Government BYOD and Mobility Initiatives Vetoed by Security Standards Bodies

LONDON - March 24, 2014 - PRLog -- Auriga Consulting Ltd (Auriga), the expert data, ICT and security consultancy, today warned that Bring Your Own Device (BYOD) and other mobile initiatives are stalling due to the risk averse approach of government security and accreditation regimes/risk owners. Government departments have been actively encouraged to outsource public services in order to benefit from the innovation and cost consciousness of the private sector. Mobile working is often cited as one of the best ways to generate efficiency and cut costs but such recommendations are being repeatedly delayed through a lack of appetite to assess the threats and risks presented by such devices within their current operating environment. The risk averse nature of the regulators is in direct contrast to the needs and risk appetite of government departments, causing many public-private projects to founder.

HMG departments and agencies now put out to tender proposals to reform working practices as a matter of course. Key terms of reference within the proposals will focus upon the use of mobile computing and private sector partners will seek to advise upon and offer solutions that facilitate mobile working. Within the UK care and justice environment, for example, such initiatives seek to allow designated staff to work in the community directly with offenders and ex-offenders, focusing on key government objectives in order to cut reoffending and reduce the number of people in custodial and non-custodial sentence plans. However, the innovative, pragmatic approaches to security and obvious efficiency gains of such mobile working projects are being vetoed by HMG security and accreditation regimes which have a much lower risk appetite.

HMG security and accreditation policies and guidance such as the Security Policy Framework, including: Information Assurance Standards, Good Practice Guides and Architectural Patterns; and, the Public Services Network (PSN) and End User Devices Security and Configuration Guidance all provide the information and mandates needed to assess and implement a risk balanced approach deploying mobile devices within a wider technical solution.

“HMG security and accreditation schemes, when misinterpreted, used out of context or not used to correctly analyse the business requirements under the relevant threat model, can be seen as the nay-sayers of the risk management lifecycle and fail to move with the times. The irony is that in taking such a risk averse stance government security standards authorities are failing to fulfil their remit. They are failing to empower public servants, failing to encourage public/private partnerships, failing to embrace more efficient and cost effective ways of working and are ultimately failing the taxpayer by shackling staff to their desks,” states Nigel Wilkinson, Lead Consultant, Auriga.

Nigel further states: “With the introduction of the new Government Classification Scheme on 2 April 2014, this risk averse approach is only likely to increase, as data and risk owners are already struggling to understand the boundaries of technical control to be implemented on traditional systems let alone the concerns they may have with BYOD and Mobile Devices.  A recently released FAQ describing management activities concerning information risk at the new ‘OFFICIAL’ classification does discuss a BYOD model and management, technical and legislative considerations.  Until all the risks are accurately articulated to risk owners in a way that they can fully understand the threat model, values and sensitivities related to the information and the consequences of loss or compromise, progress of the use of such devices within government will continue to be seen as ‘taboo’.  Additionally, until it becomes possible to express the overarching cost and risk of not doing business in a more innovative way within the risk management life-cycle, the accreditation regime will continue to cling to prior security policy because this represents the route of least blame should something go wrong.”

About Auriga

Auriga Consulting Ltd (Auriga) is an expert consultancy specialising in Data Management, Information Assurance, Corporate Governance, Business Process Modelling, Analysis, ICT and Security. We advocate data as the most valuable part of your business and combine superior security and assurance knowledge with a wealth of business management consultancy and efficiency skills. Using a unique set of methodologies we embed security by overlaying it onto business process and analysing data.

Auriga reported a turnover of more than £1million in its first full year of trading, cementing its reputation as one of the most dynamic and versatile solutions providers in the marketplace today. We have worked on some of the most demanding projects in the UK for customers from the public and private sectors, advising upon the architectures and business processes adopted for the G-Cloud project, NHS and social services databases, and leading the BSi’s largest audited UK organisation successfully through ISO 27001. To find out more, please go to www.aurigaconsulting.com or follow us on Twitter @AurigaConsult.