S 3.405 PDA
Description
This module considers palm-size mobile end devices for the acquisition, processing and communication of data which, for the sake of simplicity, are referred to below as PDAs (Personal Digital Assistants). They come in different categories with varying dimensions and performance features, and include the following:
- Organisers used as an address book and appointment diary
- PDAs without a keyboard in which data is input via the screen (using a pointer). These devices are used primarily for recording and managing appointments, addresses and brief notes.
- PDAs in which data is input via a built-in keyboard and/or touchscreen. These devices are intended for e-mail use in addition to recording and administrating appointments, addresses and brief notes.
- PDAs with integrated mobile phone, known as smartphones, which have a built-in interface allowing data transmission. Module S 3.404 Mobile telephones is also relevant to the use of smartphones.
- Sub-notebooks are a miniature version of the "genuine" notebook, being much smaller than normal notebooks and therefore, for example, offering fewer peripherals and connection options. However, they are ideal for giving presentations, amongst other things. Where sub-notebooks are used, reference should be made to module S 3.203 Laptops.
The distinctions between the different types of device are blurred and are constantly changing as technology develops. PDA and mobile phone functions are increasingly being combined in one single device.
PDAs are typically required to support standard office applications, even when the user is out of the office. Variants of word processing, spreadsheet, e-mail and diary programs that have been modified for this purpose are available. However, PDAs are also increasingly being used for security-critical applications, for example as an authentication token for access to corporate networks (e.g. to generate one-time passwords), to store patient data or to maintain mailing lists.
This chapter considers those security features of PDAs relevant for the users when using mobile phones. This module illustrates a systematic method for creating a concept for the use of PDAs in an organisation and how its implementation and integration can be ensured.
Threat scenario
The following typical threats are assumed for the IT-Grundschutz of PDAs:
Force Majeure
T 1.15 | Degradation due to changing application environment
Organisational Shortcomings
T 2.2 | Insufficient knowledge of rules and procedures
T 2.4 | Insufficient monitoring of security safeguards
T 2.7 | Unauthorised use of rights
Human Error
T 3.3 | Non-compliance with IT security measures
T 3.43 | Inappropriate handling of passwords
T 3.44 | Carelessness in handling information
T 3.45 | Inadequate checking of the identity of communication partners
T 3.76 | Errors during the synchronisation of mobile devices
Technical Failure
T 4.42 | Failure of the mobile phone or PDA
T 4.51 | Inadequate security mechanisms on PDAs
T 4.52 | Loss of data when using a portable device
Deliberate Acts
T 5.1 | Manipulation or destruction of equipment or accessories
T 5.2 | Manipulation of information or software
T 5.9 | Unauthorised use of IT systems
T 5.22 | Theft of a mobile IT system
T 5.23 | Malicious software
T 5.123 | Bugging of indoor conversations using portable terminal devices
T 5.124 | Misuse of information on portable terminal devices
T 5.125 | Unauthorised transfer of data using portable terminal devices
T 5.126 | Unauthorised photography and filming with portable terminal devices
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of security safeguards must be implemented when using PDAs, starting in the conception phase and continuing through the purchasing phase to the operation phase. The steps to take and the safeguards to consider in each step are listed below.
- In order to be able to use PDAs securely and effectively in the government agency or company, a policy should be drawn up on the basis of the security requirements of the existing IT systems and any requirements arising from the planned operational scenarios. This should then form the basis for rules as to the use of PDAs and a set of security guidelines (see S 2.304 Security policy and rules governing PDA usage).
- When purchasing PDAs, the requirements for the particular products resulting from the concept must be formulated, and suitable products must be selected based on these requirements (see S 2.305 Selection of suitable PDAs).
- Depending on the security requirements, the software components involved (PDA, synchronisation software, software for the central management of PDAs) must be configured differently. This primarily affects the PDAs themselves (see S 4.228 Using the built-in security mechanisms on PDAs), the synchronisation environment (see S 4.229 Secure operation of PDAs) and any special software used for central PDA management, if applicable.
The secure use of PDAs also depends on the secure configuration of the synchronisation interface in particular and of any workstation computers to which the PDAs are coupled.
Appropriate security recommendations for standard workstation PCs are covered in the Layer 3 client modules.
The bundle of security safeguards for the use of PDAs is presented below.
Planning and design
S 2.218 | (C) | Procedures regarding the personal transportation of data media and IT components
S 2.303 | (A) | Determining a strategy for the use of PDAs
S 2.304 | (A) | Security policy and rules governing PDA usage
Purchasing
S 2.305 | (B) | Selection of suitable PDAs
S 4.231 | (Z) | Use of additional security tools for PDAs
Implementation
S 5.121 | (B) | Secure communication when travelling
Operation
S 1.33 | (A) | Safe keeping of laptop PCs during mobile use
S 4.3 | (A) | Use of virus protection programs
S 4.31 | (A) | Ensuring power supply during mobile use
S 4.228 | (A) | Using the built-in security mechanisms on PDAs
S 4.229 | (C) | Secure operation of PDAs
S 4.230 | (Z) | Central administration of PDAs
S 4.232 | (Z) | Secure use of extended memory cards
S 4.255 | (A) | Use of the IrDA interfaces
Disposal
Contingency Planning
S 6.95 | (C) | Data backups and other precautions relating to PDAs
© Federal Office for Information Security. All rights reserved.