The institution establishes a legally valid, efficient and secure means of maintaining an association between a user and a mobile device when a transaction is performed.

Such user identification will be required for several intermediate and advanced services.

The institution develops mobile-based services according to institutional plans, taking into account the main types of user interaction and system integration approaches.

The institution establishes a framework for the application of mobile technologies which defines the main procedures, duties and responsibilities, and technical standards, and includes an application strategy plan.

The application strategy could be a medium-term, three- to five-year plan.

This section of the guidelines covers the types of mobile services which social security institutions might offer, and their technological and organizational implications. These may vary according to the current level of deployment of mobile technologies in the country and institution concerned. The five guidelines which follow will assist those responsible for developing mobile services to focus on the technical decisions and choices to be made. They take account of success stories in both social security and other types of institutions, and of all existing technologies.

The institution establishes mechanisms to enforce security policies in ICT operations.

This includes software and patch management, protection against computer viruses and malicious codes, administration of operating systems and backups.

The institution implements security measures in software application development, especially for Internet-based applications.

The institution includes security measures in networks and communication systems, especially those linked with critical systems and information resources.

This involves the security of local area networks, the Internet, and wireless, FTP, email and mobile technologies and systems.

The institution incorporates security measures in its database systems, especially those storing critical data.

This involves: database administration procedures and practices; system accounts, privileges and roles; identification of users of applications; and database infrastructure.

The institution implements a comprehensive system to control access to technological equipment and devices and software systems.

This includes mechanisms for data access control, endpoint access control, authentication and identification, user privilege management, network access control, password management and logs.

The institution establishes security measures to enforce data privacy policies for personal and sensitive data in particular.

This covers specific security issues affecting the implementation of a global system for the protection of privacy and personal data, and measures specifically related to privacy and personal data (covering both routine files containing personal data and sensitive personal data files).