Australian Government Guidance on Enterprise Mobility and BYOD

In the previous article, BYOD: New Guidance on a Big Issue, we looked at the new NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise and at some private contributions. This was mainly from a global perspective, though we did note the high adoption of smart phones and tablets by Australians. In this article we look at how the Australian Government is approaching the BYOD issues at Federal, State and Local Government level.

 

Federal Government Guidance on Enterprise Mobility and BYOD

At top level, the Australian Government Protective Security Policy Framework (PSPF) provides overarching policies covering all forms of protective security, while the Australian Government Information Security Manual (ISM) governs the security of government ICT systems, (see http://www.ag.gov.au/NationalSecurity/ProtectiveSecurityPolicyFramework/Pages/default.aspx and http://www.asd.gov.au/infosec/ism/index.htm.)

The ISM comprises three documents targeting different levels within government organisations, i.e. the Executive Companion, the Principles document and the Controls manual. Further advice is provided in Device Specific Guides, Protect Publications and Australian Communication Security Instructions.

BYOD is considered a subset of enterprise mobility and BYOD guidance is provided under BYOD Considerations for Executives, (see http://www.asd.gov.au/publications/csocprotect/byod_considerations_for_execs.htm) and in a new guide released in June 2013, Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD), (see http://www.asd.gov.au/publications/csocprotect/enterprise_mobility_bring_your_own_device_byod.htm.) These documents complement the advice in the ISM.  The key considerations for Executives relate to the legal, financial and security implications.  Is there a strong business case to justify the additional security risk? Advice to Executives on minimising risk includes:

• Take a risk management approach to BYOD implementation.
• Develop and communicate a sound usage policy.
• Be consultative.
• Educate your users.
• Contact your IT security team. In particular, seek answers to the following questions:
  • How do we protect our sensitive or classified information from being stored on the device?
  • How do we protect information on our corporate network?
  • How do we protect the device and associated network from malicious software?
  • How do we reduce the risk caused by lost or stolen devices?

Reputational risk is not mentioned specifically but well carry some weight in light of the embarrassment caused last year by media reports of an unprotected USB thumb drive containing sensitive DOD information which was left in an airport lounge. (That would be addressed under Educate your users.)

Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) is a significant document with a good level of detail. It notes at the start that “Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees obtain increased flexibility to perform work regardless of their physical location.”

The document makes it clear that BYOD management is one small part of the larger Enterprise Mobility picture, noting that “Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally-owned devices, referred to as Bring Your Own Device (BYOD).” The Appendices identify the risks and relevant risk mitigation actions for different business scenarios. For a brief overview of the document, check out ASD Cyber Security Bulletin, August 2013, which has a section titled Think before you BYOD, summarising the four ‘P’s of enterprise mobility as purpose, planning, policy and polish, (see http://www.asd.gov.au/publications/cybersecuritybulletin/ASD-Cyber-Security-Bulletin-2013-08.pdf.)

The Risk Management of Enterprise Mobility including BYOD document and the ASD Cyber Security Bulletin are part of a range of ASD Publications which complement the PSPF and ISM. Another which is relevant to Enterprise Mobility and BYOD is the Network Segmentation and Segregation advice, (see

http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm.) This document notes that “Network segmentation and segregation is a key enabler for the implementation of workforce mobility and a secure bring your own device (BYOD) strategy as it allows you to better isolate a compromised or potentially compromised device from the key information on your network.”

The document explains what network segmentation and segregation is, why it is so important, and recommends best practices. These include five common themes:

• Apply technologies at more than just the network layer.
• Use the principles of least privilege and need-to-know.
• Separate information and infrastructure based on your security requirements.
• Identify, authenticate and authorise access for entities based on your security requirements.
• Implement whitelisting instead of blacklisting.

The DOD’s National Security role has ensured the management commitment and the budget to put in place best practice enterprise mobility policies, procedures and guidance. These are available to State and Local Government (and to private sector organisations) and can be seen as a longer term goal for all levels of Government. In the meantime, however, most of the States and Local Governments have no overarching enterprise mobility framework in place and are tending to treat BYOD as in isolated issue.

