S 2.303 Determining a strategy for the use of PDAs

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: IT Security Officer

Before any PDAs are used in an organisation, it is necessary to determine what general strategy the organisation will adopt with regard to use of the devices. In particular, the following questions need to be answered:

The question as to the purposes for which PDAs are to be used is especially important for later decisions, as it can have a decisive influence on the choice of devices to be purchased and in any case must be taken into account when drawing up the security policies and rules for PDA usage.

Classification of data

Every user and every organisation should consider what data should be allowed to be held on a PDA and what protection requirements these data have. In a company or government agency, this should be clarified not just as regards the data on PDAs but generally. Some application fields and business processes will generate data which have a higher protection requirement or are subject to special restrictions, e.g. personnel-related, financial, confidential or copyright-protected data.

Hence, every kind of data in the organisation should be categorised according to how much protection is required and what restrictions need to be observed when handling these data (for further information on this point, see also S 2.217 Careful classification and handling of information, applications and systems).

To ensure that employees are able to handle these classifications properly, it is recommended that they be given easily understood tables and examples that explain what types of data may be held or processed on the various IT systems or applications and to whom these data may be passed on.

Use of private PDAs

If there are not enough PDAs to go round or there is a lot of user pressure, it is possible that private PDAs could be used for business purposes. However, the IT security management or persons responsible for IT should in every case ensure that private usage within the organisation is not permitted without limits, but is clearly regulated. If PDAs are only to be used for applications like appointment and address administration or for e-mail communications, then normally the use of private PDAs can be allowed unless other reasons dictate otherwise.

If the PDAs are to be used for an application which means that the devices require strong protection, then it is highly questionable whether the use of private PDAs should be permitted for this. The reason for this is that private devices are largely outside the control of central configuration and administration, so that it is virtually impossible to guarantee an acceptable level of security for the devices. It is therefore strongly recommended that the use of private PDAs is forbidden in this case.

When making the decision, it should also be borne in mind that the decision to allow private PDAs could have repercussions on an organisation's IT strategy at some future date.

Example:

In one company, no PDAs were purchased for employees, but they were allowed to purchase their own private devices and to connect them to their work PCs. When the company migrated the PCs from Windows NT to Windows 2000, it turned out that Windows 2000 did not provide any suitable drivers for the existing PDAs. As a result of massive complaints from the users, the company was faced with choosing between paying for new PDAs for the users and continuing to provide them with NT-based PCs.

Where a policy decision is taken to ban the use of private PDAs for business purposes and not to allow them to be brought into the office, it should be borne in mind that such bans have to be monitored and could also prove ineffective.

The decision should be documented along with the rationale behind it and communicated to the employees in a suitable way.

Review questions: