Mobile Policies: Ensuring FlexibilityCIO Details Custom-Tailored Policies, Benefits
For large-scale organizations, ensuring flexibility is an essential component in developing a mobile device policy, a direction the city of Honolulu took when it created its program.
See Also: Top 50 Security Threats
The city of Honolulu consists of many departments, all of which are unique, says Gordon Bruce, the city's chief information officer. "There's no way that the parks department is the exact same way as the department of emergency services," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
As such, the city developed its mobile policy to take into account the independence of each agency. "It gives the agency the authority to enable access to the various systems using those mobile devices," Bruce says.
All the departments must first comply with a master policy, but from there is flexibility that enables individual agencies to tailor specific items unique to their department.
"We had a situation where there was a particular application that a department wanted to use," Bruce explains. But that application was on the restricted list for first responders, such as the police department. "But from the other agency's standpoint, there was no reason why they shouldn't be able to use that particular application," he says.
"Because they manage their own devices within that agency, they could enable that [application] to be downloaded," Bruce says.
In the interview, Bruce also discusses the:
- Involvement of labor unions in helping determine mobile device policy. Honolulu's payroll includes about 10,000 union members, and the mobile policy had to address if union workers should be paid overtime if they use mobile devices from home after work hours;
- Reasons behind the selection of AirWatch to be the city government's mobile device manager service;
- Incorporation of bring your own device into the overall mobile security policy of Honolulu's government.
Gordon's official title is director of the Department of Information Technology and CIO for the city and county of Honolulu. Gordon previously served as CIO for the Estate of James Campbell, now James Campbell Co., one of Hawaii's largest landowners. While at Campbell, he helped pioneer that organization's vision of a teleport and tech park in Kapolei, an unincorporated part of Honolulu County. He also is the former CIO of the Queen's Medical Center, the state's largest private hospital.
A former adjunct professor at the University of Hawaii, Gordon teaches at Hawaii Pacific University and at the Japan-America Institute of Management Science. He earned a master degree in international business from Hawaii Pacific.
ERIC CHABROW: It's not just BYOD [bring your own device] that's driving use of mobile technology in Honolulu government, but the technology itself. The policy you're implementing covers government-issued as well as personally-owned mobile devices. What's interesting about Honolulu's approach is how it allows individual agencies to tailor their mobile policy. First off, let's hear how the policy was developed. How did you initially decide what approach to take and who participated in developing the policy?
GORDON BRUCE: Honolulu has tried to jump on ahead of this. We knew that it was coming and we knew that we would be kidding ourselves if we were to bury our heads in the sand and say we're not going to support the use of mobile devices. When we sat down and looked at how we would secure these devices and enable them to be part of what the employee wants to use and what the citizen wants to use, we knew we would have to look at certain policies and we knew that different departments worked differently. In particular, you can take a look at the first-responder community versus the non-first responder community, two totally different methods of operation.
CHABROW: Can you provide an example?
BRUCE: There were a number of devices that the police carried that gave them push-to-talk capabilities on their mobile phone. That series of capabilities is going away. Verizon was the provider of that service. We found a software application that runs on an iPhone that enables push-to-talk capabilities that was available on previous devices. Police had to make a decision as to whether or not they wanted to make that application available or not. After they looked at the application, they decided they did not want to make it available because it was even more powerful than the push-to-talk capabilities they had in the past, and they didn't like the fact that you could also bring non-first responders into your push-to-talk family.
CHABROW: Push-to-talk - this is basically making an iPhone like a walkie-talkie?
CHABROW: What did the police end up doing?
BRUCE: They're stuck right now because that push-to-talk capability is going away. They're going to have to make a decision, find another application or decide that they no longer need it. And they still have their regular radios that they carry, but police like the mobile phone push-to-talk capabilities when they had to do a one-on-one with one of their associates. It wasn't a standard operating procedure tool but it became one.
Policy: Starting Phases
CHABROW: In developing the policy, did you start with first responders or non-first responders?
BRUCE: We had worked initially on the non-first responder group as far as developing our policy, and we had to look at things such as is it a city-purchased device or is it my own device. Do I qualify for overtime? Am I subject to FLSA standards? All of those kinds of things had to be taken into account as we developed the policy that would be rolled out for the employee.
CHABROW: You mentioned you had to look at if the person was qualified for overtime. Is this an area that when people think about mobile use, employees that are hourly employees, for example, may be putting in extra time when they shouldn't?
BRUCE: Right. Legally it can get very touchy. We're a union shop. That adds another flavor, if you will, to how things are done, and we have union as well as non-union employees. Areas that have always been kind of gray are if an employee uses and checks their e-mail after hours. Have any of them really filed for overtime or things like that? No, but their department heads tend to be the ones that are controlling whether or not they have the ability to do overtime after hours. That responsibility is with the agency head, and we wanted to keep that flavor going when we started rolling out the mobile devices.
