Educause Security Discussion mailing list archives

Confidential information and Smartphone Policies? was RE: Your thoughts about smart phone ...


From: James H Moore <jhmfa () RIT EDU>
Date: Thu, 4 May 2006 16:45:58 -0400

We are finalizing a standard that covers PDAs, smart phones, and similar
devices.

In the Educause archives, we found 3 policies, Georgetown, East
Carolina, and Azusa.  We fashioned something that is kind of a
combination.  Does anyone else have standards in the PDA and smart phone
area? Can you send me a link, or the document?  Are PDAs and Smart
phones covered in Data Classification and Handling policies?

Thanks for your help.  I will summarize to the list.

Jim 

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)



"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio






-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Tuesday, May 02, 2006 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Your thoughts about smart phone access to privileged
accounts?

What are your thoughts regarding the use of smart phones to
access elevated privilege accounts by administrators and
other privileged users over a wireless VPN?

We're getting requests for such use. Although known incidents
with such devices are rare, the technology is new and changing
rapidly and I'm not sure that we know enough about the
technology, attack points, and how people will use them (e.g.
application downloads, local storage of sensitive data like
passwords, etc.) to perform any kind of accurate, formal risk
assessment. Ergo, I lean toward the conservative and would
tend to view use of such technology for access to accounts
having global access to organizational data premature without
a *strong* demonstrated benefit of doing so. Customer service
is the benefit being used to justify the access.

On the other hand, can they be any worse than using
a Windows PC? :)


-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
