I. Title

A. Name: Policy on Server-Managed Personal Digital Assistants (PDAs)

B. Number: 20080407-serverpda

C. Author: M. Muth (ISC N&T)

D. Status:

[ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2007-09-12

F. Date revised: 2009-01-12

G. Date approved: 2008-04-07

H. Effective date: 2008-04-15

II. Authority and Responsibility

Information Systems and Computing is responsible for the operation of Penn's data networks (PennNet) as well as the establishment of information security policies, guidelines, and standards. This office therefore has the authority and responsibility to develop a policy in response to the significant privacy and compliance risks associated with confidential University data contained on or accessed by personal digital assistants (PDAs).

III. Executive Summary

This policy establishes requirements for protecting confidential University data contained on or accessed by PDAs managed by University servers, whether those devices are owned by individuals or the University.

IV. Purpose

The purpose of this policy is to ensure that University server operators configure and maintain PDAs with appropriate measures to protect the privacy of Penn constituents and reduce compliance and reputational risks to Penn.

V. Risk of Non-compliance

PDAs have a greater risk of theft or loss than other computing devices. If a PDA containing confidential University data is accessed by an unauthorized party, the University may incur business risks (strategic, operational, financial, compliance and reputational).

VI. Definitions

Confidential University Data
Confidential University Data includes:

Sensitive Personally Identifiable Information - Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to: Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to Confidential University Data.

Proprietary Information - Data, information or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secret, copyrighted material, and software or comparable material from a third party when the University has agreed to keep such information confidential.

Any other data, the disclosure of which could cause significant harm to Penn or its constituents.

Personal Digital Assistant (PDA)
A PDA is a hand-held electronic organizer that has the capability of accessing, storing and/or transmitting data. PDAs may or may not be managed by a server for the purpose of "push" of data and/or policies. They may be owned by an individual or by the University.

Push
Push means the electronic delivery of data such as email, calendar information or policies from a server to a client device, without the user of the client device having to take any manual action to initiate it. For example, email would just "appear" on a user's PDA, rather than the user having to check for new mail manually.

Server-Managed
A PDA qualifies as server-managed if (1) it is capable of accepting and enforcing a policy, and (2) it connects to a University service in a way that makes it possible to push a policy to the device. The service has to be capable of detecting the manageable device and pushing a policy. Certain types of connections (e.g. IMAP) are not detectable as PDA-specific, and do not provide for push of policies.

VII. Scope

This policy covers server-managed PDAs that access University systems or services. The policy covers both individually-owned and University-owned devices. A handheld used exclusively by a student who has access only to his or her own personal or academic data is exempt.

VIII. Statement of policy

  1. Servers that manage handhelds must, whenever technically possible:
    1. require encryption of data while at rest and during transmission;
    2. require a password at least 4 characters in length, in cases where all data on the device is wiped automatically after at most 10 failed password attempts; otherwise, the password must be at least 6 characters in length; and
    3. require that a password be entered after an inactivity timeout of 1 hour. However, a properly-configured/capable device won't (and need not) require that a password be entered just to answer the phone.
  2. The University reserves the right to wipe lost or stolen devices if necessary to protect confidential University data contained on the device, whether or not the device is owned by Penn. A device wipe could also occur upon separation of service from Penn. Depending on the technical implementation, this could result in all data being wiped. However, a server is only responsible for wiping the data it manages.
  3. Notification of lost or stolen devices must be done in accordance with the Information Systems Security Incident Response Policy (see References, below).
  4. Relevant local policies with stricter or additional requirements must be followed (see References, below).
  5. Server operators must obtain acknowledgement from end-users that they agree to the terms of service required by this policy. See References below for sample acknowledgement form.
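The following is an added example, not part of this policy: a small checker that evaluates a server-pushed PDA policy against the three requirements in Statement of Policy 1.1 to 1.3 (encryption at rest and in transit, the 4-or-6 character password rule tied to the automatic wipe threshold, and the 1 hour inactivity timeout). The policy dictionary keys and the two sample policies are constructed for illustration and do not correspond to any real device-management product's settings.

```python
# Added example (not the policy's own text): check a pushed PDA policy
# against Statement of Policy VIII.1.1 - VIII.1.3 of this document.
# Dictionary keys below are constructed; they are not a real MDM API.

MAX_WIPE_ATTEMPTS = 10          # 1.2: auto-wipe after at most 10 failures
MIN_PASSWORD_WITH_WIPE = 4      # 1.2: 4 characters when auto-wipe applies
MIN_PASSWORD_WITHOUT_WIPE = 6   # 1.2: otherwise 6 characters
MAX_INACTIVITY_SECONDS = 3600   # 1.3: re-lock after at most 1 hour idle


def required_password_length(policy):
    """Minimum password length that 1.2 demands for this policy.
    A missing/None wipe threshold means the device never wipes itself."""
    attempts = policy.get("wipe_after_failed_attempts")
    if attempts is not None and 1 <= attempts <= MAX_WIPE_ATTEMPTS:
        return MIN_PASSWORD_WITH_WIPE
    return MIN_PASSWORD_WITHOUT_WIPE


def check_policy(policy):
    """Return a list of findings; an empty list means compliant with 1.1-1.3."""
    findings = []
    if not policy.get("encrypt_at_rest", False):
        findings.append("1.1: encryption of data at rest not required")
    if not policy.get("encrypt_in_transit", False):
        findings.append("1.1: encryption of data in transit not required")
    if not policy.get("password_required", False):
        findings.append("1.2: no device password required")
    else:
        need = required_password_length(policy)
        have = policy.get("min_password_length", 0)
        if have < need:
            findings.append(f"1.2: minimum password length {have} < {need}")
    timeout = policy.get("inactivity_timeout_seconds")
    if timeout is None or timeout > MAX_INACTIVITY_SECONDS:
        findings.append("1.3: inactivity timeout missing or longer than 1 hour")
    return findings


# Constructed sample: 4-character password with no auto-wipe, 2 hour
# timeout, and no at-rest encryption -> three findings.
WEAK_POLICY = {"encrypt_at_rest": False, "encrypt_in_transit": True,
               "password_required": True, "min_password_length": 4,
               "wipe_after_failed_attempts": None,
               "inactivity_timeout_seconds": 7200}

# Constructed sample: same 4-character password is acceptable once the
# device wipes after 10 failed attempts, and the timeout is 1 hour.
CORRECTED_POLICY = {"encrypt_at_rest": True, "encrypt_in_transit": True,
                    "password_required": True, "min_password_length": 4,
                    "wipe_after_failed_attempts": 10,
                    "inactivity_timeout_seconds": 3600}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, check_policy(pol) or "compliant")
```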

IX. Recommendations and Best Practices

  1. Passwords should be a minimum of 6 characters in length.
  2. A password should not be easily guessable by someone who knows the user, or be derived from published information about the user. Examples of bad passwords include phone numbers, birthdates, addresses, names, zip codes, etc.
  3. When available, install anti-virus software, maintain current virus signatures and enable real-time scanning for viruses.
  4. Regularly back up data stored on PDAs, protecting the backed up data appropriately. In the event a device is lost, stolen or damaged, the backup will ease restoration of service and prevent loss of data.
  5. PDAs should be server-managed whenever feasible.
  6. Even when a PDA is not server-managed, or a server cannot enforce compliance, the PDA should comply with Statements of Policy 1.1, 1.2, and 1.3.
  7. Server administrators are strongly advised to inform their users of the notification requirements in the event a particular device is lost or stolen (see Information Systems Security Incident Response Policy in References, below).

X. Compliance

A. Verification: Through its annual program of risk-based audits and compliance assessments, the Office of Audit, Compliance and Privacy will verify that servers providing PDA synchronization service are implementing this policy.
B. Notification: The Office of Audit, Compliance and Privacy will notify server administrators and computing directors of compliance issues.
C. Remedy: Remedy will be the re-configuration of the server or service to push appropriate policies to PDAs it manages. ISC will offer consulting assistance to the operator of the computer, server or service where possible in order to bring the service and PDA into compliance as quickly as possible.
D. Financial Implications: Costs associated with the implementation of this policy are the responsibility of the department, individual, school, and/or center responsible for the server.
E. Responsibility: Responsibility for remedy lies with the department, individual, school, and/or center responsible for the server.
F. Time Frame: Affected servers must be brought into compliance within 6 months of the date this policy is approved. For service commencing after the effective date of this policy, end-user acknowledgement must be obtained prior to delivery of the service. For services already being provided, end-user acknowledgement must be obtained within 6 months of the date this policy is approved.
G. Enforcement: Individuals not adhering to this policy may be subject to sanctions as appropriate under Penn policies.
H. Appeals: Requests for waiver from the requirements of this policy may be submitted to either the Office of Audit, Compliance and Privacy or Information Systems and Computing, Information Security. These requests shall be decided by the Vice President of Information Systems and Computing and the Associate Vice President of Audit, Compliance and Privacy.

XI. References