Intel corp bring your own device case analysis

Your Case Study Analysis Of Intel Corp. – Bring Your Own Device Should Be Apx. 6 Pages (Double-Spaced, 1 Inch Margin All Around,2 Point Font). Be Sure To Add Graphics And References. Include The Following: In Your Introduction, Discuss The Consumeriz

INTEL CORP. – BRING YOUR OWN DEVICE R. Chandrasekhar wrote this case under the supervision of Professors Joe Compeau and Nicole Haggerty solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality. Richard Ivey School of Business Foundation prohibits any form of reproduction, storage or transmission without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Richard Ivey School of Business Foundation, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca. Copyright © 2013, Richard Ivey School of Business Foundation Version: 2013-02-15

In January 2010, Malcolm Harkins, chief information security officer, Intel Corp., was facing dilemmas in taking forward the Bring Your Own Device (BYOD)1 initiative. The company’s information technology (IT) division had been driving this initiative for nearly a year. Now that senior management had taken a strategic decision in favour of implementing BYOD, Harkins needed to take the lead in the opening up of the initiative broadly across the enterprise. More than 10,000 of Intel’s nearly 80,000 employees worldwide were already bringing their own devices to work. Harkins foresaw that the number of employee-owned mobile devices on the job at Intel would triple in a year and that, by 2014, about 70 per cent of employees would be using their own devices for at least part of their job. Said Harkins:

My dilemmas are three-fold. How do we extract value from the initiative and turn BYOD into a new source of competitive advantage at Intel? How do we ensure security of the corporate data on a device that an employee brings to the workplace? How do we respond to e-Discovery requests for information stored on a device that Intel does not own?

CONTEXT Early in 2009, Harkins had noticed a trend among the employees of Intel. Employees were bringing their own tablets and storage devices to their workstations and using them during office hours. Concurrently, the use of smart phones was rising. The distinction between corporate data and personal data on employee-owned devices was blurring because access to corporate data was no longer limited to office hours, just as personal data was no longer off-limits during office hours. 1 “Bring your own device (BYOD) is an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphones and tablets, but the strategy may also be used for PCs. It may include a subsidy.” Source: Gartner Inc., IT Glossary, available at http://www.gartner.com/it-glossary/bring-your-own-device-byod/, accessed December 21, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 2 9B13E002 The trend was catching up. BYOD was causing apprehensions among IT professionals mandated with information security (IS). Their immediate concerns were two-fold: The IT staff would be burdened with supporting and troubleshooting unmanaged devices; and, instead of using the devices for work-related activities, employees would be distracted by applications embedded into their devices, which could potentially lead to a negative impact on productivity. Harkins’s principal concerns related to issues of not only IT and IS (which were his areas of domain) but also finance, law, human resources development and the company’s brand equity (which were not his areas of domain). Employees had personally invested in laptops, netbooks and mobile devices, and they were using them for company work — whether at home, at office or on the road. This practice reduced Intel’s own costs of device procurement but increased its costs of evaluating, configuring and supporting a growing pool of smartphones, tablets and laptops. It also meant greater risks in terms of data security; company data was vulnerable to being compromised while being carried on personal devices. Intel, as an organization, needed to be able to access and control company information; but doing so on employee- owned devices without violating individual privacy was a grey area. Harkins also realized that who should be included in a BYOD program was a sensitive area. Every year, Intel recruited professionals at various levels, and its reputation as a preferred employer, among young jobseekers in particular, would also be affected by its stance on BYOD. Intel had three options for dealing with BYOD as a trend. It could have done nothing, in the hope that employees bringing own devices to work was only a fad and would soon pass. This approach would have ensured status quo but would have also pushed “shadow” IT (as the IT activities occurring outside of IT management were collectively known) further into the dark. The company could have issued a directive stating a categorical “No” to the option of employees bringing their own devices to work. Such an approach would have ensured not only a uniformity of technologies being deployed company-wide and Intel’s ownership of all IT devices used in the company but also corporate oversight. However, this approach would have meant falling behind ongoing trends and alienating a portion of its employees. Studies by both Gartner and McKinsey had pointed out that IT mobility was a rising phenomenon (see Exhibit 1: Top 10 Emerging Trends). The third option was to support BYOD, an approach that had seemed logical in light of some irrefutable “laws” of information security, as Harkins saw them:

These are unwritten laws that one must acknowledge. For example: Users want to click; when connected to the Internet, people will click on things. Information wants to be free; people are prone to talk, post, and share. Code wants to be wrong; a software program can never be 100 per cent error-free. Services want to be on tap; some background processes will always have to be switched on. Security features are double-edged; they help and they also harm. People set and forget; the efficacy of a control deteriorates with time. In such a context, compromise is inevitable for CIOs [chief information officers]. They cannot enforce rules of their own.

Dating back to the early 1990s, Intel’s IT division had acknowledged these laws. As personal computers became common in the homes of its employees, Intel allowed some employees to log in to the Intel network from their home systems and to use that ability to work from remote locations. Subsequently, however, amid concerns over data security risks, Intel had limited this provision to employees who were undertaking mission-critical processes.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 3 9B13E002 The launch of laptops in 1997 had, for the first time, brought the use of personal devices not connected to the corporate network, to centre stage. Laptops were followed by wireless access points, ultra-portables, tablets and net-books. But it was the arrival of smartphones in 2006 that marked the beginning of the BYOD trend. The increasing functionality of smartphones and similar devices had, in some cases, become comparable to laptops in their ability to not only process data but store data. Smartphones could connect to the data centre and plug into corporate applications hosted on the cloud. The trend was unstoppable; by early 2009, Intel recognized that it needed to implement a strategy to address the BYOD trend. As part of developing a strategy, Harkins was keen on gathering the input of not only employees who were bringing their own devices to work but also those employees who were not doing so. He organized a two-day web jam in March 2009. Over an uninterrupted 48-hour period, his team took queries, in turns, from nearly 7,000 employees and responded to more than 1,000 cyberposts. The web jam was an opportunity not only for Intel employees worldwide to provide input on how they wanted to use their smartphones but also for the IS team to explain what the use of smartphones meant to the organization, going forward. Although only 30 per cent of participants were okay with corporate access to their personal devices, there was a near unanimous view in favour of Intel managing the security of personal devices; and, in return for the freedom to bring their own devices to work, 100 per cent were willing to accept necessary training and adjustments to their behaviour. Accountability became one of the pivots around which the policy evolved. It cut both ways. IT was accountable for providing the technology footprint with which to manage devices; and employees were accountable for understanding the potential risk the devices they brought to work carried for the company. For years, Intel had been losing one per cent of its notebooks annually; they were either misplaced or stolen. But, under the terms of the BYOD initiative, Intel no longer needed to buy the devices. Allowing employees to bring their own devices would reduce the incidence of hardware loss; employees would be more vigilant about guarding them because of their sense of ownership. An integrated personal and business calendar on the device would also increase employee productivity. Costs, per se, would decrease because telecom carriers typically charged about 33 per cent less for data plans for individuals than they did for corporations. It was evident that BYOD was not a technology issue; it affected other company functions, such as legal, HR and accounting, whose help was required in defining policy, including such details as privacy and software licensing and enforcing compliance. Also evident was that a “one-size-fits-all” framework would not work. Harkins developed a five-tier model to manage the security risk inherent in BYOD (see Exhibit 2). Said Harkins:

A multi-tier architecture provides not only the greatest security but also return on investment. We classified the level of access to data and services into five categories with progressively higher degree of IS requirements. Level one, for example, pertained to corporate data, like stock price movements, which were uploaded in real time on public servers. Level two pertained to slightly confidential applications like payroll. We had to factor in issues of privacy at this level because the device was owned by the employee. Level three was what we called Basic and had the least permissive level of access to

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 4 9B13E002

corporate data. Examples of services included calendaring, contacts and emails. Level four, called Intermediate, consisted of applications pertaining to specific lines of business. Level five, called the Managed Equivalent, was the most permissive level of access to corporate data.

