A report from a state CIO association recommends allowing employees to use personally owned smartphones for government business. Its guidelines for security and policy setting in such cases will resonate for any enterprise grappling with how to accommodate employee-owned smartphones.
The tightening of budgets is one of the drivers behind the recommendation that states loosen the reins on their employees' use of personal smartphones to access government networks, according to the National Association of State CIOs (NASCIO).
Fourteen states allow employees to use their personal smartphones for government use and have implemented security measures to protect the state from breaches, according to a new NASCIO report, Security at the Edge -- Protecting Mobile Computing Devices Part II, released March 31, 2010. Five additional states are currently reviewing their policies, according to the report. See the table below for a list of state policies. (Note: 36 states responded to the survey cited in the report.)
Among NASCIO's guidelines for allowing employee-owned smartphones to access enterprise networks and applications:
- Recognize the increased prevalence of personal smartphones and the ever-expanding capabilities of these devices. As storage and access capacities increase, guidelines should be established to assert what type of information can be securely protected.
- Reduce costs and manage expectations by establishing an enterprise policy on the use of personally owned smartphones. The convenience of a single device for workers is very enticing, but clear security controls and end-user responsibilities must be agreed to.
- Embrace the business capabilities of smartphones, but only allow devices that can be provisioned to meet appropriate security standards. In addition, contemplate what is acceptable use for smartphones and whether an employee has expectations for reimbursement.
- Set expectations for the end-user, because inevitably smartphones may be lost or stolen. Reporting the loss of a device or a data breach to an IT agency will increase the chances of securing information and data.
- Mitigate risks by using the proper tools to improve mobile device security. Smartphones should be required to have encryption capabilities to protect stored data, strong passwords, inactivity timeouts, lockout after several failed attempts to log in, and remote wiping capabilities.
- Anticipate that problems will arise, and troubleshoot connectivity and security issues on personally owned smartphones.
According to NASCIO, as state CIOs continue to balance cost controls and advocate for enterprise IT policies, there are clearly innovative technologies, strategies and tactics for reducing and avoiding costs. The use of personal smartphones in the workplace may be a viable option to consider, NASCIO recommends.
"The classic dilemma that officials are faced with is balancing risks and rewards when considering enterprise policies for the use of personally owned smartphones," said NASCIO Executive Director Doug Robinson in a prepared statement. "With the caveat that the proper security measures are in place for state networks and services, the trend towards allowing personal smartphones for state business use is an opportunity for states to increase productivity, user convenience and lower acquisition costs."
State Policies On Using Personally Owned Smartphones For Government Business
(36 states responding)
||Alabama, Alaska, Delaware, Florida, Hawaii, Indiana, Maryland, Michigan, Mississippi, Missouri, Montana, Nevada, North Carolina, Wisconsin
|State Agencies Set Policies
||Arkansas, Iowa, Kentucky, New Jersey, New York, Utah, Virginia
||Maine, Massachusetts, Nebraska, Oregon, Rhode Island, South Dakota, Tennessee, Washington, West Virginia, Wyoming
||California, Colorado, Idaho, Minnesota, New Mexico
Source: National Association of State CIOs, "Security at the Edge -- Protecting Mobile Computing Devices Part II," March 31, 2010.