When it comes to government, everybody talks about the “movers and shakers” — the people who make things happen. When it comes to technology in government today, though, the thing that’s “moving” is the growth of mobile use and what is “shaking” that up is the rapid increase of BYOD — Bring Your Own Device.
Although the government does not keep specific statistics on mobile implementation, Michael Mullen, senior tech editor at GovWin, reports that, “From FY 2008 through FY 2011, government data show a 7% CAGR (Compound Annual Growth Rate) in funds spent on procurements that are clearly identifiable as mobile. That equates to roughly $615 million”.
He adds, however, that in 2012, the figures for such expenditures are down drastically. While he admits part of the reason might be due to the year not being over and not all figures being reported, he also posits that the government’s embrace of BYOD could be a significant factor.
“The government’s recent embrace of BYOD policies may also be a factor, as employees using their personal mobile devices to access their government data lowers the cost of hardware and shifts mobile user provisioning, network services, VPN and mobile security to a more IT-centric services and support budget.”
But with all of those personally owned devices reaching sensitive government information, who or what is overseeing the access? In other words, where is the identity and access governance in government BYOD?
As in the private sector, BYOD is new enough that, in all likelihood, no formal system for compliance risk management has yet been established around it. Furthermore, GRC software has traditionally assumed company-owned devices and equipment.
When it comes to governance, risk and compliance management of BYOD, it would be prudent for government to adopt a cyber security constitution built on an Identity and Access Management platform for user provisioning and access certification, along these lines:
- All Users are Not Created Equal: identify which employees have access appropriate to their positions and which files they are authorized to reach, so that compliance risk management covers every user, not just the ones who asked for access
- Access is Not an Unalienable Right: just as important as the ability to grant rights is the ability to revoke them. This keeps access certifications as a closed-loop process and allows organizations to revoke functionalities from previously authorized users, while ensuring the process is fully integrated within the identity management system
- Define Your Borders: keep access risk under control by encoding entitlement policy as rules over defined data points (business attributes such as department, role and employment status), evaluating those rules with a rules engine, and recording any exceptions to them rather than granting them ad hoc
- Make Membership Self-Evident: automate group membership by granting privileges according to employee attributes, account property values found in directories and even Web service feeds, so that who belongs to a group, and why, is accountable under compliance risk management
- Patrol Your Borders: repeatedly re-evaluate the rule-based groups that determine access to confirm they are still appropriate, and review the identity matches each run produces, including missing, removed and new members, to catch errors in the determinations
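The last three items describe one loop: derive group membership from rules over user attributes, compare it with what the directory actually holds, and grant or revoke to close the gap while honouring recorded exceptions. The following is an added example, not code from the article or from Avatier's product; the users, attribute names, group rules, exception list and dates are all constructed for illustration.

```python
"""Rule-based group membership with reconciliation and closed-loop enforcement.

Added example (not from the original article). Users, attributes, rules and
exceptions below are constructed, hypothetical data.
"""
from datetime import date

# Constructed identity records: attributes that a directory or HR feed might supply.
USERS = {
    "alice": {"active": True,  "department": "finance",     "title": "analyst",  "employee_type": "FTE",        "device": "personal"},
    "bob":   {"active": True,  "department": "finance",     "title": "manager",  "employee_type": "FTE",        "device": "corporate"},
    "carol": {"active": True,  "department": "engineering", "title": "engineer", "employee_type": "contractor", "device": "personal"},
    "dave":  {"active": False, "department": "finance",     "title": "analyst",  "employee_type": "FTE",        "device": "personal"},
}

# "Define Your Borders": entitlement policy as rules over the attributes above.
# Every rule requires an active account, so a terminated user drops out of all groups.
RULES = {
    "finance-readers":   lambda u: u["active"] and u["department"] == "finance",
    "finance-approvers": lambda u: u["active"] and u["department"] == "finance" and u["title"] in ("manager", "director"),
    "byod-vpn":          lambda u: u["active"] and u["device"] == "personal" and u["employee_type"] == "FTE",
}

# Constructed snapshot of what the directory currently holds (drifted from policy).
ACTUAL = {
    "finance-readers":   {"alice", "bob", "dave"},   # dave is terminated
    "finance-approvers": {"alice", "bob"},           # alice has an approved exception
    "byod-vpn":          {"carol"},                  # carol is a contractor; alice is missing
}

# Recorded rule exceptions: (user, group) -> expiry date. No expiry, no exception.
EXCEPTIONS = {("alice", "finance-approvers"): date(2025, 6, 30)}


def expected_members(rules, users):
    """'Make Membership Self-Evident': compute membership purely from attributes."""
    return {group: {uid for uid, attrs in users.items() if rule(attrs)}
            for group, rule in rules.items()}


def reconcile(expected, actual):
    """'Patrol Your Borders': per group, who is missing and who is there but should not be."""
    report = {}
    for group in sorted(set(expected) | set(actual)):
        exp, act = expected.get(group, set()), actual.get(group, set())
        report[group] = {"missing": sorted(exp - act), "extra": sorted(act - exp)}
    return report


def enforce(actual, report, exceptions, today):
    """'Access is Not an Unalienable Right': grant the missing, revoke the extra.

    An extra member is kept only while an unexpired exception is on record.
    Returns the corrected membership (input left untouched) and the action log.
    """
    membership = {group: set(members) for group, members in actual.items()}
    actions = []
    for group, diff in report.items():
        members = membership.setdefault(group, set())
        for uid in diff["missing"]:
            members.add(uid)
            actions.append(("grant", uid, group))
        for uid in diff["extra"]:
            expires = exceptions.get((uid, group))
            if expires is not None and expires >= today:
                actions.append(("keep-exception", uid, group))
            else:
                members.discard(uid)
                actions.append(("revoke", uid, group))
    return membership, actions


def run(today_iso):
    """One certification run as of the given ISO date; returns (report, membership, actions)."""
    today = date.fromisoformat(today_iso)
    report = reconcile(expected_members(RULES, USERS), ACTUAL)
    membership, actions = enforce(ACTUAL, report, EXCEPTIONS, today)
    return report, membership, actions


if __name__ == "__main__":
    for when in ("2025-01-15", "2025-07-01"):
        report, membership, actions = run(when)
        print(f"--- run as of {when} ---")
        for group, diff in report.items():
            print(f"{group:18} missing={diff['missing']} extra={diff['extra']}")
        for action in actions:
            print("  ", *action)
```

Run it twice with different dates and the closed loop is visible: on the first date alice's exception is still valid and she is kept in finance-approvers with an explicit "keep-exception" entry in the log; on the second date the exception has lapsed and she is revoked without anyone having to remember it. Terminated and contractor users are revoked because the rules, not a manual list, decide membership.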