Government Cyber Security Policy: ‘Corporate by Default’ Device Deployment Policy
This policy requires that Lead Government Departments (LGDs) and their arm's length bodies (ALBs) must by default issue users with corporately owned and managed devices in favour of any other device deployment model.
1.1 All government organisations and their Arm’s Length Bodies (ALBs) shall:
- determine who has a business need to access, process or store corporate data on a mobile phone, tablet, laptop or desktop PC in order to carry out their work duties
- by default provision these users with corporately owned and managed device(s) in favour of any other device deployment model
- provision corporately owned and managed device(s) which are fit-for-purpose and comply with the Government Cyber Security Standard
1.2 This policy applies to data at OFFICIAL.
2.1 In general, it is expected that government systems will be used for government business.
2.2 Issuing users with corporately owned and managed devices gives the organisation greater control over how those devices access, process or store corporate data and greater ability to keep those devices secure.
2.3 Making corporately owned and managed devices the default IT solution across the organisation will help government organisations and their ALBs to reduce the risk posed to corporate data and help to prevent data breaches.
3.1 This policy is intended for:
- Security advisers responsible for the overall security of an organisation
- Chief Digital and Information Officers and/or Chief Technology Officers responsible for funding and maintaining the organisation’s corporate IT
- Cyber security professionals responsible for advising technical teams on the secure management of IT assets and infrastructure
- Technical delivery teams responsible for managing IT assets and infrastructure
Organisations
4.1 This policy applies to government organisations and their ALBs.
Devices and data
4.2 This policy applies to mobile phones, tablets, laptops or desktop PCs which are used to access, process or store corporate data.
4.3 This policy applies to data at OFFICIAL.
Users
4.4 This policy applies to users with a business need to access, process or store corporate data on a mobile phone, tablet, laptop or desktop PC in order to carry out their work duties.
5.1 Data breaches pose the following risks:
- Risk of reputational damage to government organisations, ALBs and/or the individuals affected
- Legal liability for government organisations, ALBs and/or the individuals affected
- Negative impacts on the rights, freedoms and safety of private individuals
- Negative impacts on the operation of government and ALBs’ essential functions and delivery of public services
6.1 This policy contains both mandatory and advisory elements, using the same language as Functional Standard GovS 007: Security:
- shall means a requirement: a mandatory element
- should means a recommendation: an advisory element
- may means approval
6.2 All government organisations and their Arm’s Length Bodies (ALBs) shall:
- Determine who has a business need to access, process or store corporate data on a mobile phone, tablet, laptop or desktop PC in order to carry out their work duties.
- By default provision these users with corporately owned and managed device(s) in favour of any other device deployment model.
- Provision corporately owned and managed device(s) which are fit-for-purpose and comply with the Government Cyber Security Standard.
- In relation to mobile phones and tablets specifically, follow the decision-making process set out at Annex A below to determine whether a different GSG mobile device security policy or other controls may apply.
7.1 Organisations shall ensure a threat-driven, risk-based approach to implementation, proportionate to the prevailing level of cyber risk, within practicable timescales, and in line with their organisation’s business objectives and priorities. This means that organisations have the flexibility to decide how to meet the requirements of this policy in practice.
7.2 Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed and the appropriate risk mitigations put in place in line with the organisation’s risk tolerance.
7.3 Organisations should have a plan in place to work towards future compliance with this policy, in a way that meets their business objectives and priorities and to ensure continuous improvement over time.
8.1 This policy is supported by and relates to:
- Functional Standard GovS 007: Security, which sets expectations for what security activities organisations need to carry out and why in order to protect government assets
- The Cyber Security Standard, which sets out how organisations need to do this in relation to cyber security, specifying the particular procedures organisations need to follow and the performance criteria to be met
- Cabinet Office guidance on use of non-corporate communication channels (NCCCs) such as WhatsApp or private email for government business
- Government Security Group Mobile Device Management (MDM) Policy on the secure management of corporately owned mobile phones and tablets
- Government Security Classifications Policy and associated guidance on the required security controls and baseline behaviours for the OFFICIAL tier
- Other applicable cross-government policies published on this site and on GOV.UK
- Guidance for organisations from the Information Commissioner’s Office on how to uphold information rights in the public interest
9.1 The controls described in this and associated policies will help government organisations demonstrate that they have met the required security outcomes in the NCSC Cyber Assessment Framework (CAF), including but not limited to:
- A2.a Risk Management Process
- A3.a Asset Management
- B2.a Identity Verification, Authentication and Authorisation
- B2.b Device Management
- B2.d Identity and Access Management
- B3.a Understanding Data
- B3.b Data in Transit
- B3.d Mobile Data
- B4.b Secure Configuration
- B4.c Secure Management
- C1.a Monitoring Coverage
9.2 The mandatory elements of this and associated policies are aligned with or exceed the Baseline Government CAF profile. Those that exceed the requirements of the profile do so because they are essential to achieving the policy’s core aims.
9.3 Further guidance for government organisations on meeting the required security outcomes of the CAF is provided on the Cyber Security Policy Handbook.
Annex A: Decision flow for government organisations and their Arm’s Length Bodies (ALBs):
Question: Does the user have a business need to access, process or store corporate data on a mobile phone or tablet in order to carry out their work duties?
- Answer: Yes – The default position is to apply the corporate solution in the GSG Mobile Device Management (MDM) policy. Proceed to next question below to determine if a different GSG mobile device security policy or other controls may apply.
- Answer: No – No mobile phone or tablet solution required. This policy does not apply.
Question: Is the user a Cabinet minister?
- Answer: Yes – Apply the specific COPE solution (Corporately Owned, Personally Enabled) in the VIP Mobile Phones Policy, using the GSG VIP Mobile Technical Pattern. We advise you to contact your security team for more information on how the VIP Mobile Phones Policy is being implemented locally.
- Answer: No – Proceed to next question below
Question: Is the user a Permanent Secretary, or in another critical role deemed to be at risk? For example: junior ministers, senior officials, Private Offices, special advisers, employees in National Security roles. (This is not an exhaustive list.)
- Answer: Yes – Choose between the following policies, based on the organisation’s assessment of the user’s risk profile, business needs and preferences:
  - Apply the specific COPE solution (Corporately Owned, Personally Enabled) in the VIP Mobile Phones Policy, using the GSG VIP Mobile Technical Pattern; or
  - Apply the corporate solution in the Mobile Device Management (MDM) policy
- Answer: No – Proceed to next question below
Question: Is the user a third-party supplier contracted by a government organisation or an ALB?
- Answer: Yes – Choose between the following policies, based on the organisation’s assessment of the sensitivity and business criticality of the corporate data in scope, the security standard of the third-party supplier’s IT, and value for money:
  - Impose relevant security obligations via contractual terms and conditions and/or Security Aspect letters. These may make reference to existing organisational policies and/or impose bespoke controls; or
  - Apply the corporate solution in the Mobile Device Management (MDM) policy
- Answer: No – Proceed to next question below
Question: Do you have formal approval from the Senior Officer accountable for security in the organisation (or person with delegated authority) to apply BYOD (Bring Your Own Device) for this specific use case, in line with the BYOD (Bring Your Own Device) Mobiles policy?
- Answer: Yes – Apply the BYOD solution in the BYOD (Bring Your Own Device) Mobiles policy.
- Answer: No – Revert to default position and apply the corporate solution in the Mobile Device Management (MDM) policy.