Although Gartner Dataquest estimates that about 75 percent of personal digital assistants (PDAs) purchased worldwide were sold to individuals buying them with their own funds, analyst Todd Kort expects PDA growth in the corporate market. "The increasing capabilities of these devices and the growing availability of wireless technologies are beginning to stimulate large corporate purchases as solid productivity gains are realized, based on applications such as wireless e-mail or accessing corporate databases from remote locations,” Kort wrote in April 2002.
At the same time they increase productivity, PDAs and other handheld devices also create security and administrative headaches. Employees can easily break the devices, lose them, or have them stolen. The equipment must be replaced (unless the employee was assigned personal responsibility for it), and the data on the device may be compromised. In some cases, only contact information is lost; in more serious situations, it is sensitive corporate data or the credentials that give access to the network.
Set clear expectations and rules
To see how one IT department handles the novel problems that PDAs pose, download this sample policy. It’s based on a submission by TechRepublic member Antoinette L. Taylor, who is a solution center supervisor and certified help desk manager. This sample policy clearly states which devices IT will support, the extent of its support, and employee responsibilities for security.
In this sample policy, the IT department supports only selected Compaq and Palm PDAs. The department will assist users in syncing the devices and in using the Outlook e-mail client, Word, and Excel.
The document also explains the reasons behind various aspects of the policy. For example, departments will purchase devices for their employees, so that "the company can ensure that its policies regarding personal and company-owned information are implemented, thereby improving security and information management."
The policy explains why it's important for employees to send broken PDAs to the IT staff, rather than taking the units to a retail service center themselves. Because broken PDAs are often scrapped rather than repaired, the help desk has to erase all data from the device before it's sent to the manufacturer for service.
Common policy points
This sample policy is a good starting point for developing an individualized set of rules for PDA use at your company. In addition to support issues, your policy should include other aspects of use, such as security and sync frequency.
Rebecca Taylor (no relation to Antoinette), a senior product manager at Palm, Inc., who has worked extensively with security issues, said that the SANS Institute, an IT research and educational organization, is a good source for basic policy information. For example, SANS says that employee rules of behavior are an important part of any PDA security policy. A basic policy might include rules like these:
- Use the device for company purposes only.
- Always encrypt sensitive data.
- Never leave the device in a public place.
- Always lock the device when not in use.
- Use passwords and change them regularly.
- Sync and backup data regularly.
Rebecca Taylor said that a password policy might spell out these specific requirements. “You have to have a password; it has to be eight characters in length; those characters have to be alphanumeric; and you have to change them every 30 days.” Some companies may also specify second levels of password protection to access particular applications.
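The requirements quoted above become useful only once something enforces them. The following is an added example (not code from the article, from Palm, or from the sample policy) that turns those four rules into a check run when a user sets a password, plus a rotation audit run against the dates of the last change. It reads "alphanumeric" as "must contain both letters and digits", which is an interpretation; the 8-character minimum and 30-day limit are the figures quoted. The user records and dates are constructed for the example, and only last-change dates are audited, so the audit never needs stored plaintext passwords.

```python
from datetime import date
from typing import Dict, List

# Policy parameters taken from the requirements quoted in the text.
MIN_LENGTH = 8        # "it has to be eight characters in length"
MAX_AGE_DAYS = 30     # "you have to change them every 30 days"


def check_password(password: str) -> List[str]:
    """Run at the moment a user sets a password.

    Returns the list of policy violations; an empty list means compliant.
    Interpretation (assumption): "alphanumeric" = at least one letter AND
    at least one digit, rather than "letters and digits only".
    """
    problems: List[str] = []
    if not password:
        # No point evaluating the other rules on an empty string.
        problems.append("password is required")
        return problems
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("must contain at least one letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least one digit")
    return problems


def is_expired(last_changed: date, today: date,
               max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than max_age_days.

    Day 30 is still valid; day 31 is expired (assumed reading of
    "change them every 30 days").
    """
    return (today - last_changed).days > max_age_days


def audit_rotation(last_changed_by_user: Dict[str, date],
                   today: date) -> List[str]:
    """Return the users whose passwords are due for rotation, sorted by name.

    The audit needs only last-change dates, never the passwords themselves,
    so it can run against a directory or help-desk record without touching
    secrets.
    """
    return sorted(
        user for user, changed in last_changed_by_user.items()
        if is_expired(changed, today)
    )


# Constructed sample records for the example (not real users or dates).
SAMPLE_LAST_CHANGED: Dict[str, date] = {
    "alice": date(2002, 4, 15),   # 17 days old on 2002-05-02: fine
    "bob":   date(2002, 3, 20),   # 43 days old: overdue
    "carol": date(2002, 4, 2),    # exactly 30 days old: still valid
}


if __name__ == "__main__":
    for candidate in ["", "abc12", "abcdefgh", "12345678", "Tr0ub4dor9"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
    print("due for rotation:", audit_rotation(SAMPLE_LAST_CHANGED, date(2002, 5, 2)))
```

Run `check_password` wherever the password is set (the device, the sync software, or the directory the messaging server authenticates against) and keep only a hash plus the change date; the rotation audit then runs against the dates alone. The same function can back the "second level" of password protection for particular applications by calling it again with a separate minimum length if the policy demands one.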
Security becomes more complex if the employees can connect to the network through their PDAs. “For 802.11, the policy may be to require users to connect into the corporate network with a VPN,” Taylor said.
Some companies may also monitor PDAs to ensure that they contain only required and authorized software. In addition, they may require employees to sync the devices regularly to ensure that the data on the PDA doesn’t become outdated.
Consistency is the key
As Gartner and other analysts have noted, it’s important for companies to own the devices if they expect to be able to enforce these kinds of policies. “Allowing noncompany, unmanaged devices to access corporate data and networks creates a totally untraceable scenario,” Gartner noted in its October 2001 report "Mobile and Wireless Security: Worst and best practices." “The enterprise might never know if information was lost or misused. If a problem was discovered, there would be no way to trace and close down the source of the leak.”
Rebecca Taylor advised IT leaders to be as consistent as possible with other corporate policies. “If there are corporate security management policies already in place, if possible, extend the same policies to the handheld,” Taylor said. For example, a wireless messaging server can authenticate against existing user directories. “You don’t want to create two user directories and think, if John leaves, I have to delete him from this one, and then this one.” (As Tim Landgrave noted in a recent article, however, other aspects of the move toward single sign-on passwords require additional vigilance.)
Strong policies, combined with products such as encryption software, can make even wireless PDAs fairly secure. “Everything you need to secure your handheld is available today, but may not be from the same vendors you use on your desktop,” Rebecca Taylor said. She suggested visiting your PDA manufacturer’s Web site for a listing of partners selling security products for the device. (Also check out this TechRepublic roundup of encryption options for PDAs.)