This section of the guidelines covers the types of mobile services which social security institutions might offer, and their technological and organizational implications. These may vary according to the current level of deployment of mobile technologies in the country and institution concerned. The five guidelines which follow will assist those responsible for developing mobile services to focus on the technical decisions and choices to be made. They take account of success stories in both social security and other types of institutions, and of all existing technologies.

The institution establishes mechanisms to enforce security policies in ICT operations.

This includes software and patch management, protection against computer viruses and malicious codes, administration of operating systems and backups.

The institution implements security measures in software application development, especially for Internet-based applications.

The institution includes security measures in networks and communication systems, especially those linked with critical systems and information resources.

This involves the security of local area networks, the Internet, and wireless, FTP, email and mobile technologies and systems.

The institution incorporates security measures in its database systems, especially those storing critical data.

This involves: database administration procedures and practices; system accounts, privileges and roles; identification of users of applications; and database infrastructure.

The institution implements a comprehensive system to control access to technological equipment and devices and software systems.

This includes mechanisms for data access control, endpoint access control, authentication and identification, user privilege management, network access control, password management and logs.

The institution establishes security measures to enforce data privacy policies for personal and sensitive data in particular.

This covers specific security issues affecting the implementation of a global system for the protection of privacy and personal data, and measures specifically related to privacy and personal data (covering both routine files containing personal data and sensitive personal data files).

The institution establishes policies on data privacy management based on the corresponding regulations.

This refers not only to national regulations but also to requirements related to international data exchange.

The institution establishes an information security management framework which defines the main procedures, duties and responsibilities in this domain.

This section of the guidelines provides a high-level reference point for the management of information security and privacy in social security institutions. The eight guidelines which follow form a starting point from which institutions can develop their own policies and plans, and will assist in addressing the challenges of information security through a consistent and standards-based approach. They are also intended to raise awareness of the security risks to information assets and to indicate how to deal with them.