Document Sample
HandheldWirelessEmailDevicesv2.0Final Powered By Docstoc
					Wireless Handheld Devices
 Risk Management Guide
         VERSION 2.0

         December 2007
                                                    Wireless Handheld Devices Risk Management Guide

Contents .......................................................................................................... 1
1.        Purpose of This Guide .......................................................................... 2
2.        “Push” Technology ................................................................................ 2
3.        BlackBerry ............................................................................................. 3
4.        Other Technologies ............................................................................... 5
5.        General Risks........................................................................................ 6
6.        Important Issues to Consider ................................................................ 7
7.        Conclusion ............................................................................................ 9
Appendix A – Wireless Handheld Devices Guidance Summary ...................... 1

Department of the Premier and Cabinet – Office of e-Government                                  Page 1
                                                 Wireless Handheld Devices Risk Management Guide

1. Purpose of This Guide
This guide provides general information on risks and risk treatment strategies
with regard to wireless handheld devices. It replaces the BlackBerry & Mobile
Push Technology Implementation Guide published by the Office of
e-Government (OeG) in January 2007.

The Guide is intended as a starting point for Western Australian Government
agencies considering the merits of wireless handheld devices. It has been
updated to reflect the current position on these devices and to advise
agencies of important progress made on the management of risk associated
with licence agreements for these devices.

Other areas of risk such as technical approaches to security and privacy are
dealt with in other OeG publications and will be the subject of future papers.

It should be noted that this area of technology and the products that are
available in the marketplace are subject to constant innovation and change.
This paper does not attempt to provide a detailed technical guide but should
be used by people using, or planning to use, wireless handheld devices to
ensure that important issues of risk are addressed.

2. “Push” Technology
Typical functions of wireless handheld devices include an all in one mobile
phone, email, a web browser, an organiser, a camera and office capabilities.
The better known products that fall in to this category are BlackBerry
produced by Research In Motion, Good Mobile Messaging (formerly
GoodLink) produced by the Motorola Good Technology Group, Jasjam from
i-mate and Dopod. Other portable products such as pocket, tablet and
notebook PC‟s will be the subject of a future paper.

The “push” description of the technology refers to an „always connected‟
capability, where emails and Personal Information Manager (PIM) information,
such as scheduling and calendar details, are „pushed‟ out from an
organisation‟s server to users‟ mobile devices. This means that users have
the capacity to be notified of incoming emails and appointments as they are
received. There is no need to log in and „pull‟ this information into the device.
The user has the option to set up the device to receive and send information
at selected intervals.

This technology has proven to be popular with businesses with employees
who are out of their office regularly but require immediate, secure and

Department of the Premier and Cabinet – Office of e-Government                  Page 2
                                                 Wireless Handheld Devices Risk Management Guide

constant access to their email and PIM information. Such devices, including
BlackBerry, are currently in use in a number of WA Government agencies.

3. BlackBerry
Research In Motion Ltd (RIM) released the first mobile push technology
device with their BlackBerry solution. This incorporated the push email service
as well as a proprietary handheld device. BlackBerry capabilities have also
been incorporated into third party mobile devices such as those from Nokia
and Sony Ericsson.

3.1 Technology Overview
BlackBerry push technology requires the installation of a server solution that
sits between an organisation‟s corporate email server and the firewall.
Enterprise applications running under Microsoft Exchange, Lotus Domino and
Novell GroupWise can be accessed by BlackBerry using the BlackBerry
Enterprise Server. The server solution integrates with the email server to
allow users‟ emails and PIM data to be sent through the firewall to a carrier‟s
mobile network via the Internet. The data is then sent to the specific user‟s
device. The server application provides encryption to the data in order for
secure transmission. The following simplified diagram shows this process:

(Image from Optus BlackBerry Overview)

The BlackBerry solution is available over the existing GSM and CDMA mobile
networks, and is expected to be available on the carriers‟ respective next
generation (3G) mobile networks.

3.2 Service Providers
In Western Australia, BlackBerry is available through suppliers such as
Telstra, Optus and Vodafone. All three companies provide the required
Enterprise Server solutions as well as BlackBerry and third party BlackBerry
enabled handsets.

