GCHQ produces BYOD guidelines for organisations

GCHQ's IT security arm provides guidance to organisations who want to allow employees to use personal devices at work

GCHQ has provided new guidance to private and public sector organisations that want to allow employees to use personal devices at work.

The draft of the Bring Your Own Device (BYOD) Collection guidance is part of the wider National Cyber Security Programme by the Communications-Electronics Security Group (CESG) - the IT security arm of GCHQ - and the Centre for the Protection of National Infrastructure (CPNI).

The document aims to detail “the key security aspects to consider in order to maximise the business benefits of BYOD while minimising the risks”.

“With the rapid increase in the use of mobile devices - and the growth of remote and flexible working - staff now expect to use their own laptops, phones and tablets to conduct business,” said the document.

The guidance has been produced for both public and private organisations. Due to the involvement of the CPNI, the guidelines will also be aimed at companies involved in the UK’s critical national infrastructure, such as energy, transport and banking firms.

But the document also encourages public sector organisations working at the lowest security standard (official) to seek further guidance from CESG before implementing BYOD.

There are now three security classifications: official, secret and top secret. 'Official', the lowest standard, covers all public sector organisations.

It is not clear where this would leave public sector organisations that have already put BYOD policies in place, such as Camden Council which has recently seen its BYOD adoption soar by 240%.

The guide provides eight security aspects organisations must consider before implementing a BYOD scheme:

  1. Understand the legal issues
  2. Create BYOD policy
  3. Limit the information shared by devices
  4. Encourage staff agreement
  5. Consider using technical controls
  6. Anticipate increased device support
  7. Plan for security incidents
  8. Consider alternative ownership models

The guidelines go into brief detail about how organisations should plan BYOD policies and consider the risks, while having actions in place to mitigate security breaches if phones are lost or stolen.

The document highlights that the legal responsibility for protecting personal information lies with the data controller, not the device owner, and advises organisations to understand the law surrounding data protection.

The guidelines also suggest organisations consider other options, including letting staff choose their own corporately owned device, or allowing staff to use corporate devices for personal tasks.

The guide has been designed as a draft and invites readers to get in touch with comments that could help improve future revisions. Readers can get in touch at [email protected] to comment on whether the guide provided useful information and whether or not it was easy to understand.

Last year, the government officially allowed public sector organisations to implement BYOD schemes for employees to access data and applications using their own mobile devices.

But the End User Devices Security and Configuration Guidance policy published by CESG placed a number of restrictions on how staff-owned devices must be used – and implicitly acknowledged that CESG would prefer public bodies not to offer BYOD if possible.

The guidance said that any mobile device must be returned to factory settings before it can be used to access government data, and that the device must be managed by the employing organisation throughout the life of its use for mobile working.

The policy was more focused on corporately owned devices and did not encourage BYOD in the public sector.

The old guidelines said: “What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information. Hence, a BYOD model is possible, although not recommended for a variety of technical and non-technical reasons.”
* UPDATE 9am 26/08/2014: CESG has contacted Computer Weekly saying that it had an editing error in its guidance document. While the document states: "Public sector organisations working at OFFICIAL should seek further guidance from CESG" we have now been told that it should read: "Public sector organisations working at OFFICIAL could seek further guidance from CESG."