The UK government has published security approval for public sector organisations to offer bring your own device (BYOD) schemes for employees to access data and applications using Windows Phone and tablets.
The new End User Devices Security and Configuration Guidance policy was issued by CESG, the information security arm of GCHQ. It follows requests by public bodies such as local authorities wanting to introduce BYOD schemes to their staff.
The policy, which is in draft form, details the security rules that must be followed for any mobile device, but for the first time allows the use of employee-owned computers.
“Whilst enterprise ownership of a device makes many information security aspects much simpler, it is not a prerequisite of this guidance,” said the CESG documentation.
But the policy places a number of restrictions on how staff-owned devices must be used – and implicitly acknowledges that CESG would prefer public bodies not to offer BYOD if possible.
“What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information. Hence, a BYOD model is possible – although not recommended for a variety of technical and non-technical reasons,” it says.
The guidance demands that any mobile device be returned to factory settings before it can be used to access government data, and that the employing organisation be able to fully manage the device throughout the life of its use for mobile working.
“To ensure information security when using devices not owned by the enterprise, the enterprise must take control of device management at the point of provisioning, ensuring that the device is placed into a ‘known good’ state prior to allowing it to access official information,” says the policy.
“The device must be returned to an understood state such as via a firmware reinstall or wipe to factory state and any existing configuration on it replaced. It is only by taking over the enterprise management of the device that an organisation is able to ensure that information security policies are being applied.”