Re: Cell Phone Pin Policy

["Patria, Patricia" <PPatria () BENTLEY EDU>]

Hi George,



We have a policy that requires PINs for all employees that connect to our Blackberry Enterprise Server or Active Sync 
server. The full policy can be viewed at http://info-privacy.bentley.edu/policy/handheld-device-policy.



We don't yet have a hands free policy, but Nick’s points below are very valid and could be incorporated into a policy 
to reduce your exposure.



Patty



Patty Patria
Chief Information Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 |781.891.2364





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nick 
Recchia
Sent: Friday, July 16, 2010 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cell Phone Pin Policy

Hi George,

1) We do not have a phone/mobile device pin policy in place; however, I am interested to see who may currently have one 
in place, or considering such an implementation.

2) Regrading the concern of hands free, etc. In California we already have a 
law<http://www.dmv.ca.gov/pubs/vctop/d11/vc23123.htm> in-place requiring hands free use while driving. Even when a 
phone/mobile device is locked, it will allow incoming calls to be answered. If one is planning to use the device to 
make a call, one can unlock it before starting the car (mount the phone, etc). Configuration settings can also be put 
in place allowing the phone to stay unlocked for varying time periods (when a phone is not holstered; i.e. Blackberry).

Other thoughts?

--
Nicholas Recchia
Security Administrator
University of San Francisco

On Fri, Jul 16, 2010 at 10:20 AM, Finney, George <gfinney () mail smu edu<mailto:gfinney () mail smu edu>> wrote:
Our University is considering activating a group policy (for those phones recognizing Active Sync policies) to require 
a PIN before accessing the contents of the phone (including personal phones).

First Question: Do any of your schools have a policy in place that requires a pin for smartphones.

Second Question: If you do have a cell phone pin policy, does that policy also address how you use your device; i.e. 
Not using it while driving or using a hands free device while driving.

There have been some concerns that requiring a pin may create additional exposure for the University, since drivers may 
be more distracted while typing in their pins than they otherwise would have been.


George Finney, J.D., PMP, CISSP
Information Security Officer and Director of Digital Interests
Southern Methodist University