CONSUMERIZATION OF IT For many decades, IT had been a standalone activity whose understanding was limited to a few employees in an organization. It still carried a mystique to the vast majority, even as the giant mainframes gave way to personal computers, and desktop computers made data processing more accessible for individuals. In the late 1990s, the arrival of hand-held computing devices marked a new beginning of employee empowerment that came to be called the Consumerization of IT (CoIT), defined as “the adoption of any consumer-facing technology for business purposes.”2 Characterized by self-provisioning of technology, CoIT was one of the most disruptive phenomena in the workplace. It was encompassing many sub-categories of computing, such as social media, cloud, applications (apps) development and, of late, BYOD. From CoIT, companies were securing business gains, both internally and externally. Internally, employees were becoming more resourceful and innovative, leading to general gains in organizational productivity. IT’s own productivity was increasing because many consumer technologies were self-supporting and end-users were readily shoring up one another. IT could extend its capabilities across the organization without requiring additional resources. A company adopting CoIT could attract and retain young and skilled employees, leading to improvements in revenues, margins and market share. Externally, CoIT improved the company’s engagement with customers, vendors and business partners. When CoIT was implemented as part of a multi-channel strategy and for deploying tools of social media in particular, it was easier for existing stakeholders to do business with the company and for potential customers to sign up for its offerings. The greatest benefits came from the development of apps aimed at delivering the right data to the right set of users and managing both users and apps for the common good. Mobile apps, in particular, could be developed quickly and at a lower cost than traditional enterprise apps. Employees were developing front- end apps on their own, depending on their ongoing requirements. This development and device freedom had enhanced the spirit of enterprise in companies. However, CIOs were facing several challenges with CoIT. First, there were difficulties in securing the buy-in for any CoIT initiative from functions such as legal and accounting. These functions were accustomed to a compliance mode; risk taking was not part of their culture. A free-for-all culture, which the CoIT phenomenon seemed to represent, was contrary to their traditional mindset. Second, nurturing the innovation that CoIT represented was difficult because companies in general had no precedents for how to encourage productive innovation within the context of CoIT. The more dominant perspective was that personal devices loaded with attention-diverting applications were more representative of

2 “Consumerization of IT: How IT Should Manage Personal Technology at Work,” InfoWorld Special Report, May 2012, http://www.infoworld.com/d/consumerization-of-it/consumerization-of-it-how-it-should-manage-personal-technology-work- 194587, accessed December 10, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 5 9B13E002 productivity waste than enhancement; they were thus banned in many firms, such as those on Wall Street.3 To set up the systems and processes supportive of consumer technologies, CIOs needed to secure the data from threats of hacking, viruses and identity thefts; ensure interactive apps experience; manage the load on IT infrastructure and generally stay on the side of new generation workforce. Also necessary was keeping pace with changes in the legal and regulatory environments in different countries where a company’s employees were located. The singular challenge for CIOs, however, was in keeping pace with changes in their own domain of IT. INTEL – COMPANY BACKGROUND Intel was the world’s largest manufacturer of semiconductor chips (see Exhibit 3). Its main products were integrated circuits (i.e., chips etched with electronic switches) and platforms (i.e., suites of digital technologies), which were used as raw materials in computing and communications industries. Intel’s customers included both original equipment manufacturers (OEMs) which marketed branded products and original design manufacturers (ODMs) which provided services to branded and unbranded private-label resellers. In 2009, Hewlett-Packard Company accounted for 21 per cent of Intel’s net revenue (up from 20 per cent in 2008 and 17 per cent in 2007), and Dell Inc. accounted for 17 per cent of net revenue (down slightly from 18 per cent in both 2008 and 2007). The semiconductor industry was characterized by a high percentage of fixed costs in three areas: research and development (R&D), employment of skilled workforce and training of employees. The business was subject to downturns because product demand was variable. The product life cycle was limited, often less than a year. As a result, the pace of technological development and the frequency of new product introductions were more rapid than in other manufacturing sectors. Intel was driven by the strategic mandate of “being the preeminent provider of semiconductor chips and platforms for the worldwide digital economy.” Its goal was to “deliver a great ‘personal’ computing experience across all types of devices and enable consumers to move seamlessly from one type of device to another.” 4 Intel was routinely launching products with improved rates of data processing. It was also innovating to continue to improve the connectivity, storage, security, energy consumption, ease of use and inter-operability of devices. At the end of 2009, Intel had reorganized its business “to better align our major product groups around the core competencies of Intel architecture and our manufacturing operations.” The company had nine operating segments: PC Client Group; Data Center Group; Embedded and Communications Group; Digital Home Group; Ultra-Mobility Group; NAND Solutions Group; Wind River Software Group; Software and Services Group; and Digital Health Group. Said Harkins:

