The importance of cell phone and PDA policies

Cell phones and PDAs are becoming vital business tools that users want. This article points out the importance of having a cell phone and PDA policy in place to control these devices.

Technological innovations are empowering workers like never before. One need look only at new classes of cellular telephones and personal digital assistants (PDAs) to witness how powerful simple handheld devices have become.

An employee now enjoys all the power and benefits of being in the office – clear voice lines, fast Internet access, network connectivity, electronic messaging, contact and calendaring management and more – in the palm of his or her hand while on the go. New BlackBerry, Smartphone and Treo devices pack significant punch into combination cellular telephone-PDAs.

The result is no surprise: everybody wants one.

As cell phones and PDAs often fall under the realm of the Information Technology department, IT professionals are being tasked with allocating costs, supporting various platforms and even determining which employees are eligible to receive organization-provided cell phones and PDAs. In addition, IT pros are being forced to manage the crisis that inevitably arises when an executive's PDA, packed with confidential and proprietary data, becomes lost.

Security biggest threat

The security threats today's cellular phones and PDA devices pose may be their greatest administrative challenge. More than 85,000 cell phones and 21,000 PDAs and PocketPCs were left in Chicago cabs during just a six-month period in 2004, according to a survey released by mobile security company Pointsec.

According to Pointsec, the average mobile device holds 80 MB of data. While a seemingly low amount, that's enough to jeopardize 6,000 Microsoft Word documents, more than 700,000 e-mail messages, 360,000 contacts or 7,200 compromising images per lost device. That's a lot of data to lose, especially if it ends up in the wrong hands.

More disconcerting is the fact that the problem is getting worse. Data from the company's London surveys show lost cell phone and PDA cases have increased 350 percent since 2001.

Technology solutions can help

New mobility features in Microsoft Exchange Server 2003 SP2 enable remote wiping, or remotely triggered destruction, of data on lost handhelds. The key, of course, is to properly configure devices beforehand to ensure data can be remotely destroyed in the event a device is lost or stolen.

Other technology solutions are also available for helping protect the contents of a cell phone/PDA. Software manufacturers, such as Credant Technologies, GuardianEdge Technologies, Utimaco Safeware and Pointsec Mobile Technologies, can encrypt cell phone/PDA data, making it much more difficult for unauthorized parties to access data on a lost or stolen device.

But technological solutions aren't foolproof. Nor do they settle who is responsible for selecting the organization's PDA platform, which employees are eligible to receive organization-provided cell phones and PDAs, or who pays the bills those devices generate. They also do little to ensure employees use these devices as intended, for business purposes only.

That's where policies come in.

Policies cover multitude of sins

A well-crafted cell phone and PDA policy can eliminate the various administrative headaches that so often arise with these devices in corporate environments. For help gauging your organization's need for such a policy, review TechRepublic's Cell Phone & PDA Vulnerability Assessment.

The interactive Microsoft Excel spreadsheet presents several criteria; provide rankings, according to level of importance within your organization, and you'll be rewarded with a total score you can use to make a more objective determination. And, should you decide a policy is required, the assessment provides some additional justification for rolling out the policy.

When preparing a cellular phone and PDA policy, be sure to address all of the following issues:

  • The process for determining which employees are eligible for organization-provided cellular telephones and PDAs
  • Statements indicating that organization-provided cell phones and PDAs are to be used only for fulfilling business tasks and responsibilities
  • Acknowledgement by the employee that organization-provided cell phones and PDAs remain the organization's property, although employees are responsible for replacing the devices if lost or stolen
  • No cellular phones or PDAs may be connected or synchronized with organization-provided computers, laptops, servers, systems or networks without the prior written consent of the Information Technology department manager
  • No proprietary, sensitive or confidential data is ever to be stored on a cell phone or PDA
  • Lost, misplaced and stolen cell phones and PDAs should be reported to the Information Technology department immediately upon discovering that the device is missing
  • Potential penalties resulting from violations of the organization's cell phone and PDA policy

For help creating your policy, check out TechRepublic's Cell Phone & PDA Policy. The ready-made template can be used as-is or customized to meet your organization's specific needs.

Remember, too, that just rolling out the policy won't eliminate risks. The Information Technology department must diligently enforce the policy.

You can quickly implement a Cell Phone and PDA policy in your organization by downloading TechRepublic's Cell Phone and PDA Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.
