S 2.304 Security policy and rules governing PDA usage
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Once the decision has been taken to use PDAs in an organisation, these must be integrated into the general security strategy.
A number of different ways of protecting PDAs against misuse are available. In order to ensure that these possibilities are actually used, a security policy specifying all security mechanisms to be implemented should be drawn up. Every organisation should make a point of knowing the opportunities and risks posed by the use of PDAs. There are two primary security aspects here:
- the security of the data held on PDAs and
- the effect of PDA usage on the security of other IT systems within the organisation.
In addition, a short, clear instruction sheet covering the secure use of PDAs and based on the PDA security policy should be prepared for the users.
Protection against misuse
The fact that PDAs are easy to transport and inconspicuous is an advantage not just for the owner but also for a thief. Hence, PDAs must always be kept secure. They should never be left unsupervised during business trips. In particular, they should not be left in vehicles.
Virtually every variant of PDAs and organisers can be protected against unauthorised access through PINs or passwords. Unfortunately, not all the security mechanisms offered by the manufacturer are as secure as one might wish. Hence, PDA users should find out, for example on the internet, how reliable the security mechanisms provided are.
As long as no better security tools are installed, however, the security mechanisms that are provided should always be used (see also S 4.228 Using the built-in security mechanisms on PDAs). All the users should be clear about how effective these mechanisms are and especially about their limitations. Passwords and PINs should be chosen carefully, i.e. should be long enough to ensure that they cannot be easily defeated. Under no circumstances should passwords be kept together with the PDAs.
Raising user awareness
All PDA users should be informed not only about the benefits of PDAs but also about potential risks and problems relating to their use and about both the benefits and limitations of the security safeguards used.
New security gaps in the operating systems used on PDAs (for example Palm OS, Windows CE, Windows Mobile, Symbian OS) are constantly coming to light, so the IT security management should stay informed about the latest risks. If necessary, it may be appropriate to inform the employees at regular intervals about the latest dangers that have been published and thus to make them fully aware of the issues.
Rules on the use of PDAs
General rules
Usually data is less well protected on a PDA than on the regular IT systems within the organisation. Irrespective of whether the PDAs used have been purchased privately or by the business, the employer should issue rules in writing on the following topics:
- what data may not be stored on a PDA
- the fact that data should not be input or retrieved just anywhere, as other people might be able to read it as well
- how, when and by whom data backups of PDAs are to be carried out
- under what technical operational conditions PDAs may be used. These include in particular the specification of security safeguards, the selection and installation of the necessary security hardware and software, as well as specifications for the secure configuration of the affected IT systems.
If possible, PDAs should not be left unattended. If a PDA must be left in a vehicle, the device should not be visible from the outside. The device can be covered or locked up in the boot. A PDA is of sufficient value to attract potential thieves.
If PDAs are used on site in third party offices, the security policies of the visited organisation must be observed.
PDAs should not be left unprotected in external premises such as hotel rooms. All password protection mechanisms should be enabled at this point, at the latest. Locking the device up in a cabinet will discourage casual thieves.
Use of private PDAs
When private PDAs are used in a government agency or company, the following points need to be regulated amongst others:
- If PDAs are to be used intelligently, then generally they need to be synchronised with a PC, for example, for the appointments calendar, address books, e-mail support etc. Hence, clarification is required as to whether installation of the necessary hardware and software is permitted and, if so, who will install it. This should not be left to the users themselves.
- Clarification is required as to the extent to which user support should provide assistance in case of problems arising from the use of private PDAs. It should also be decided in advance how private PDAs will be integrated into the IT strategy of the organisation.
Use of work PDAs
Where work PDAs are used, the following are some of the points that need to be regulated:
- Clarification is required as to whether work PDAs may be synchronised with private PCs. Although this will facilitate the setting of appointments, it could result in malicious software being introduced into the office systems, and internal documents could end up on private PCs.
- Users should be informed as to the care they should take with their PDAs to avoid loss or theft and to ensure that the equipment has a long service life (e.g. looking after batteries, storage of PDAs outside office or home premises, sensitivity of equipment to excessively high or low temperatures).
- The administration, maintenance and passing on of PDAs should be regulated.
Integration into other security solutions
Where PDAs are used, it is not only necessary to consider whether the use of security software to protect the PDAs would be a good idea, but also how the PDAs will interact with the security software of the operational environment. Two examples will illustrate some of the issues:
- A user frequently reads and writes e-mails that are encrypted and/or signed on her desktop PC. She would like to be able to use her PDA to deal with e-mail when she is out of the office. However, for various reasons she has problems in processing encrypted or signed e-mail on her PDA. Thus, for example, up to now there have been very few encryption or digital signature applications that are compatible both with the commonly used e-mail programs on office systems and also on PDAs. Moreover, such applications often entail the use of chip cards or other security tokens as secure memory for the cryptographic keys required. Very few PDAs can be extended to include a chip card reader. Moreover, many PKI applications are server-based and therefore require access to a server, for example, to check certificates or retrieve the public keys of communication partners.
- In the company, all data, both on clients and servers, are held encrypted, without exception. If users now wish to transfer internal data to their PDAs, it can happen that they only realise when they are out of the office that they have loaded access-protected files which they cannot read on the PDA. This is the best case as regards the confidentiality of the data. Typically the data transferred to the PDA is not encrypted there or only weakly encrypted, so that it is less strongly protected than on the internal systems.
It is therefore imperative that such cases, and also the integration of PDA applications into other security software in the company, are dealt with in the PDA security policy so as to avoid the situation where the prescribed security level is reduced as a result of PDA usage.
Where necessary, ban the use of PDAs
The question of whether the use or even the carrying of PDAs should be restricted in all or certain areas of the company/agency should be considered. This could be sensible, for example, if the recording of conversations or taking photographs is to be banned.
If the organisation's IT security policy does not allow extraneous IT systems such as PDAs to be brought into the building, clear notices to this effect must be placed on all the entrances. Checks should then be made at regular intervals to ensure that the policy is adhered to. In this case, facilities should be provided allowing mobile phones, PDAs or notebooks that visitors have brought with them to be securely held. For example, lockers could be provided at the entrances.
Review questions:
- Is there an up-to-date PDA security policy that describes all security mechanisms to be implemented?
- Are the passwords and PINs for use of PDAs complex enough and are they stored separately from the PDA?
- Does IT security management stay informed about the latest risks relating to the use of PDAs and are the employees also informed, if required?
- Use of work PDAs: Is the administration, maintenance and passing on of PDAs regulated?
- Is the integration of PDA applications into other security software regulated in the PDA security policy?