3 “Social Media Like Facebook, Twitter and Gmail Banned on Wall Street,” New York Times, November 23, 2012, http://articles.economictimes.indiatimes.com/2012-11-23/news/35317526_1_social-media-youtube-videos-analyst, accessed December 5, 2012. 4 Intel’s 2009 annual report, http://www.intc.com/intelAR2009/, accessed February 7, 2013.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 6 9B13E002

The growth of mobile microprocessor units has been outpacing the growth of desktop microprocessor units. This trend will continue. The escalating demand for mobile microprocessors will result in increased development of products with form factors requiring lower power. Their demand will be incremental to that of desktop microprocessors since a growing number of households have multiple devices for different computing functions.

In addition to its four wafer fabrication facilities in the United States (in Arizona, Oregon, New Mexico and Massachusetts), the company had manufacturing units in China, Ireland, Israel and Vietnam and test facilities in Malaysia, China and Costa Rica. It had sales and marketing offices worldwide. For the year ending December 2009, Intel had net revenues of $35.1 billion5 and net income of $4.3 billion (see Exhibit 4). Intel’s revenues had declined by 7 per cent over 2008, although the volume of shipments had increased, as a result of falling prices. Asia-Pacific was the single largest source of revenue at 55 per cent, followed by the Americas at 20 per cent. The company’s competitive advantages included scale, talent pool, global reach and customer orientation. ISSUES BEFORE HARKINS Extracting value Value from BYOD could be extracted from three sources: cost reduction, productivity gains and competitive advantage. An obvious potential source of cost reduction was that Intel would no longer need to pay for the 10,000 small form factor (SFF)6 devices already in circulation, for the purchase of individual devices and for their ongoing service and support. Although Intel had incurred these costs in the past, once BYOD became official, employees would assume these costs. The savings could be large, based on the expectation that, by 2014, nearly 60,000 more employees would be bringing their own devices to work. From reviewing the data over the past few quarters, Harkins had accessed a vital piece of information: Intel employees who were using their own devices were spending, on average, an additional 57 minutes every day on company-related work. This index of productivity was known in IT parlance as “time back per day per employee.” The company could use what was called a “burden rate” of about $100 per hour per employee to arrive at the gain in productivity. Additional gains could be realized from employees seizing every opportunity, outside the office hours, to carry on the business of Intel through real-time collaboration with internal and external customers. Employees would also be generally happy about BYOD, which would lead to gains like their rallying together in the event of a deadline or an emergency. Competitive advantage, particularly if it was to be sustainable, could be built only on a long haul. Harkins could see some potential sources of competitive advantage. For example, networking would, over time, lead to the development of better products and services. Use of authorized device would also minimize the general risk profile within IT.

5 All currencies amounts are shown in U.S. dollars unless otherwise noted. 6 SFF devices were small computers, distinct from traditional personal computers that had towers or conventional full-size laptops. SFF devices included tablets and devices commonly called netbooks, smartbooks or ultrabooks.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 7 9B13E002 Besides, Intel was making its debut in Fortune magazine’s 2010 annual list of the best companies to work for in the United States, at 98th position in a list of 100. The ranking, which would be useful for its annual recruiting, was based on the facilities that Intel provided to employees, such as telecommuting, job- sharing programs and compressed workweeks. The provision of BYOD would likely improve Intel’s rankings, thereby leading to improved brand equity among potential employees. Said Harkins:

My difficulty is fundamental. How do I dollarize the risks and returns of BYOD? There are businesses at Intel which are sensitive to data walking out the door. They would buy into BYOD if they see, in measurable terms, how BYOD is adding value. But we only have intuitive information so far. What particular data should I mine and apply in order to arrive at the true value of BYOD?

Security The security risk in a BYOD environment had two broad components — device and data. The dilemma before Harkins pertained to two areas: the extent to which device security, which was new to Intel, could be deployed and the extent to which data security, which was prevalent in any case, could be extended in a BYOD situation. Traditionally, all the hardware that was owned and operated by the company was equipped with such built-in IS features as security settings, log-on procedures, authentication protocols, access controls, firewalls and anti-malware software (see Exhibit 5). The BYOD situation would typically comprise two types of devices — managed devices and unmanaged devices. Intel layered its own security controls on all managed devices; the controls took on two forms — encryption and remote-wipe capability. Like round pegs in a round hole, the managed devices fit perfectly with the IT environment and IT expectations. Unmanaged devices, however, were like square pegs in a round hole. No single solution supported all the devices owned by employees, thereby representing a security risk. Leaving a corporate footprint on the devices owned by employees could be damaging for employee privacy. Data encryption and remote-wipe capability would both come into play when the data was compromised or the device was lost or stolen. But the remote-wipe would also affect personal data stored by the employee on the device. The issue of privacy acquired a serious tone, particularly when no evidence of data compromise could be detected upon retrieval of a lost or stolen device. Another relevant issue related to the hourly employees. Intel had 79,800 employees at Intel worldwide, of whom 55 per cent were located in the United States. The majority of Intel’s wafer fabrication activities were also located in the United States. Hourly employees at Intel US were required to report the hours that they spent doing office work on their SFF devices while off network and away from their workstations. These hours counted not only toward their overtime compensation but also for any related expenses. Even routine activities conducted on an SFF device outside normal hours, such as checking a calendar or responding to emails, were required by Intel to be logged as overtime. The log would leave a trail, which would likely create a long-term liability for the company in the event of any claim any time in future by any hourly employee.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 8 9B13E002 Intel also had other concerns. Global IDs (such as Google ID and Live ID) were gaining popularity, and employees commonly had multiple global IDs, both on the same devices and among their different devices. Integrating global IDs into the corporate Active Directory7 account was fraught with security risks. A password that protected cloud-based email was not adequate for protecting corporate data. Data co-mingling was another potential hazard. If an employee inadvertently placed corporate data on a personally owned device of a friend or family member, who then plugged into an USB connection to charge up, the company’s data would be synchronized with personal data. Another issue related to the implications of jurisdiction (as in a country’s borders), where normal data protection laws (including one’s constitutional rights) did not apply. Said Harkins:

At Intel, we follow what I may call the 4P framework for IS in general: Prediction, Persistence, Patience and Preparedness. The IS team should be able to predict where the security threats would be coming from, which parts of the organization would be vulnerable, and how the risk would manifest itself. It should be persistent about things that matter to Intel and the practices that we care about as a company. It should be patient, not alarmist, and refrain from screaming “the sky is falling.” It should be prepared with strategic controls, contingency plans and mitigation procedures. My dilemma is: How do we apply that framework in executing BYOD?

