The NSW Government has outlined the minimum security standards it expects from agencies issuing smartphones, tablets and laptops to staff – or allowing them to bring their own.
Automatic locking and two-factor authentication for connection to external networks will be required on all data-enabled devices that are likely to be taken out of the office.
All tablet and smartphone devices, whether agency-owned or staff-owned, will be expected to be governed by some sort of mobile device management platform, such as Blackberry Enterprise Server.
The state’s Department of Finance and Services (DFS) has also made a series of suggestions about what should and shouldn’t qualify as a password, rejecting 123456, 000000 and the words “password” and “department” among others.
The rules will apply to all NSW departments, statutory bodies and shared service providers, and will govern the types of devices that can and can’t be procured through the whole-of-government ICT Services Catalogue.
The policy also sets out the central IT agency’s stance on BYOD.
The DFS has left the final decision on whether or not a device should be approved for use on the job up to the agency CIO, “provided it meets the minimum requirements of the agency”.
“BYOD device capabilities and device profiles need to be matched to business requirements/user scenarios. For example, if the staff member is primarily a consumer of information when mobile, the profile of a tablet or smartphone would be a good match. If the staff member is a ‘creator’ of information, a laptop/desktop profile would be a better match,” the standards suggest.
However, the NSW government will require some basic concessions from staff members wanting to connect their own device to agency networks.
“Owners of BYODs that are registered and used for BYO agree to surrender limited authority over the device for the sole purpose of protecting government/agency data and access on the device.”
This includes a commitment from BYOD participants that they will report lost or stolen devices “immediately”.
The default approach for an agency-owned device that is being deregistered from an agency fleet will be a full wipe of all contained data and applications. BYOD devices with some sort of containerisation enabled will be partially wiped by default.
The NSW government also wants agreement that it can wipe any staff-owned devices before they are sold or given to another individual.