The government has issued security approval for public sector organisations to offer bring your own device (BYOD) schemes for employees to access data and applications using their own smartphones and tablets.
The new End User Devices Security and Configuration Guidance policy was issued this week by CESG, the information security arm of GCHQ. It follows numerous public bodies such as local councils seeking to introduce BYOD schemes to offer more flexible working for staff.
At this stage, the new policy has been published as a draft or "beta" version, so may be amended before a final document is produced.
The policy details the security rules that must be followed for any mobile devices, but for the first time allows the use of employee-owned computers.
“Whilst enterprise ownership of a device makes many information security aspects much simpler, it is not a prerequisite of this guidance,” said the CESG documentation.
But the policy places a number of restrictions on how staff-owned devices must be used – and implicitly acknowledges that CESG would prefer public bodies not to offer BYOD if possible.
“What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information. Hence, a BYOD model is possible – although not recommended for a variety of technical and non-technical reasons,” it said.
The guidance states that any mobile device must be returned to factory settings before it can be used to access government data, and that the employing organisation must be able to fully manage the device for as long as it is used for mobile working.
“To ensure information security when using devices not owned by the enterprise, the enterprise must take control of device management at the point of provisioning, ensuring that the device is placed into a ‘known good’ state prior to allowing it to access official information,” said the policy.
“The device must be returned to an understood state such as via a firmware reinstall or wipe to factory state and any existing configuration on it replaced. It is only by taking over the enterprise management of the device that an organisation is able to ensure that information security policies are being applied.”
The policy also provides detailed advice for a wide range of possible products and operating systems. Devices using Android 4.2, BlackBerry 10.1, Apple iOS6, Windows 7 and 8, Windows Phone 8 and RT, Ubuntu 12.04, OS X 10.8 and Google ChromeOS 26 are all on the list.
CESG has recommended 12 security controls that need to be considered, including in-transit and at-rest data assurance; authentication; secure boot; application sandboxing; whitelisting apps; malicious code detection and prevention; and an incident response plan for security issues such as lost devices.
The policy recognises that “networks that the device connects to will not necessarily be trustworthy”, such as public Wi-Fi services – a break from the past when government employees were expected to only use in-house secure networks.
“The critical aspect is that the enterprise takes over the management of the device via a device provisioning process and is able to control all relevant aspects of it throughout the time it accesses official information,” said the document.
CESG is seeking further feedback on the policy from government departments that want to offer mobile working.