Learning Resource

Bring Your Own Device in Government

Bring your own device (BYOD) policies have transformed the way people conduct business, access data, and stay connected. BYOD is defined as the use of employee-owned devices to access enterprise content and the enterprise network (Deloitte, 2013).

In other words, a BYOD policy allows employees with the consent of their employer to use their own smartphones or tablets, and sometimes watches, for work-related duties and to access the corporate network.

But a key component of BYOD is that employees are also permitting their employers to use their devices for company or government business. This has become a cybersecurity policy challenge for organizations. As authors David Kim and Michael G. Solomon note, the major security risk associated with BYOD is that the "IT asset is owned by the employee."

Other issues associated with BYOD include who "owns" the data (some is personal, some is work-related) and whether the user or the company is responsible for everything from IT support, software updates, and antivirus patches and protection (Kim & Solomon, 2018). Privacy and legal issues are also concerns, and all of the issues are not just considerations for the companies, but for the employees as well.

BYOD programs are popular in the private sector: 38 percent of companies expect to stop providing devices to workers by 2016, according to a global survey of CIOs by Gartner, Inc.'s Executive Programs (Gartner, 2013). And by 2017, the survey says half of employers may impose a mandatory BYOD policy (Whittaker, 2013). However, this trend of allowing employees to bring their own device to work is not just limited to the private sector. Federal agencies are beginning to adopt such policies as well. Regardless whether the organization is a private or government entity, a BYOD strategy/approach is developed and implemented to reduce cost, increase program productivity and effectiveness, adapt to a changing workforce, and improve user experience (CIO Council, 2012).

The following must be taken into account when a federal agency is considering a BYOD approach (CIO Council, 2012):

  • technical aspects
  • roles and responsibilities
  • incentives for government and individuals
  • survey employees on benefit and challenges
  • voluntary vs. mandatory participation in BYOD program and impact on terms of service
  • security
  • privacy
  • service provider(s)
  • devices and applications (apps)
  • asset management

According to the toolkit guidelines formulated by the federal BYOD working group, there are three high-level means of implementing a BYOD program: virtualization, walled garden, and limited separation (CIO Council, 2012).

Virtualization: Providing remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device.

Walled garden: Keeping data or corporate application processing within a secure application on a personal device so that it is segregated from personal data.

Limited separation: Allowing commingled corporate and personal data and/or application processing on a personal device with policies enacted to ensure minimum security controls are still satisfied.

Cybersecurity professionals should also familiarize themselves with two guideline documents from the National Institute for Standards and Technology (NIST) that establish best practices for securing the devices that handle and attach to government networks and data: NIST Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, and the NIST Special Publication 800-164 Guidelines on Hardware Rooted Security in Mobile Devices (Draft).

References

Deloitte. (2013). Understanding the bring-your-own-device landscape. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/about-deloitte/deloitte-uk-understanding-the-bring-your-own-device%20landscape.pdf

Ellis, R. K. (2012, September 5). New BYOD toolkit for federal agencies [Blog post]. https://www.td.org/Publications/Blogs/GovLearning-Blog/2012/09/New-BYOD-Toolkit-for-Federal-Agencies

Federal Chief Information Officers Council (CIO Council). (2012, August). Bring your own device: A toolkit to support federal agencies implementing bring your own device (BYOD) programs. https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf

Gartner. (2013). Gartner predicts by 2017, half of employers will require employees to supply their own devices for work purposes. http://www.gartner.com/newsroom/id/2466615

Kim, D., & Solomon, M. G. (2018). Fundamentals of information systems security (3rd ed.). Burlington, MA: Jones & Bartlett.

Whittaker, Z. (2013, May 2). BYOD: From optional to mandatory by 2017, says Gartner. http://www.zdnet.com/article/byod-from-optional-to-mandatory-by-2017-says-gartner/