e-Discovery U.S. companies such as Intel had a legal obligation, under the U.S. Federal Rules of Civil Procedures (FRCP), to comply with demands from the courts of law for inside documents in the event of litigation. Everything in an enterprise — from terabyte-sized databases to 14-character tweets — was thus potentially discoverable (i.e., subject to discovery) and reviewable by litigants. In December 2006, electronic discovery (or e-Discovery as it came to be called) gained a mandate in the United States. The FRCP were amended to expand the coverage of e-Discovery to all document-intensive information on which a company relied to conduct day-to-day business. The amendment brought under the purview of e-Discovery all computer systems and devices storing digital information. It also brought under its ambit all types of litigation — class action, corporate fraud and employment. The changes gave litigants wide-ranging powers to seek, as part of their review, access to the whole range of data running through the networks of an enterprise, including not only legacy data archived on backup tapes but also emails, instant messages, calendars and contact lists. Also included in the accessible data were posts on MySpace, a social media platform; records from the Global Positioning System (GPS), a satellite-based navigation protocol; and data from EZ-Pass, a toll-collection system that automatically deducted tolls from a prepaid account. All these data became part of what was collectively referred to as electronically stored information (ESI), which could be required to be produced as evidence in a court of law. ESI had more volume because, unlike paper, it replicated itself. An email was stored not only in the sender’s and receiver’s files but also at several devices in several locations. ESI was more complex than 7 “Active Directory was an advanced, hierarchical directory service used for managing permissions and user access to network resources. Introduced in Windows 2000, it was a domain-based network wherein a company's workgroups (departments, sections, offices, etc.) were assigned domain names similar to Web addresses.” PC Mag.com, “Encyclopedia,” http://www.pcmag.com/encyclopedia_term/0,1237,t=Active+Directory&i=37454,00.asp, accessed December 15, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 9 9B13E002 paper because the history of a document in the form of progressive edits, known as metadata, was embedded into it with invisible ink. ESI was more fragile because it lent itself to easier alteration than paper, which only computer forensic techniques could detect. ESI was also more difficult to delete because of the backup provisions. Unlike paper, ESI was dependent on an ecosystem of software and hardware. Research firm Gartner found in 2008 that nearly 90 per cent of U.S. companies with revenue exceeding $1 billion were facing an average of 147 lawsuits at any given time, and that the average cost to defend a corporate lawsuit exceeded $1.5 million per case.8 During 2009, e-Discovery costs amounted to 90 per cent of a litigation budget with a majority of the costs associated with the review of ESI. The scope of e-Discovery had two dimensions — legal and technological. Without technical skills, lawyers had difficulty ascertaining the specific form of ESI, its sourcing, its collection, its storage and its interpretation. IT professionals had difficulty understanding the legalese, which had increased the risk factor for companies. Intel itself was in the middle of a lawsuit, which had been filed in 2005 by Advanced Micro Devices (AMD) on alleged anti-competitive practices. 9 The case, which represented the largest e-Discovery ever, was scheduled for trial in February 2010. Intel was facing issues in retrieving data for e-Discovery. The company’s Microsoft Exchange servers automatically purged employee emails once in 35 days and senior executive emails once in 60 days. Its backup tapes were non-indexed; they were designed for disaster recovery and not for e-Discovery. Intel found that tracking emails containing specific keywords, as sought under e-Discovery, was taking time. The company had not preserved several batches of emails sent to its employees and was planning to locate them from the email inboxes of employees who had received them. Said Harkins:

The challenges in e-Discovery are several. There is the matter of ownership. Intel does not own the devices; individual employees do. Personal ownership precludes intervention by Intel’s IT team without consent. There is the sheer number of devices that has already characterized the SFF universe at Intel. The devices used by 10,000 employees bringing their own devices are by no means similar. In addition, different categories characterize the data — corporate data, non-corporate data; device-created data, application-created data, and user created data — making retrieval, as and when sought under the Rules, difficult. There is also the matter of location of data; it could be with the corporate network, a server, a cloud, a telecom carrier and the device itself. Knowing the location of data is critical to responding on time to an e-Discovery request.

OPTIONS BEFORE HARKINS With all of these concerns and opportunities in mind, Harkin sat down at his desk to consider what to propose to the other executives at Intel regarding the implementation of BYOD. Three practical issues, each with wide-ranging implications, needed to be determined.