We developed the policy that would take into account the independence of each agency and gives the agency the authority to enable access to the various systems using those mobile devices. That became the first one and the foundation for subsequent policy, which became the next one that came out of the first-responder community.
CHABROW: Why did you decide to go with the non-first responders first? And when you say "we," who are "we?"
BRUCE: The non-first responders are first because they were the ones that were asking first, so they were the first to come to the table. And "we" are agencies like the parks department, facilities and maintenance department and the roads division. These are the kinds of agencies that were saying, "How can we expand on citizen-facing mobile applications that we've already rolled out so that we as the provider of those services can also use mobile devices as the response and support piece of this citizen request?"
We rolled out a number of citizen-facing mobile applications. One of our major ones was one we call Honolulu 311, which enables a citizen with any mobile device to, say, see an abandoned vehicle, use their mobile device to take a photograph of that abandoned vehicle, we geo-code it, they send that information to us, we send it to the customer services department responsible for the removal of abandoned vehicles, and all of that information is geo-coded and put into the work-order system for our customer service department.
But what they didn't have at customer service was the mobile device piece that would allow them to make their job easier in responding to the fact that they've removed that vehicle. They came to us and said, "Wait a minute. How can we also use this tool?" That's when we had to say okay, let's start inserting things like our city policy and how we're going to use it, because we use e-mail a lot as back ends of some of these systems. We also have to look at how we would enable e-mail and secure the device, secure e-mail, secure the applications and all those things associated with it.
CHABROW: What time frame are we talking about? How long were these initial applications?
BRUCE: We have done all of this within 120 days.
CHABROW: How long ago was this implemented?
BRUCE: Honolulu 311 has been out for almost a year now, and then the back-end piece we were in pilot for 90 days and we're in live production this month.
CHABROW: So it's fairly recent?
BRUCE: Fairly recent.
CHABROW: It's interesting, how you're developing this mobile policy, because when you hear a lot about mobility today, you're hearing about BYOD, where people want to use their own devices to access corporate or government networks. Here, it sounds as if there was a specific need to get information and technology can provide that information, so it wasn't necessarily someone wanted to use their own device, but the idea that mobility is a new tool that can help government accomplish its goals.
BRUCE: Right. And there are two driving forces behind it. Number one was e-mail, the desire of many of the employees to get real-time e-mail on their mobile devices, and by real time I mean real time, not going on to a website or anything like that. Also, real-time access to a number of applications like our electronic forms system, our ERP system, our time-in attendance, employee self-service - these are all driving requests that are coming from the employee.
Developing Policy: Who's Involved
CHABROW: Let's talk about the people who helped develop the policy. Who's involved in this?
BRUCE: The department of information technology, the department of human resources, our legal department, budget and fiscal services group. If everything gets worked out, it bubbles up to the managing director's office and the mayor, who sign off and make it policy.
CHABROW: Can you discuss a little bit about why each of the parties is important to being part of the process? Obviously with the budget and fiscal services group, there's money involved in this. With HR, I guess it's because of people?
BRUCE: They're the interface to the union. They have all the union contracts that we have to comply with. We have to make sure that whatever policy we put in place doesn't conflict with whatever the union agreements are. Legal is involved because of the Fair Labor Standards Act [FLSA], making sure that we don't put something in place that could violate that. I typically don't like to do a lot of policy, but this is one where we really had no choice.
CHABROW: Why did you have no choice?
BRUCE: Because of the legal aspect. FLSA is a major one; overtime in the union. Those things are right there, and the things that were added to it were rights of use. Is it your own device? How much control will we the city be taking in the management of that device? Will we have the ability to wipe it completely if you lose it? If you violate our policy of use, what level of control over that device will we have? And it varies depending on whether or not it's a city-owned device or a personal device, and I'll give you an example. On our personal devices, it's very hard for us to say you can no longer go to iTunes and download music. On a city-owned device, we can very well say you're not going to be using iTunes and you're not going to be downloading music to the city-owned device. You have to balance those two kinds of things in your policy.
CHABROW: The policy could state if you want to have access to our system, and if it's your own device, you can't download iTunes.
BRUCE: Chances are though someone using their device, that pretty well goes out the window.
One Size Doesn't Fit All
CHABROW: But that's something where I believe in Honolulu you give each department the freedom to decide what the policy should be on these.
BRUCE: As we were developing the policy, we were also looking at the various technologies out there that would enable us to execute the policy, such as the mobile device management component. We looked at a number of different products out there that would allow us to manage that device and we had to find certain technologies that would enable, for example, each agency to have their own set of rules under the policy that they can operate; i.e., yes we'll let you use iTunes, or no, you cannot use iTunes.
