The organisation claims the revision was necessary due to the rapid increase in the use of mobile devices and the growth of remote and flexible working staff, where employees expect to be able to conduct business via their own technology equipment.
CESG urges organisations considering a BYOD policy to understand relevant legal issues, limit the information shared by devices, consider technical controls and plan for security incidents.
“The legal responsibility for protecting personal information is with the data controller, not the device owner,” claims the guidance document.
“The Information Commissioner’s Office (ICO) can impose fines of up to £500,000 for serious data breaches,” it adds.
Its document also highlights how personally owned mobile devices can often facilitate the easy and sometimes automatic sharing of data with other users and the cloud, claiming “this is a risk that needs to be managed.”
The guidance notes that technical services such as Mobile Device Management (MDM) can help with remote security, management and support of personally owned devices.
It also claims it is important to remember that mobile devices are lost, stolen and compromised every day and this can affect business data protection.
The document recommends that organisations should always act immediately to limit losses, prevent the spread of any compromise and learn lessons from the incident.
“Plan for and rehearse incidents where a personally owned device that has access to sensitive business information is lost, stolen or compromised,” it says.
“Ensure you are able to revoke access to business information and services quickly and understand how you will deal with any data remaining on the device.
“Consider using a remote wipe feature for business data,” it adds.