8 Volonino Linda and Redpath Ian, “e-Discovery for Dummies,” John Wiley & Sons, 2009, Chapter 1: “Knowing Why e- Discovery Is a Burning Issue,” http://media.wiley.com/product_data/excerpt/29/04705101/0470510129.pdf page 15 of 24, accessed August 25, 2012. 9 Ibid.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 10 9B13E002 Financial Consideration: Harkins could incorporate incentives for purchasing devices with specific support provisions. For example, Intel could pick up the entire tab for both device and service for an “approved” device, but pay for only the cost of the service for an “unapproved” device. Security: Harkins could deny all “unmanaged” devices access to protected data. The upside was that all devices under BYOD would be fully “managed.” The downside was that this approach would promote shadow IT. He could use the client–server solution. All the data would remain on the server side and only the results would be posted to the user, typically, in a browser. This approach would prevent the data from being collected or stored, temporarily or permanently, on an unmanaged device. Because no data would be posted on the device, the security risk would be nil. The flipside was that, if an unmanaged device was compromised, an attacker could access and compromise all the computers in the chain from front to back. Intel could ensure that unmanaged devices carried only screenshots of the data returns, giving the endpoint almost zero access to any of the computers in the chain of delivering the data. e-Discovery: Harkins was considering three options related to e-Discovery: All employees could be required to sign a service agreement incorporating legal safeguards; Applications could be developed to ensure that all information flowed through corporate servers, thereby pre-empting the need to tap into the employee’s device; Intel could collaborate with device manufacturers to install e-Discovery capabilities. Harkins was seeking strategic opportunities in BYOD for value creation. He envisioned not only a safe and secure data infrastructure but also engaged, motivated and digitally enabled employees who could collaborate freely, act innovatively and work more independently than in the past. Was such a vision possible? Or would the risks of BYOD outweigh its gains?

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 11 9B13E002

Exhibit 1

TOP 10 EMERGING INFORMATION TECHNOLOGY TRENDS

# Technology-Enabled Business Trends # Top Technology Trends 1 2 3 4 5 6 7 8 9 10

Distributed Co-Creation Network as Organization Collaboration at Scale Internet of Things Experiments with Big Data Wiring for a Sustainable World Anything as a Service (Cloud computing) Multi-sided Business Models Innovation for the Bottom of the Pyramid Public Goods on Grid (Wired cities)

1 2 3 4 5 6 7 8 9 10

Tablets and Mobile Devices Mobile Applications and Interfaces Context-aware Computing Internet of Things App Stores Next-Generation Analytics Big Data In-memory Extreme Low-Energy Servers Cloud Computing

Source: Gartner http://www.gartner.com/newsroom/id/1826214, accessed September 14, 2012.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 12 9B13E002

Exhibit 2

INTEL’S BRING YOUR OWN DEVICE RISK MANAGEMENT MODEL

Source: Company files

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 13 9B13E002

Exhibit 3

TOP 10 SEMICONDUCTOR COMPANIES BY REVENUE, 2008 and 2009 2009 Rank

2008 Rank

Name of the company 2009 Revenue (million US$)

2008 Revenue (million US$)

Market share 2009 (%)

1 2 3 4 5 6 7 8 9 10

1 2 3 4 5 8 9 6 12 7

Intel Samsung Electronics Toshiba Texas Instruments ST Microelectronics Qualcomm Hynix Renesas Technology Advanced Micro Devices Sony

32,095 17,123 10,640

9,612 8,400 6,475 5,940 5,664 5,038 4,670

33,767 16,902 11,081 11,068 10,325

6,477 6,023 7,017 5,455 6,950

14.1 7.5 4.7 4.2 3.7 2.8 2.6 2.5 2.2 2.0

Top 10 Revenues 105,657 115,065 46.3 Others 121,078 143,843 53.7 Total Semiconductor Industry Revenues 226,735 258,908 Source: Dale Ford, “Semiconductor Market Declines Less Than Expected, Samsung Shines in 2009,” isuppli Market Research, November 23, 2009, http://www.isuppli.com/semiconductor-value-chain/news/pages/semiconductor-market- declines-less-than-expected-samsung-shines-in-2009.aspx, accessed September 20, 2012.

Exhibit 4

INTEL – CONSOLIDATED INCOME STATEMENT (in US million $) Year ending December 2009 2008 2007 Net Revenue Less: Cost of Sales Research and Development Marketing, General and Administrative Restructuring and Asset Impairment Amortization

35,127

15,566 5,653 7,931

231 35

37,586

16,742 5,722 5,452

710 6

38,334

18,430 5,755 5,401

516 16

Operating Income 5,711 8,954 8,216 Net Income 4,369 5,292 6,976 Source: http://www.intc.com/annuals.cfm accessed October 10, 2012Intel 2010 annual report, page 50.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 14 9B13E002