Or in an example of the police department, first-responders can download applications from the police store, but they cannot download applications from the iTunes store. Concurrent with us writing policy, we were also looking at the technology to make sure that the technology fit the need of policy and vice versa.
Mobile Device Management
CHABROW: Honolulu chose AirWatch for its mobile device manager. Were there a lot of products out there?
BRUCE: There's not a lot, but there's a lot of vendors getting into the business at a very, I don't want to say, immature state - because it's not the truly mature state - but they're evolving. So whether it's MaaS360 or AirWatch or Quest or IBM, they all have mobile device management tools out there. We took the approach that the tool also had to match policy.
CHABROW: How did you vet the AirWatch product?
BRUCE: We did a pilot project. We did a hundred devices, e-mail only, and not access to the applications yet, but access to e-mail only, real-time. We used AirWatch to manage and control in the pilot, so people had to be willing to go through the pain of some things that we had to learn as we used the tool. We did that for about 45 days, got through that growing pain concurrent with developing the policy and got everything formalized by the beginning of September so that we could start rolling out 400 devices that are still waiting.
CHABROW: You're still in the pilot project?
BRUCE: No pilot is over. One hundred are being moved over to production, which is a minor thing to do. Then we have another 400 new ones that will be coming online, which has started already.
CHABROW: These are city-owned devices?
BRUCE: It's both a combination of city-owned devices and bring-your-own-device. Mostly it's city-owned. There are a few BYODs.
CHABROW: This is designed so each department can develop their own policies. What can these devices access and download?
BRUCE: The departments must comply with the master policy, but there's some flexibility within that master policy that enables them to do some things that may be unique to them. We had a situation where there was a particular application that a department wanted to use, or a test or evaluate. It was one of those that were on the restricted list of the first-responders who said, "No, we don't want them to do this." But from the other agency's standpoint, there was no reason why they shouldn't be able to use that particular application. Because they manage their own devices within that agency, they could enable that to be downloaded.
CHABROW: Why is this flexibility good?
BRUCE: Every department is unique. There's no way that the parks department is the exact same way as the department of emergency services. There are too many unique rules and too many unique ways that they operate. They also have different components within their respective union contracts; they're a little bit different. It's difficult to have a one-size-fits-all.
We have 10,000 employees that are unionized with two major unions, and the union contracts are not truly identical. Then departments have administrated rules under which they operate as well, so those have to be brought in to take place. If you think about it, we've got the legal department; we've got the prosecuting attorney's office; we've got waste, water and we've got roads. We have, in our particular case, driver's licensing and motor vehicle registration. Then we've got police, ambulance, fire; it just goes on and on. There are differences between those agencies.
CHABROW: Say a union worker at night wants to check e-mail. How will that work out?
BRUCE: Back to the department head. The department head has to look at that particular individual and say, "Okay, this individual is a unionized employee and under the union contract they qualify for overtime for any work after an eight-hour day, or whatever hour of day it is." That department head would be put into a position of saying to that employee, "I'm sorry. Because of the union contract, I'm not in a position to enable you to do this. If you're willing to sign this terms-of-use document that says that you agree that you do not want to qualify for overtime in order to have this capability and all the various rules associated with it, then I'll approve that."
What happens right now is if I'm an employee and I want to use my own device, or even if the city is going to provide me with a device, I go online, submit an online request and approve a terms-of-use agreement. I sign that terms-of-use agreement that I understand that this is the rule under which I will operate the device. Adjacent to that is the city's policy on use of mobile devices. When that goes to the department head, he or she can accept this employee's request and approve it. That then gets submitted to our agency for us to enable the device, and once we've enabled that device it's up to the department head to administer it.
CHABROW: Has the union raised any objections?
BRUCE: Not yet because it's not a requirement to do your job.
CHABROW: But having a mobile device could be helpful in doing your job?
BRUCE: It could be. It's like mechanics. Mechanics bring their own tools. The city has tools that they can use, but some of the mechanics would rather use their own. And that's fine; it's your choice. This is a little bit different but also a little bit the same in the fact that you want to bring your own tool - it's your choice - but because of the situation with overtime, because of the flexibility technology gives you, there are a certain number of tweaks we have to do to it.
CHABROW: But the difference here between bringing your own tools and mobility is there could be situations where an employee will be working hours that they normally would not work, and I guess that raises another question, how to define work. It was the time when work is done. It's happening to all of us where we're working and may take a few hours off during the day because we know we could be at home at night because we have the technology that we could make up that time. That may not be the same thing with an hourly worker.
