CESG, the information security arm of GCHQ, has advised government that although Bring Your Own Device (BYOD) strategies are possible for public sector organisations, they are not recommended.
The guidance, which is currently in beta and is awaiting feedback, states that if a BYOD approach is used then the government body involved must take control of device management at the point of provisioning.
CESG has issued end user device security guidance for a number of platforms, including Android 4.2, BlackBerry 10.1, Apple iOS 6, Windows 7 and 8, Windows Phone 8, Windows 8 RT, Ubuntu 12.04, Apple OS X 10.8 and Google Chrome OS 26.
“Whilst enterprise ownership of a device makes many information security aspects much simpler, it is not a prerequisite of this guidance,” said CESG.
“What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information.”
It continued: “Hence, a BYOD model is possible – although not recommended for a variety of technical and non-technical reasons.”
When deploying devices, CESG recommended that systems administrators set up a pilot of devices in a non-operational environment before deployment. It urged that departments simulate as far as possible.
It also said that IT departments should make optimum use of native security functions, avoiding third-party products wherever possible.
CESG recognised that public sector employees will inevitably lose some of their devices and suggested that administrators should establish a helpdesk facility to respond to such a situation by performing a remote lock or wipe and revoking access to enterprise information.
“Modern end user devices provide users with great flexibility and functionality – coupled with security technologies to help protect information. The aim of this guidance is to harness these security technologies in a way that does not significantly reduce this functionality,” said CESG.
“Different devices will expose organisations to different risks and in different ways – by exacerbating existing risks to corporate assets, or introducing new ones.
“Careful consideration of these risks is important to maintaining information security.”