S 2.305 Selection of suitable PDAs

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Purchasing Department, Head of IT, Administrator

There are numerous types and device classes of PDAs. These not only differ in terms of their dimensions and functional range, but also in terms of their security mechanisms and ease of use. In addition, they place different requirements on hardware and software components in the operational environment.

Given the large number of different PDA models equipped with a wide variety of operating systems, compatibility issues regarding hardware, software on PDA and PC, as well as interfaces are natural.

If the use of PDAs has been decided on within an organisation, a list of requirements should be drawn up that can be used in order to evaluate the products available on the market. The products to be purchased should then be selected based on the evaluation. Based on various requirements for use, it has been shown in practical applications that it may be perfectly sensible to select several types of devices for purchase. The variety of devices should be limited, though, to simplify support.

Moreover, steps should be taken to ensure that facilities are available for the central, effective administration of the individual end devices and the software used on them. The necessary server infrastructure should require as little administrative effort as possible.

Some functions on PDAs can only be used in conjunction with external service providers. No internal data should be exchanged via an external service provider unless the confidentiality and integrity of the data can be guaranteed. For example, although transmissions over a cellular network are usually encrypted ("air interface"), the data is then often transmitted unencrypted within the network of the mobile communications provider and stored unencrypted on the server of the service provider. In case of doubt, such services should therefore not be used.

Initially, a requirements analysis should be performed. The goal of the requirements analysis is to determine possible operational scenarios which come into question for the specific case on the one hand, and to derive the requirements for the necessary hardware and software components from these on the other hand.

The following list provides an overview of possible general evaluation criteria, but it is by no means complete and additional general requirements may be added to it.

General criteria

• Maintainability
  • Is the product simple to maintain?
  • Does the vendor offer regular software updates?
  • Is it possible to conclude maintenance contracts for the product?
• Reliability/failure safety
  • How reliable and fail-safe is the product?
  • Is it possible to use the product in continuous operations?
  • Is a backup mechanism integrated in the product?
  • Can any automatic data backup be carried out?
• User-friendliness
  
  • Can users use the systems effectively, securely and without errors without extensive training?
  • Is it possible to configure the software synchronisation in such a way that as far as possible users do not have to bother with technical details?
  • Is security still guaranteed if this is the case? Are the dimensions and weight reasonable in relation to the intended purpose? Is the battery life adequate for daily work?
• Cost
  • How much do the hardware and software cost to purchase?
  • What are the expected ongoing costs of the hardware and software (maintenance, operation, support)?
  • What are the expected ongoing personnel costs (administrator/support)?
  • Do additional software or hardware components need to be purchased (e.g. docking station, conversion software)?

Functions

• Installation and initial operation
  Is the product simple to install, configure and use?
  • Can the device and the synchronisation software be configured so that the defined security objectives can be achieved?
  • Can important configuration parameters be protected against modification by unauthorised users?
  • Does the product work with commonly available hardware and software (operating systems, drivers)?
• Administration
  • Does the documentation delivered with the product contain a full description of all the technical and administrative details?
  • Can PDAs be administered using a centrally controlled management software package? Is the administrative interface designed so that attention is drawn to any incorrect, insecure or inconsistent configuration settings or so that these are prevented?
• Logging
  • Does the product offer logging facilities?
  • Is it possible to configure the amount of detail logged?
  • Is all the relevant data captured by the logging?
• Communication and data transmission
  • Does the PDA support all the necessary data transmission technology (e.g. infrared, Bluetooth or GSM)?
• Security: Communication, authentication, and access
  • Does the PDA have suitable mechanisms for identification and authentication of the users?
  • Can data be transmitted securely to other terminal devices with the product? Does this apply to all interfaces, e.g. including wireless connections?
  • Can additional security mechanisms (e.g. encryption or virus scanning programs) be used?
  • Does the product architecture allow subsequent installation of new security mechanisms?
  • Are mobile users granted access to local terminal devices only after successful authentication?
  • Are there any user-friendly facilities for backing data up?

Even though the IT management may have decided on a particular product, it is to be expected that some employees will prefer other PDAs and attempt to use them at work and possibly even seek support for them. A suitable procedure should be defined to cover such cases.

Review questions:

• Before purchasing PDAs, is a list of requirements drawn up that can be used in order to evaluate and select the products?
• Has it been ensured that facilities are available for the central, effective administration of PDAs and associated software?
• Has it been ensured that no internal data can be exchanged on the PDA via an external service provider?