CHABROW: I don't know whether that's a big problem that could have an impact on how mobile technology will be employed in governments.
BRUCE: That's why we've had to look at each of those pieces. We're not forcing the employee to use their own tool set. We're not forcing the employee to check e-mail after hours. That occurs when they make the request to have that capability. Right at this point in time, we've put the responsibility on the actual department head to approve that employee's use of that device, understanding that could also mean after their normal work day. But it's the employee's call and they've also said that they agree that will be their decision whether or not to use it after hours.
Importance of Mobility
CHABROW: You're developing a mobile policy that really isn't divorced by BYOD. Bring-your-own-device is an element of your mobile policy?
CHABROW: And you're developing this policy because of the way organizations - in your case the city government - are using technology and how technology is evolving. What does this say about how important mobility is becoming in government in doing what they need to do?
BRUCE: Mobility has always been there. We have 2500 laptops, mobile devices if you will, that are out there right now today. They sit in police cars. They sit in ambulances. They sit on individuals who take them out on the job. They take them home. But now what they've got is another device that's a lot less expensive and a lot more portable that they would rather use, and there are more individuals who have access to them.
Think of it this way. A PC laptop is $2500; mobile devices are $300, $400 or $500. We have a whole new market out there of consumers that now have access to these mobile devices that they've never had before. And these devices have access to the systems. Securing them and all of that becomes DIT's responsibility. There are certain things that we do to their device at home that enables them to do that, just as there are certain things that we're going to do to their mobile device that will enable them to do that; i.e., in the mobile device, they must be running AirWatch.
CHABROW: AirWatch is a software that's put on the device, and the rest of it is through a cloud service?
BRUCE: Yeah, and in our particular case we had an option. But we've elected to go with the cloud service.
CHABROW: No security concerns with the cloud service?
BRUCE: No. We've made them jump through many hoops and there are certain requirements that they had to comply with, and most of them do already because they know that they wouldn't be able to sell their product if they didn't have it.
CHABROW: Can you give me an example of what those requirements would be?
BRUCE: There are certain federal security standards. There are encryption requirements.
CHABROW: Is there a way that you can vet them or audit them to make sure they're doing what you want them to do?
BRUCE: There's documentation that they have to provide us with that verifies that.
Supporting Personal Devices
CHABROW: Right now, most of the mobile devices being used in Honolulu are government-issued ones, although I suspect that maybe over the years there will be an increased use of individual ones. Would you say that's correct?
BRUCE: That's true. I would say it's around 25 or more are personal.
CHABROW: Twenty-five units?
BRUCE: Yes, 25 of the first 100, so that's not bad - 25 percent. Now I don't think that percentage will hold that high when we get more and more of these devices rolled out, the next 400 for example. I know the next 400 are 100-percent city-purchased.
CHABROW: The issue of support really isn't a big one because you're not supporting I guess personally-owned mobile devices - iPads, iPhones and laptops, correct?
BRUCE: We support the laptops.
CHABROW: Even the personally-owned ones?
BRUCE: Only to the point where we enable access. If you can't get in to our system and you've got all the appropriate pieces on there, that's not our problem. We have the same approach with the mobile devices because we found during the pilot program that two exact devices running the exact same iOS can run differently depending on who your carrier is. We've made the decision that when you bring in these mobile devices, whether it is a city-purchased device or a BYOD, we will not support that device. We will give you and we will enable that device. If during the course of operations you either change carriers or do something with the device, that's not our problem. We don't have the resources to manage these.
CHABROW: Could there be, if not immediately, problems if people start using their own devices that are not supported and things go wrong and it somehow has an impact on the work that they have to do and that the city has to do?
BRUCE: It could, but I will use an example. I've got someone up there with a laptop right now and they went to a website and they downloaded an application that causes some problem with that particular PC. Right now because we support the laptop, we go and take it off their hands and spend the time to correct whatever it is that they caused. Right now, if they downloaded some piece of software or whatever onto the mobile device and all of a sudden it's not working and they can't figure it out, we're just going to reset it. We'll wipe it and reset it back to normal.
We ran into those kinds of things during the process and it enabled us to make it real clear to the individual that wants to use their own device that you've got to be careful with what you do with it. It's actually making them better with managing their own device. For example, a lot of them who bring their own device didn't have passwords. We require passwords.
CHABROW: And they're not simple passwords either?
BRUCE: No, they're not simple passwords. They must meet the city's requirement for passwords and they must renew them every 90 days, and we enforce that renewal through the mobile device manager. Our point to them is that you know you were walking around with this device, with all kinds of personal stuff on it that anyone could get to. We've helped you make it more secure. Again, it's your call. We're not saying you have to use your device to get into the city system.