Mobile devices have unique security challenges. Due to their portability, they are easy to
misplace, potentially compromising any unencrypted sensitive data or applications stored locally.
Wireless connectivity allows users to bypass the City’s wired controls and connect directly to the
Internet and other untrusted resources. These problems are not new. The introduction of laptops
into the workforce led to security and data breaches as employees took their electronic devices
mobile. However, the new class of smaller, lighter smartphones and media tablets has elevated
exposure to this risk. The rate of change of mobile operating systems, new updates and
notification capabilities from external hardware and software vendors, the diversity of the devices
themselves, and the introduction of employee-owned devices (BYOD) also make security on mobile
devices more challenging than in a traditional desktop environment and require new approaches
to continuously monitor and manage devices and secure the data itself.
The challenge extends beyond the workforce and into the delivery of services to external
constituents. When deploying applications and other mobile technologies to interact with citizens
and businesses, the City will need to foster trust, accountability, and transparency about how user
information is collected, used, shared, and secured.
New security policies and procedures are being developed and communicated. Business units
need to become familiar with these documents so that they can integrate effective security and privacy
measures into the design and adoption of all new technologies introduced to the City environment,
including mobile devices, applications, and wireless networks. To enable business units to share
security testing information and prevent unnecessary duplication, Information Technology
Services will work with the National Institute of Standards and Technology (NIST) to develop a
security baseline within 12 months that provides standardized security requirements for mobile
and wireless adoption in the City of Detroit. A security goal is to have centralized control with decentralized
Going forward, the City of Detroit data security coordinators must pilot, document, and rapidly
scale new approaches to secure data and mobile technologies and address privacy concerns.
Such pilots and documentation will help advance the City of Detroit's security preparedness.
The City may experiment with new technologies, such as cloud computing. For example, if
applications, operating systems, and data reside in an appropriately secured cloud environment
rather than on a City device, this will limit the potential impact to an agency in the event a device
is lost, stolen, or compromised. Other opportunity areas include adopting advanced mobile device
management solutions to support continuous monitoring, strengthening identity and access
management, and accepting externally-issued credentials on public-facing websites.
As good stewards of data security and privacy, the City of Detroit must ensure that there are
safeguards to prevent the improper collection, retention, use or disclosure of sensitive data such
as personally identifiable information (PII). For now, if you are using a smartphone for business
purposes, the following controls should be evaluated and continuously reviewed:
If you have any concerns, please send an e-mail to:
Ken Jaworski: firstname.lastname@example.org or (313) 224-1313
Terrence Sims: email@example.com or (313) 224-3354
2004-2013© City of Detroit ITS/Communications and Creative Services Division