FCW : November and December 2014
For a security regimen to click, a mobile device’s essential features — making calls, managing address books and maintaining calendars — must meet the users’ expectations.

“If the controls we implement make it so the device no longer seems to provide the easy use that people expect... we lose the support,” Ruland said.

“When you implement something, it can’t be so draconian that the users can’t use it,” said David Shepherd, senior consultant for systems engineering at LMI. He added that organizations should recognize that users are being encouraged “to pay the freight” when conducting business on their own smartphones and tablets. In BYOD scenarios, agencies are essentially borrowing their employees’ mobile gear to get work done beyond the confines of the office.

NIST’s NCCoE recognizes the need to keep users on board with mobile security. Its “Mobile Device Security for Enterprises” guide, which it describes as a building block, lists a number of security capabilities that promote usability. They include making remediation procedures, the establishment of protected connections and authentication methods as unobtrusive as possible.

An unobtrusive remediation procedure, for instance, would let an organization perform remediation in the event of a security incident “with little to no loss of personal functionality on the device,” the document states.

A protected connection feature would give users the ability to quickly and easily establish a secure link between their devices and enterprise resources. And unobtrusive authentication methods have two characteristics: Authentication to applications and services is accomplished in the background with no need for user interaction, and complex password requirements are not necessary to unlock a device.

“Within our document, we enumerated functional characteristics that are intended to promote secure behavior while minimizing the impact on a user’s daily workflow,” said Joshua Franklin, an IT security specialist at NIST who has been working on the mobile device security building block.

The building block is designed to apply to any public- or private-sector entity seeking guidance on securing mobile devices, but officials also plan to offer a flexible design that can suit different types of organizations and users. Fisher said that’s because NIST recognizes that user expectations vary from organization to organization.

“Users operating a mobile device within a classified environment understand that security takes precedence, and the expectations for functionality are tempered,” he said. “However, users working for a small tech startup with a BYOD policy will likely want to leverage mobile devices for a wide range of functionality.”

For data that cannot be replaced or access that “must have continuity beyond the employee,” default encryption could pose problems, Carroll said. He also warned that the most advanced, persistent cyber adversaries will find a way through the encryption.

Linus Barloon II, who in his former role as chief of cyber operations at the White House Communications Agency was responsible for securing the devices of military users, agreed that the added layer of security could be a boon for most users. But he added that there are potential gray areas for employee-owned devices if a federal employee becomes the subject of a criminal investigation or is probed as an insider threat.

Barloon, who is now a senior cybersecurity engineer at Virginia Tech Applied Research Corp., wants law enforcement agencies to have legal access to encrypted data. He added that federal users are already subject to monitoring “when they log into the government side of the phone” and do not have the same expectations of privacy as ordinary users.

Carroll said he expects native encryption to catch on in the federal workplace, and it can be implemented in a well-managed BYOD program. Mobile devices can be compartmentalized into containers, with control over some elements being administered remotely.

“While the native encryption protects the device in general from loss of confidentiality, the access to the container can be separated for many device and mobile operating system implementations,” Carroll said.

Although he’s no longer a fed and no longer involved with the CIO Council, Carroll said he does not believe default encryption requires a policy rethink or big changes to the MSRA.

“In general, this is why the security decision framework and reference model exist,” he said. “These tools help make those decisions when technology changes or mission needs change.”

— Adam Mazmanian

November/December 2014 FCW.COM 33