State and Local Government Guidance on Enterprise Mobility and BYOD

Of the States, WA appears to be most advanced. At this point, others are making moves in the right direction but often in an uncoordinated way, Department by Department, e.g.

NSW Education & Communities has a presentation on BYOD in NSW Public Schools, which notes that NSW DEC is preparing a BYOD Policy template, a first draft of which is being considered by the NSW Secondary Principals’ Council and Primary Principals’ Association  (see http://sts.sydneyr.det.nsw.edu.au/files/CC/2013/T1/BYODhandout.pdf.)

The Queensland Office of the Information Commissioner’s Policy on the use of portable storage devices includes BYOD, noting that  ”registered BYOD Officers may apply to MCES to use BYODs for work purposes. In general, this will be limited to the use of home computers/laptops, smart phones or tablets to assist with conducting genuine OIC business. For example, enabling officers to work part time at home or to have access to OIC email on their smartphone , or permitting tablets to be connected to the OIC network to transfer meeting notes and other documents. Corporate PSDs should be used in preference to BYOD wherever this is possible. Officers should not use their own USB keys for work purposes but should instead use a corporate-issued USB key. MCES will maintain a register of approved BYOD arrangements.” (See http://www.oic.qld.gov.au/__data/assets/pdf_file/0012/21306/portable-storage-device-policy.pdf.)

Queensland State Archives has issued an April 2013 guideline for Queensland public authorities, Recordkeeping implications of mobile and smart devices, which includes a checklist of criteria to consider in managing the recordkeeping implications of mobile and smart devices, (see http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/MobileDeviceGuideline.pdf.)

The VIC Government website provides a topics A-Z listing of articles and resources about various approaches used by organizations and government agencies in adopting BYOD in the workplace but for  BYOD it consists of external links, (see http://www.egov.vic.gov.au/topics-a-z/b/bring-your-own-device-byod.html?env=l.546445521–2-15–http://go.vic.gov.au/DSQDZ0.)

The WA Department of Local Government and Communities is further advanced, with an Integrated Planning and Reporting Framework and Guidelines which includes BYOD in its ICT Strategic Framework. BYOD advice includes:

Introducing a BYOD policy will inform staff:

• whether they can connect a personal device to your network
• what devices are acceptable to connect to your network
• What systems they can have access to using a personal device
• Acceptable usage of systems and resources using a BYOD device
• What support they can expect from the IT Help Desk
• How data will be secured
• Procedures for lost or stolen devices and when leaving employment (e.g. will the device be wiped?)

Further advice on managing BYOD includes:

What does managing BYOD involve?

• Policy – having an approved BYOD policy in place
• Research – different BYOD models, trend or hype, leading edge or bleeding edge?
• Benefit Analysis – what are the tangible and intangible benefits?
• Applicability – would BYOD be introduced across your LG or be limited to specific departments, or roles (e.g. Executive Management, Elected Members)
• Risk assessment – what risks are involved? How can risks be mitigated?
• Security – what changes to ICT security are required to manage the use of personal computing devices? How will personal mobile computing devices be secured? How will access be removed if staff leave Council or if the device is lost (egg will the device be wiped and is this acceptable to staff?)
• Extent – would BYOD be in addition to, or replace council issued equipment?
• Return-on-investment – what costs are involved? Would an allowance be payable to staff bringing their own device, and if so, how should this be calculated?
• Communication – how will BYOD policies, procedures and processes be communicated to staff?

(See http://integratedplanning.dlg.wa.gov.au/Content/ICTFramework/BYODevice.aspx.)

Conclusion

The Australian Federal Government’s best practice, no-expense-spared approach to Enterprise Mobility including BYOD is available to State and Local Government (and the private sector) but due to resource and budget constraints it may not be feasible except as a longer term goal.  In the meantime, the State Government sites provide some immediate, practical advice on implementing and managing BYOD.