Have a plan for managing portable and personal devices

A mobile device is any portable device that can access and hold organisational data.

A mobile device management (MDM) plan, or equivalent plan, outlines how an organisation manages, monitors and tracks devices. It should be linked to an organisation’s broader security plan and include:

• managing authorised devices centrally
• setting rules and policies to control access
• ensuring devices have the necessary software
• identifying which devices can hold or access organisational data, including bring-your-own-devices (BYOD) or personal devices.

Mobile device management — CERT NZ

Have policies and procedures for personal devices

Allowing the use of personal devices for work purposes is the organisation’s decision. A BYOD policy may be available for workers or may be an option if work devices aren’t available, for example, because of a lack of supply.

Device security policies

The right level of device security should match the type of work being done. If personal devices are allowed, make sure staff are aware of the sort of work they can and cannot do. For example, if a person needs to work on sensitive documents, using their personal device may not offer enough security.

Inform staff of policy expectations

If staff are using personal devices for work, it’s important to have specific policies and practices to manage use and expectations in an organisation’s MDM plan. Share this information with personal device users so they understand what is expected.

What to cover 

Policies about personal devices can be included in a mobile device management plan. Areas to cover include:

• privacy and confidentiality
• keeping business records
• destruction of information
• updates and security.

Mobile device management — CERT NZ

Supplying devices and hardware

People need the right tools to do their jobs when working remotely. For work that cannot be done on a personal device, or when a person does not already have appropriate equipment at home, agencies may consider providing the following items of equipment:

• laptop
• keyboard
• mouse
• monitor.

Te Kawa Mataaho Public Service Commission has guidance on providing equipment for working remotely. This guidance relates to employee requests to work remotely, rather than employer-required remote working (for example, following an incident).

Provision of equipment for working from home

Replacing, updating and patching devices

Asset lifecycle management can help keep track of new and existing technology such as devices or software, anticipate when updates are needed, and plan for when devices need replacement. CERT NZ has further guidance about asset lifecycle management.

Asset lifecycle management — CERT NZ

Updates and patches

Keeping device and system software up to date is one of the most effective ways to keep organisations secure. There are various ways to configure a system to process updates and patches. Each organisation will need to determine their own method.

When devices are not in a central location because of remote working, the following points should be considered:

• Can the system patch and update portable devices?
• Are the portable devices capable of being patched and updated?
• If the worker is using a personal device, how can the organisation ensure they keep it updated and patched?
• Are devices in storage updated and patched for an emergency?

Patching — CERT NZ 

Guide to managing updates on remote endpoints — Digital Public Service Branch technical guidance

Limit access to devices

Limiting access and ensuring authentication of a device user is one of the best ways to keep the system and people secure. Some best practice measures to have in place include:

• multiple-factor authentication (MFA) or cloud-based identity applications
• device encryption
• single sign-on functionality
• virtual private network (VPNs) with firewalls and anti-malware software to protect the network.

Manage authentication — CERT NZ

Make device security everyone’s responsibility

Be open and clear with staff about why device security is important. Support them with training and resources. Make sure they know what to do if an incident does occur.

Taking the time to lay a strong security foundation from the start may help overall compliance in the future.

Examples of device security include:

• when a worker is prompted to change their password, they may be more likely to do so and choose a strong password if they understand why it’s vital and how to do it effectively
• if a worker receives a suspicious email, they know how to handle it safely
• staff know what work they can and cannot do from a personal device.

Keep in mind that if it’s not easy for people to do their work remotely, they may be less likely to follow the security procedures and requirements.

Making it work for people will boost security

Ready for remote following an incident — devices

Each organisation’s assets management plan and mobile device management plan (or equivalent) as well as business continuity plan should document expectations and issues to be ready for remote working following an incident.

Organisations that have invested in portable devices are generally better placed for remote working. If the workforce is not normally equipped with portable devices, organisations’ business continuity plans may need to consider a wider range of issues, such as prioritising access to devices and policies for BYO device use.

More information

Working offsite and mobile devices — New Zealand Information Security Manual