| > |
In a nutshell, there are physical security, data encryption, security policy, and user awareness issues to be concerned with here. There are so many things to cover here, it will be difficult to go in-depth in all of these areas. I have bulleted some key items to consider for each area below. Beyond these, stay tuned to SearchMobileComputing.com for more information on these areas in the near future.
Before you start with any of this, you'll need to perform a risk assessment to document exactly what you're trying to protect on your PDAs along with the associated threats and vulnerabilities. This will help you in establishing your physical security and encryption requirements as well as determine what to include in your security policies and in your training programs for your end users.
Physical Security
- Physical security for PDAs could be considered the weakest link in the PDA information security chain.
- Most, if not all, of the physical security of PDAs is dependent upon the end user (see User Awareness Issues below).
- Must consider possibility of user installing malicious software on PDA via synchronization, infrared beaming, or network access that ultimately finds its way to the inside of your network.
Data Encryption
- If it's available, turn on encryption for both data stored on the PDAs as well as data transmitted via wireless. Don't focus so much on encryption algorithms and key lengths. 128-bit encryption is more than enough for now. Consider 3rd party products for encryption above and beyond the built-in options if necessary.
- You may also want to consider using biometric, smart card, or digital certificate authentication add-ons to supplement usernames/passwords for stronger authentication.
Security Policies
- First off, make it policy for your company to purchase the PDAs. This will really help with policy enforcement down the road.
- Key policies to consider are ones that define minimum password complexity, encryption requirements, anti-virus software requirements, physical security requirements, data backup requirements, data ownership, software installation, and what software/data/equipment must be surrendered if questions or conflicts arise.
User Awareness Issues
- Explain to your end users that PDAs are no different, and should be treated no differently than, any other computer that accesses or stores business information.
- Train your users on how to securely use the devices (encryption, logging in, etc.).
- Explain the risks of using PDAs in your business setting
Outline the consequences of not adhering to policies
Keep them informed and updated on changes.
|
|
