iOS 6 iPhones and iPads get security thumbs-up from UK government
The UK government's IT security arm CESG has published guidance for the public sector on how to use Apple devices running iOS 6 to share confidential information - and what to do if there are problems with a rollout.
Government security authorities have published details on how public sector agencies should use iOS 6 devices for confidential information.
CESG, the government's IT security arm, has published documents setting out how iPads, iPhones and iPods running iOS 6 can be used to pass on sensitive information, a spokeswoman for CESG, part of intelligence agency GCHQ, confirmed on Wednesday.
"CESG is currently working on updates and enhancements to a number of our mobile security guidance documents," the spokeswoman said. "As part of this work, CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails - up to and including Impact Level 3 depending on local risk management decisions.
"The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working," she added.
The CESG has effectively given iOS 6 devices clearance to carry Impact Level 3 (IL3) information – data deemed 'restricted'. Information handled in the public sector can be one of six impact levels, from unrestricted (zero) to top secret (six).
This isn't the first time that Apple has featured in such guidance – CESG wrote similar documents for iOS 4 in April 2011.
"Our recent publication takes advantage of new security features within iOS, and builds on CESG's increasing understanding of the security properties of this platform," the spokeswoman said.
CESG has also previously published guidance on some BlackBerry, Windows Phone and Symbian platforms.
The guidance documents list the elements that public sector organisations should consider prior to rolling out devices on any of the platforms. These include recommended network architecture for their enterprise services, the provisioning and deployment process for the devices, their configuration and ongoing management, and user guidance and education. The documents also set out the relevant technical and procedural mitigations that can be put in place to help tackle security threats such as device loss.