Exhibit 5

GLOSSARY OF TERMS RELATED TO BRING YOUR OWN DEVICE (BYOD) Access Control: The management of admission to system and network resources. It grants authenticated users access to specific resources based on company policies and the permission level assigned to the user or user group. Access Method: The portion of a computer’s operating system responsible for formatting data sets and their direction to specific storage devices Anti-malware Software: An umbrella term for antivirus programs, spyware blockers, intrusion detection systems and other software that eradicates unwanted input coming from the Internet. Authentication Protocol: The protocol by which an entity on a network proves its identity to a remote entity with the use of a secret key such as a password. Automated Backup: The most basic form of storage availability Backup Server: A software or hardware system that copies (or “shadows”) the contents of a server, providing redundancy. Basic Input/Output System: BIOS is the part of an operating system that links the specific hardware devices to the software. Cloud Computing: A form of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using Internet technologies. Common Internet File System: A protocol that allows groups of users to work together and share documents via the Internet or their corporate intranets. Entry-level Smartphone: A mobile communications device that is closer to an enhanced phone in specification and usage, but because it runs on an open operating system (OS), it is classified as a smartphone. The device’s primary focus is voice communication. Feature Smartphone: A mobile communications device that is optimized in its specifications and features to support one or more primary functions, such as music, video, gaming, pictures, browsing, mobile TV, navigation and messaging. Compared with entry-level smartphones, these devices usually feature larger displays, more powerful processors, more embedded memory and better battery capacity. Firewall: A system that limits the data that can pass through it and protects a networked server or client machine from damage by unauthorized users. A firewall can be either hardware- or software-based. Global Positioning System: GPS determines the position of a mobile device. It uses satellites to a high level of accuracy of within a few metres of the device. Metadata: Information about a particular content. For example, the metadata for an image describes how large the picture is, the colour depth and the image resolution. The metadata for text describes the length of the document, the document’s author, when the document was written and when progressive revisions were made. M-Business: A business model that deploys mobile and wireless technologies and devices.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.

Page 15 9B13E002

Exhibit 5 (continued) Mobile Middleware: Software that addresses the challenges faced by mobile applications running on wireless links that may be slow, intermittent or have high latency. Mobile Device Management (MDM): The sourcing, provisioning, securing and managing of handheld mobile devices (primarily smartphones and media tablets) to a third party. Network Security: The measures taken to protect a communications pathway from unauthorized access to, and accidental or willful interference of, regular operations. Network Sharing: A business model in which two or more communications service providers share network resources through joint ownership or third-party-enabled network sharing (open networks). No-Email Initiatives: Initiatives that encourage the switch from email to enterprise social network platforms (such as wikis and blogs), which offer richer and more varied forms of internal communication and collaboration. Operating System: Software that controls the flow of information into and from a main processor by performing complex tasks such as memory management, control of displays, networking and file management, and other resource allocation functions between software and system components. Redundancy: The portion of the total information contained in a message that can be eliminated without loss of essential information. It also refers to the provision of backup equipment. Social Media: An online environment in which content is created, consumed, promoted, distributed, discovered or shared for purposes that are primarily related to communities and social activities, rather than functional, task-oriented objectives. Software as a Service: SaaS is a software that is owned, delivered and managed remotely by one or more providers on a one-to-many model and on the basis of pay-per-use. Total Cost of Ownership: TCO includes hardware and software acquisition, management and support, end-user expenses and the opportunity cost of downtime, training and other productivity losses. Sources: “Definition of Access Control,” PC Mag.com, http://www.pcmag.com/encyclopedia_term/0,1237,t=access+control&i=37384,00.asp, accessed January 26, 2013; “IT Glossary,” Gartner, http://www.gartner.com/it-glossary, accessed January 26, 2013; “Authentication Protocol,” Expert Glossary, http://www.expertglossary.com/active-directory/definition/authentication-protocol, accessed January 26, 2013; “The Tech Terms Computer Dictionary, TechTerms.com, http://www.techterms.com/definition,” accessed January 26, 2013.

For the exclusive use of C. DALMEIDA, 2018.

This document is authorized for use only by CARMELIA DALMEIDA in IT 547 Summer 2018 taught by DONNA SCHAEFFER, Marymount University from May 2018 to Aug 2018.