Last week GDS helped launch new guidance for securely using 11 common desktop and mobile operating systems in public sector organisations. CESG (the UK government’s National Technical Authority for information assurance) have led this, working closely with the team in the Office of the CTO.
The guidance was presented to the civil service security and IT community and to industry, with welcoming addresses by Liam Maxwell, the government CTO and Stephen Kelly, the government COO and SIRO (Senior Information Risk Owner).
My role was to explain how the guidance fits with our End User Device approach and how it supports the wider rebalancing of government IT.
The guidance is remarkable and important because:
- it has been written to put user needs first – not something that security policy is known for
- it enables real choice of IT for civil servants – there is guidance for Mac OS X, Ubuntu and Android alongside more expected platforms like Windows and BlackBerry
- it is published on GOV.UK – which is important in ensuring it gets to the people who need to see and use it
- it is written as guidance rather than rigid instructions, which will allow users to make informed, risk based decisions on their particular deployments
- it is designed to be iterated based on user feedback
Feedback on the guidance
The feedback at the events was generally very positive, with a number of delegates describing it as ‘revolutionary’. Naturally there was also a degree of scepticism that the guidance could change a deeply rooted risk averse culture in departments.
While there will clearly be more to do to achieve all the benefits of the end user device approach, this new guidance is a very positive step in the right direction. With the support of IT and security teams in departments it will lead to a better, more secure user experience for civil servants. GDS IT and the Cabinet Office Technology Team already have pilot projects underway to put it to the test.
Read the End User Device Security Guidance, and send feedback to firstname.lastname@example.org.