Implementing BYOD Initiatives: 3 Case Studies

New Toolkit Reveals How 3 Organizations Approach BYOD
Implementing BYOD Initiatives: 3 Case Studies

The U.S. Equal Employment Opportunity Commission, facing a 15-percent cut to its 2012 IT operations budget, needed to eliminate expenses quickly, and saw an opportunity to pare costs by allowing employees to use their own smartphones rather than government-issued BlackBerry devices.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

A study on how EEOC employees used their government-issued mobile devices revealed that 75 percent of them never used them to make telephone calls; they were utilized mostly to check e-mail. "They either used the phone on their desk or they used their personal cell phone to make calls because it's just easier," EEOC Chief Information Officer Kimberly Hancher said. "People have them parked in their desk drawer, and the only time they use it is when they travel."

The commission's story along with those of the Alcohol and Tobacco Tax and Trade Bureau and State of Delaware regarding BYOD policies appear in a just-issued toolkit from the Federal Chief Information Officers Council entitled Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing BYOD Programs.

***
Also read Update: VA Mobile Device Rollout
***

Besides the three case studies, the toolkit details ways to implement and secure employee-owned mobile devices, including three high-level approaches for agencies to implement a secure, BYOD program:

    Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device.
    Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data.
    Limited separation: Allow comingled corporate and personal data and/or application processing on the personal device with policies enacted to ensure minimum security controls are still satisfied.

The stories related by the three CIOs about their governmental organizations adoption of BYOD programs show that budgetary concerns, not necessarily employees' demands, drive the mobile policies.

Equal Employment Opportunity Commission

In 2008, EEOC issued 100 BlackBerry devices; by 2011, that number had reached 550. By the end of 2011, nearly one-quarter of EEOC's workforce had government-issued smartphones, costing the commission $800,000 annually. Meanwhile, the commission's IT budget for fiscal year 2012 was slashed by 15 percent, and cost savings Hancher implemented by reducing contractor services, eliminating some software maintenance and slashing for mobile devices sliced only $400,000.

Recognizing the need to generate more savings and that pattern of BlackBerry use was unsustainable, Hancher sought support from EEOC's top managers and union to revamp its mobile device program.

The BYOD pilot program focused on enticing users of government-provided BlackBerry devices to opt out. For months, EEOC's Hancher worked with information security staff, agency attorneys and the employees' union to draft rules that balanced employee privacy and government security. By June, many BlackBerry users opted out and voluntarily joined the BYOD pilot program.

The pilot focused on providing employees with access to agency email, calendars, contacts and tasks. With the mobile device management software, employees could read and write emails with or without Internet connectivity. A few senior executives who own Apple iPads were to be provided "privileged" access to the agency's internal systems through the secure virtual private network.

EEOC launched its BYOD pilot program last December, and by June worked out a plan that gave the remaining employees using agency-issued BlackBerries three options: voluntarily return their BlackBerry and bring their own smartphone or tablet to work; return their BlackBerry and get a government-issued cell phone with voice features only; or keep their BlackBerry with the understanding that EEOC does not have replacement devices.

Within the first three months of 2012, the EEOC pilot program cut the number of BlackBerry devices to 462 from 550 and monthly recurring costs by 20 percent to 30 percent by optimizing its rate plans with providers. Hancher projects between 10 percent and 30 percent of BlackBerry users will opt in for the BYOD program.

EEOC employees don't get reimbursed for their voice and data usage they conduct for work on their own devices. Hancher said she believes this cost could prompt some employees to keep their government-owned BlackBerries. But, for EEOC's younger employees, their personal devices appear to be an extension of their personalities.. For seasoned workers, their personal device allows them to do administrative work from home.

"While I'm not advocating working 24x7, it is just more comfortable to sit and do timecard approvals on a Friday night in the comfort of your home instead of during the prime time work day when your attention should be on more complex and business-oriented issues," Hancher said.

Alcohol and Tobacco Tax and Trade Bureau

For the Alcohol and Tobacco Tax and Trade Bureau, known as TTB, the issue wasn't as much the use of personal mobile devices as costs to maintain desktop and laptop computers for its widely dispersed workforce. More than 80 percent of bureau employees regularly telework, including many who work fulltime from their homes.

Replacing desktops and laptops every three to four years cost TTB about $2 million and caused several months of disruption.

The bureau determined that the best solution was to centralize all client computing power and applications, user data and user settings and allow access to its resources by thin-client devices that rely on another machine for computational power, such as a server behind a firewall. About 70 percent of bureau personnel use thin clients to access all applications and data.

The virtual desktop allows the bureau to avoid the expense of replacing hardware, saving the bureau $1.2 million. The bureau developed a Linux USB device that turns old desktops and laptops into thin clients for about $10 a device. In the thin-client environment, no data touches end users' devices. That allows employees to use their own mobile devices to access without officials worrying that sensitive data would be loaded onto them.

About 70 percent of bureau employees access bureau computing resources through thin devices. "There's is no typical user setup," bureau CIO Robert Hughes said in the toolkit report. "If the desired user configuration works, TTB allows it.

He offered the following example: a bureau attorney uses a thin client in the office, a personally owned Macintosh computer when working from home and an iPad when on the road. Several TTB employees occasionally use Kindle Fire devices if they need to check e-mail when out of the office or need to approve a time card that was not ready when they left the office for the weekend.

"The primary TTB BYOD lesson learned is to avoid allowing data to touch the personal device," Hughes wrote. "Having all data, settings and processing in a central location and using the BYOD device simply as a viewer significantly simplifies the legal and policy implications."

State of Delaware

Delaware's state government, in implementing pilot programs, was an early adopter of a bring-your-own-device initiative [see 7 Steps to Secure Mobile Devices and Wipe Out: Data Vanish on Smart Phones].

The state is expanding its original program, and beginning in January will migrate current state-issued BlackBerry users to either their own devices through a proposed reimbursement program or to a device that runs directly through the state's wireless carrier.

Delaware CIO William Hickox estimates the state could save up to $2.5 million dollars annually through the reimbursement program as well as $75,000 in lifecycle and $120,000 in continuing support costs.

How would the reimbursement program work? Employees whose job duties require frequent need for a mobile device, as determined by their supervisor, would receive a monthly voice/data plan reimbursement to cover the costs of state related business.

Who qualifies? Employees on the road or in the field, but required to remain in touch with others, typically out of the office on business 50 or more days a year; employees whose duties require them to be contacted anywhere and/or anytime; and employees with round-the-clock response requirements.

Eligible employees will receive $10 a month for voice only, $30 a month for data only or $40 a month for voice and data.

So far, Delaware has reduced expenses tied to mobile devices by 45 percent, resulting in an overall reduction of departmental wireless costs of 15 percent. Hickox expects the savings to grow.

Although the state, as of this summer, has begun to reimburse more than 100 employees for using their own devices, over 1,000 state employees use their personal devices in its BYOD program.

As Delaware began to implement its BYOD program, concerns were raised whether reimbursements would be taxed as personal income. By requiring employees to submit for reimbursements, the payments are considered nontaxable expenses. Another sticking point was the federal Freedom of Information Act. Delaware avoided potential problems because all of the state's e-mail is centralized and a copy of every transaction is maintained on the central servers, which results in a clean copy being available for discovery, if necessary.

One challenge that remains: growing the reimbursement program. Wireless carriers have begun to place limits on data flow for a flat fee, and employees are balking to use their own devices since they no longer have unlimited data use. The state refuses to reimburse employees who max out on their data plans. It's a problem that still needs to be resolved.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.