S 4.228 Using the built-in security mechanisms on PDAs

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: User

PDAs and associated applications can be protected at various points by means of PINs and passwords. The facilities offered include the following:

Access protection for the PDA

All PDAs, whichever variant is used, have some form of access control. Usually this is implemented through a password query.

Unfortunately, not all the security mechanisms offered by the manufacturer are as secure as one might wish. PDA users should therefore find out, for example on the internet, how reliable the security mechanisms provided are.

Unless better security tools are installed, the existing security mechanisms should always be used. All users should be clear about how effective these mechanisms are and especially about their limitations. Passwords and PINs should be chosen carefully, i.e. they should be long enough to ensure that they cannot be easily defeated. Under no circumstances should passwords be kept together with the PDAs.

Usually PDAs come with the password query disabled and only a trivial password preconfigured. It is imperative that, the first time the device is used, the password is changed and the password query is activated, so that, as a minimum, a password has to be entered every time the device is powered up. The same rules apply to these passwords as to passwords on other IT systems (see also S 2.11 Provisions governing the use of passwords). Under no circumstances should the password be too short or too simple.

Automatic activation of blocking/power save

Usually PDAs also incorporate the possibility of an automatic block that is activated shortly after work is interrupted. Further use of the PDA requires the entry of the relevant password. Where a power save function is offered, it must be used. The access protection should be switched on soon after user activity has ceased, for example, after a maximum of five minutes. If a longer break is foreseeable, the PDA should be directly switched off.

User information

To ensure that an honest person finding the PDA knows who to return it to, the device should be configured so that the appropriate information appears on the screen when it is switched on. In the case of privately used PDAs, the private address should, if possible, not be shown in full, so as to avoid the possibility that a thief uses this information to break into the person's home during his/her absence (the owner's calendar information will be available to the thief).

Additional security mechanisms

There are many different security mechanisms on PDAs, such as encryption or time-controlled deactivation. Which of these are provided and can be activated will depend on the particular PDA used. Hence the instruction manual should be carefully studied to see what facilities are provided. If data with a high protection requirement as regards confidentiality are to be stored on a PDA, then these must be encrypted. If the PDA does not offer any "built-in" encryption function, then an additional encryption product should be used.

When PDAs are used in government agencies or companies, it is recommended that the most important security mechanisms are preconfigured and also documented in a leaflet that is easy for the users to understand.
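One way to check that devices still match such a preconfigured baseline is shown below. This is an added example, not part of the safeguard: the PdaConfig record, its field names, the sample fleet and the minimum password length are assumptions, and only the five-minute limit comes from the text above.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_LOCK_MINUTES = 5     # from the safeguard: lock after at most five minutes
MIN_PASSWORD_LENGTH = 8  # assumption: the safeguard gives no figure; use your own policy

@dataclass
class PdaConfig:
    """Hypothetical export of one device's settings from a provisioning tool."""
    device_id: str
    password_enabled: bool
    factory_default_password: bool
    password_length: int
    auto_lock_minutes: Optional[int]  # None means the automatic block is off
    owner_banner: str                 # text shown at power-on for an honest finder
    high_confidentiality: bool        # stores data with a high protection requirement
    encrypted: bool

def audit(cfg: PdaConfig) -> List[str]:
    """Return the deviations from the preconfigured baseline for one device."""
    findings = []
    if not cfg.password_enabled:
        findings.append("password query disabled")
    if cfg.factory_default_password:
        findings.append("factory default password not changed")
    elif cfg.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password too short")
    if cfg.auto_lock_minutes is None:
        findings.append("automatic block disabled")
    elif cfg.auto_lock_minutes > MAX_LOCK_MINUTES:
        findings.append("automatic block later than %d minutes" % MAX_LOCK_MINUTES)
    if not cfg.owner_banner.strip():
        findings.append("no return information on power-on screen")
    if cfg.high_confidentiality and not cfg.encrypted:
        findings.append("high-confidentiality data stored unencrypted")
    return findings

# Constructed sample fleet: factory state, hardened, and a partly configured device.
FLEET = [
    PdaConfig("pda-01", False, True, 4, None, "", False, False),
    PdaConfig("pda-02", True, False, 12, 3, "Return to: IT service desk", True, True),
    PdaConfig("pda-03", True, False, 10, 15, "Return to: IT service desk", True, False),
]

if __name__ == "__main__":
    for device in FLEET:
        result = audit(device)
        print(device.device_id, "OK" if not result else "; ".join(result))
```

The findings strings can be copied into the user leaflet so that the documented settings and the checked settings stay the same list.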

Review questions: