This excerpt is from Chapter 4, "When a Handheld Becomes Information Security's Problem," of PDA Security, written by David Melnick, Mark Dinman, Alexander Muratov and Robert Elfanbaum and published by McGraw-Hill Professional. You can download Chapter 4 here for free.
What exactly is the risk that PDAs present to the Enterprise? Before you answer that question and start looking for solutions, you must go through a risk-management planning exercise. This exercise will help you assess what is at risk and what needs to be done to monitor and control the risk to your organization.
The following section examines how to assess potential risks, covering these topics:
- Risk item identification.
- Risk analysis.
- Risk response planning, monitoring and control.
It seems intuitive that due to the portable nature of PDAs, they can easily be lost or stolen. However, without going through some risk management, one cannot entirely understand how a lost PDA can threaten the Enterprise or its customers.
Risk Item Identification
The first step is to identify who is potentially exposing the Enterprise to risk. In the case of PDAs, the organization should get a handle on how PDAs are entering, what types of employees or groups are using them, and how they are using them. Key questions to study include:
- How are handhelds getting into your Enterprise?
- Are they coming in as personal devices, or are they part of corporate purchases and application deployments?
- What types of employees are using them? What are their roles and responsibilities?
These initial questions should be studied as you formulate strategies to address the risk that handheld devices might pose to your organization.
Once your organization understands how handhelds are coming into the Enterprise and who is using them, you can begin studying which type of information is at risk. In most cases, this consists of understanding how the various employees are using handhelds in their ongoing business activities. Is it mostly individuals who have purchased their own PDAs and use them primarily for personal information management (PIM) applications? Or are groups deploying vertical applications on handhelds for mobile workers?
At the core of your analysis will be a handheld risk classification document, which will be illustrated as we sum up how to assess overall vulnerability. The classification, similar to a data classification exercise, allows an organization to build a matrix including categories such as device types and information assets in order to understand the related risk factors determining an organization's overall vulnerability.