S 6.95 Data backups and other precautions relating to PDAs

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, Administrator

There are a number of reasons why a PDA could fail or its operational capability could be impaired. Naturally, this is especially annoying when it is needed urgently or important data are lost because it is unserviceable. Therefore, corresponding precautions should be taken in advance in order to prevent a failure and/or minimise the problems.

The state of charge and functional condition of the PDA battery should be checked regularly (see also S 4.31 Safeguarding the power supply of mobile phones).

All data stored on the PDA such as telephone book entries, notes, etc. should be backed up to another medium at regular intervals so that they can be recovered if need be. A number of possibilities are available here:

• The most important settings such as passwords and the configuration of security mechanisms should be documented in writing and kept securely in accordance with their protection requirements.
• The PDA should be synchronised with a PC on a regular basis, so that calendar entries, addresses and the like can be rapidly and conveniently aligned with those on the PC. However, this is no substitute for a full backup.
• A full backup of the PDA should therefore be carried out at regular intervals with another IT system, e.g. a notebook or a desktop.
• The PDA may also be connected to another IT system, e.g. a notebook or a desktop, and the data to be backed up can be exchanged this way (see also S 5.121 Secure communication when travelling).
• As the available memory space is limited on PDAs, most models can be extended with external storage media (see also S 4.232 Secure use of extended memory cards). Memory cards that have the advantage that they can be rapidly changed are widely used for this purpose. These can also be used to make backups out of the office, which is strongly recommended where a PDA user is frequently absent for long periods so that IT system and PDA are not synchronised for extended periods. As in the case of backups in general, these memory cards must also be stored securely. If the memory cards could be left unattended in the PDA or elsewhere, unauthorised persons could use them to load the data stored on them onto a similar system. When the memory card is then returned to the original machine, there will be no trace of the operation left behind.
• All data stored on replaceable memory cards must itself be protected, at the latest during the next synchronisation.

On most PDAs, the operating system is held in a flash memory which frequently also has sufficient space for a backup of at least the most important data such as that of the Personal Information Manager. Depending on the manufacturer, tools for doing this conveniently are either supplied with the equipment or can be purchased as add-ons. It should be noted here that after a complete reset all data outside the flash memory is deleted, i.e. including all the passwords for access protection. This means that an attacker could easily gain access to the flash memory and the data stored there. Before a PDA is relinquished, e.g. for repair purposes or to be given to another user, all data including the data in the flash memory should therefore be deleted.

If a PDA needs to be continuously available, a replacement battery should always be carried.

Repair

With a PDA, the entire device or only individual components may be faulty. The repair should only be performed by trustworthy specialised companies. For this reason, there should be an overview of corresponding specialised companies.

Many dealers offer replacement devices for the duration of the repair work. For fast-paced devices such as PDAs, repair often is not worthwhile, and so an alternate device sometimes is offered. Since a PDA in particular should be available continuously, only mobile phones and/or dealers offering such services should be selected.

Before the PDA is handed over for repair, all personal data should be deleted from the device, i.e. stored e-mails and the telephone book (see also S 2.4 Maintenance / repair regulations), to the extent this is still possible. The data should be backed up in advance, of course. Expansion cards should also be removed.

Review questions:

• Is the state of charge and functional condition of the PDA battery checked regularly?
• Is the data stored on PDAs backed up regularly?
• Is all data deleted before a PDA is handed over?