners division of Lurie Besikof Lapidus & Company, where she oversees IT assurance
and IT strategic planning engagements. She frequently consults with clients on
information controls and information security.
2
©2014 ICMA
Mobile Devices: How to Safely Implement a BYOD (Bring Your Own Device) Policy
1.Tight budgets won’t be burdened
with purchasing and refreshing
devices for employees. If organizations are already purchasing portable devices for their
employees, the reduction in
cost of employee devices and
monthly service fees will be
partially replaced by the costs
of employee reimbursements
and security infrastructure, and
the differential savings can be
repurposed.
2.Faster consumer mobile device
upgrade cycles. Employees tend
to upgrade to newer versions of
equipment faster than typical
government refresh cycles allow.
Therefore, employees will most
likely be using more up-to-date
equipment than would typically
be provided to them.
3.Learning curves are minimized.
As employees use equipment
that they are already familiar
with, this may relieve potential
support issues.
Global mobile data traffic
Consider these findings from a global mobile
data traffic study by Cisco Systems1. By the
end of 2012:
• Mobile data traffic was nearly 12 times the
size of all global Internet traffic in 2000
(885 petabytes per month vs. 75 petabytes
per month).
• Mobile data traffic grew 70 percent, and
mobile video traffic exceeded 50 percent, of
overall usage for the first time.
• The average data use per smartphone grew
81 percent (342 MB per month, up from 189
MB in 2011).
• The number of mobile-connected tablets
increased to 36 million, and each tablet
generated nearly 250 percent more mobile
data traffic than the average smartphone
(820 MB per month versus 342 MB).
• Finally, 161 million laptops logged into
mobile networks in 2012 with each one
generating seven times more traffic than
the average smartphone (2.5 GB per month
vs. 342 MB).
Gartner cites “mobile apps and applications” as number two in their “Top 10 Strategic Technology Trends for 2014.” These two ideas coupled together are a continuation of
the trend that has already been seen, where mobile apps are being developed at a much
faster pace than desktop applications. This prediction and trend, reinforces the fact that
employees are no longer deskbound, but rather heavily rely on their portable devices.
The challenge for government technology leaders is the knowledge that IT mobility via
BYOD is critically important, and the difficulty of securing and managing expanded virtual access from employee-owned and employee self-managed devices.
It’s our opinion that the ubiquity and convenience of personal mobile hardware,
combined with the demand by employees for integrated access, will compel more governments to develop and deploy mobile strategies.
Municipal mobile applications
What’s the primary driver for mobile app development? In a word: engagement. For the
public sector, it means providing an array of mobile apps that allow citizens to have instant
communication with government agencies. Consider some of the apps already in use:
• The city of Boston is testing Street Bump, a free smartphone app that will automatically detect and report potholes or other street repair issues to the city. The mobile
app was developed by Boston’s Office of New Urban Mechanics, and it combines a
phone’s global positioning system (GPS) with accelerometers to detect when a user’s
car has hit a pothole. The app then alerts the department of public works. If three
users report the same pothole, a repair crew is dispatched4.
3
©2014 ICMA
Mobile Devices: How to Safely Implement a BYOD (Bring Your Own Device) Policy
Management support for mobile devices
Mobility ranked fourth among the most recent Top 10 list of state CIO priorities2 reported
by the National Association of State Chief Information Officers (NASCIO). However,
according to an annual survey conducted by NASCIO3, the level of readiness to support
mobile devices and applications (let alone employee-owned devices) actually declined
by eight percentage points in the past two years (32 percent unprepared in 2012 versus
24 percent not ready in 2011). Fully half of all senior state government technology
officers polled said their approach to mobility management was either totally or mostly
fragmented.
• Two years after launching municipal Facebook and Twitter feeds, the city of Williamsburg, Virginia, rolled out CITY411—an official smartphone app that allows citizens
to submit a variety of nonemergency service requests from iPhone or Android-based
phones. The app allows residents to send text and audio messages as well as photos5.
• On the West Coast, San Francisco residents can now use a new mobile app called
UP2CODE to report and track nonemergency code enforcement and nuisance
issues. The app, developed by the city attorney’s office, works on both iPhone and
Android platforms, allowing citizens to report violations of local or state housing,
building, health, or safety codes6.
As mobile devices continue to populate the workspace, more government employees
are demanding seamless connectivity and continuous up-to-date information from their
employers. For example, a city planner working on a municipal project may use a mobile
device to review, upload, and approve blueprints, change orders, or other documents,
rather than waiting for hard copies to be physically delivered to the municipal office.
Despite the overall growth trend for mobile apps, which is typically most advanced
on the West Coast, Northeast and Upper Midwest IT leaders in more rural areas may
not dive into the apps race anytime soon. That’s because public demand may simply be
lower in those regions, meaning the benefit of new mobile apps may not offset development and implementation costs.
Creating a BYOD strategy
Having a strategy in place before the rollout of your organization’s BYOD initiative will
limit any confusion and mitigate resistance. Consider these steps:
1.Get stakeholders involved from the beginning. Form a committee to construct a business case for BYOD.
2.Build a business case for BYOD. The business case will justify the reasoning for initiating BYOD within the governmental entity. A well-constructed case contains such
information as costs, benefits, additional risks, and internal effort necessary to implement BYOD.
3.Formulate policies. The BYOD policy is important to address a variety of issues,
including:
✔✔ Which organizational applications can be used from the devices
✔✔ Classes of users allowed
✔✔ How data are to be secured on the devices
✔✔ Level of support expectations
4
©2014 ICMA