Security guidance issued by GCHQ
CESG, the Information Security Arm of GCHQ, has released new security guidance for more than ten different end user devices to ensure they are configured and used in the most efficient way compatible with meeting security demands.
The new online guidance for UK public sector security architects, system administrators and end-user public sector mobile knowledge workers accessing official data remotely, aims to ensure new mobile devices are deployed and used in accordance with the Cabinet Office's End User Device Security Framework recommendations.
More than 33,000 malicious emails are blocked at the Gateway to the Government Secure Intranet (GSI) every month and a far greater number of malicious, but less sophisticated emails and spam are blocked each month. Mobile devices can potentially introduce new vulnerabilties, hence good practice advice is given on system architectures for remote and mobile working; details of particular configuration choices are provided for each platform, and specific security risks and issues are highlighted.
Jonathan Hoyle, Director General for Government and Industry Cyber Security at GCHQ comments: “Finding the right balance between security and usability is critical for all organisations and we have put this principle at the heart of our work. This guidance is the result of close collaboration between CESG's cyber security experts, our partners in industry and the public sector. It provides an excellent set of recommendations for anyone trying to enable secure business using the latest technologies in a cost-effective way.”
Liam Maxwell, the UK Government's Chief Technology Officer adds: "This is precisely the sort of approach to security we need - simple, pragmatic, understandable."
The security guidance does not endorse any platforms, but aims to ensure risks are minimised when using the following devices:
- Samsung Devices with Android
- BlackBerry 10
- Apple iOS
- Windows 7, 8 and RT
- Apple OS X
- Windows Phone
- Chrome OS
Even BYOD is covered – though clearly not recommended – with the proviso that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information. In fact the advice ranges from the basics such as making optimum use of native security functions, avoiding third-party products wherever possible, and ensuring physical security of devices to avoid installations such as key logging, to more specific vulnderabilities to be aware of when using wireless technology. Three specific sections cover introduction, general recommendations and enterprise considerations.