Modern smartphones, laptops and tablets provide users with great flexibility and functionality, and include security technologies to help protect information.
This security guidance is general to all End User Device (EUD) deployments and aims to help organisations harness these security technologies in a way that does not significantly reduce their functionality.
Who is this guidance for?
This guidance is for any organisation wishing to secure the EUDs they use, but it is primarily to help system administrators make informed decisions about the configuration, management and use of EUDs, and risk owners understand the overall risk to their networks presented by their use.
What does this guidance do?
It builds upon the most important elements of the strategic goals described in End User Device Strategy: Security Framework & Controls:
- make optimum use of native security functions, avoiding third-party products wherever possible
- allow greater user responsibility to reduce security complexity, maintaining user experience for the majority of responsible users
- logging and audit preferred over prevention and control, to maintain user experience and flexibility for the majority of responsible users
- enable greater interoprability of IT systems through a more common and consistent approach to securing information
There are also guidance documents for specific platforms (we’ll put a collection link in here). Each platform we provide guidance for has been considered as part of a remote working deployment to see how effectively it is able to protect information. The guidance is not simply about applying settings to a device, but is also about making informed network architecture decisions; providing appropriate guidance and training for users; and performing operational maintenance, monitoring and defence of the network.
System Administrators may also use this guidance as a starting point for other security configurations for different devices such as desktops and servers. Consideration should be given to how applicable the recommendations are to their particular scenario and the guidance customised accordingly.
- devices are corporately-managed and issued to users individually
- only a single user account will be present on each device. Multi-user devices are not addressed in this guide.
- devices will be used to access corporate services (email, calendar, collaboration tools…) both in and out of the office.
- the devices will be used to access various Internet-based services, both for work and some personal use
- users will be made aware of the appropriate use of the system prior to receiving the device
- some devices will inevitably be lost or stolen (though precautions in this guidance should help ensure that data loss is minimised)
- devices will connect to a range of networks. Not just those provided by the organisation itself
- networks to which the device connects will not necessarily be trustworthy, so protection of the data in transit on these networks is important
- devices will be deprovisioned when no longer used for their original purpose.
Although devices are expected to be corporately managed, the ownership model is not particularly relevant here. The critical aspect is that your administrators take over the management of the device via a provisioning process and are able to control all relevant aspects of it throughout the time it accesses your organisation’s data.
Since we assume only a single user account, you will need to think about customising the configurations given here if dealing with multi-user scenarios.
We recommend that you carefully consider the risks from allowing EUDs into high-security locations. This guidance doesn’t cover the use of these devices in that type of environment.
How to get the most from this guidance
- Read the guidance for your selected device(s) in full.
Consider how applicable the usage scenario and recommendations are for your intended use.
- Set up a pilot of devices in a non-operational environment before deployment.
Try to simulate the environment where the devices will be deployed.
- Determine the business functions that devices need to perform before deciding on theconfiguration.
Apply security configurations to the device or supporting infrastructure where applicable.
- Produce security operating procedures, user education packages and training documents.
This will help your staff to keep information secure on mobile devices.
- Establish a helpdesk facility to respond to the loss or theft of devices.
Remotely lock or wipe devices, and revoke their ability to access your organisation’s information.
- Prepare a system management plan to deal with security critical updates and patches.
Updates will be released by the vendor throughout the lifecycle of the deployment.
- Regularly iterate your design, architecture and configuration.
Base any changes on your experience of using and managing the network.