As per the Common Use Arrangement for Mobile Telecommunications
Services and Equipment (CUA15103), Vodafone and Optus are contracted
suppliers for GSM and 3G airtime services and handsets. Telstra is able to

Department of the Premier and Cabinet – Office of e-Government                  Page 3
                                                 Wireless Handheld Devices Risk Management Guide

sell restricted 3G services. For more information on CUA15103 refer to

3.3 Contractual Issues with BlackBerry
The Commonwealth Government has identified certain contractual and
security issues associated with the use of BlackBerry devices. In particular,
the licence agreements that each user has with RIM, the supplier of
BlackBerry devices, require the licensee (i.e., user) to provide an unlimited
indemnity to RIM for loss or damages caused to RIM in connection with the
user‟s use of BlackBerry.        In order to reduce this exposure, the
Commonwealth Government negotiated with RIM on behalf of all
Commonwealth agencies using BlackBerry devices to cap the indemnity and
implement other changes to the agreements. In addition, the Commonwealth
Government has made available to its agencies detailed guidance on the use
of protective security markings with BlackBerry and other advice regarding
security risk management. Refer to Appendix A for further information.

Several WA agencies already deploy BlackBerry devices and are therefore
subject to the unlimited indemnity under the licence agreements. This has the
potential to cause problems for WA agencies. For example, agencies may
risk losing insurance cover if they do not notify RiskCover of contracts that
waive the agency‟s right of recovery, indemnify other parties and / or cap
liabilities such as those with RIM. This has highlighted the need for agencies
to be more aware of the contractual and other more general risks associated
with these types of technologies.

RiskCover has now been able to procure reinsurance coverage in respect of
the indemnity provision contained in the following Agreements with Research
In Motion Ltd relating to the use of the BlackBerry Product and / or Software:
        BlackBerry Enterprise Server Software License Agreement
        BlackBerry End-User / Software License Agreement
        BlackBerry Internet Service End User Agreement.

RiskCover recommends that agencies undertake a thorough review of current
contracts to identify if there are other contracts which should be notified to
RiskCover. It should be emphasised that until notification and
acceptance of contractual risks has occurred, agencies will not be
covered in respect of any liability under contract. Refer to the Fund
Guidelines 8.1, 8.2, 8.3 and 8.4 for full particulars of notifiable events. These
Guidelines are available from RiskCover on (08) 9264 3333 or on the secure
section of the web site at

Department of the Premier and Cabinet – Office of e-Government                  Page 4
                                                 Wireless Handheld Devices Risk Management Guide

4. Other Technologies
This section describes other emerging technologies that provide push email
solutions. This is not an exhaustive and detailed consideration of all the
available technologies as new vendors and products are entering the market.

4.1 Good Mobile Messaging and Good Mobile Intranet from
    Motorola Good Technology Group
Good Mobile Messaging and Mobile Intranet provide a similar service to RIM‟s
BlackBerry service and are available on devices from a number of vendors
including Motorola, Samsung, Palm and Windows Mobile i-mate, see At present, Good Mobile Messaging
and Mobile Intranet can operate in environments where Microsoft Exchange
or Lotus Domino email servers are used. If the handheld device is lost or
stolen the IT Manager can erase data stored on the device. It is currently only
available through Telstra. Users need to be aware that data sent to and from
such devices is transmitted through a central server in the USA and as such is
subject to the laws of that country which include those dealing with encryption,
surveillance and interception.

4.2 Windows Mobile Email
Microsoft has released push technology capabilities in a service pack 2
upgrade to its MS Exchange Server 2003 application. This provides push
capability to handheld devices running MS Windows Mobile software version
5. For information on the Messaging and Security Feature Pack refer to
Windows Mobile 6 is available on Microsoft Exchange Server 2007.

One of the characteristics of this solution is that it does not require the user‟s
emails or data to be transmitted via a central server, as is the case with the
BlackBerry solution where all data is transmitted via RIM‟s central server in
Canada. The devices are also pre-installed with Windows Mobile versions of
the Microsoft Office suite, allowing users to edit MS Office documents easily
using a familiar interface.

The BlackBerry system can be seen as a „thin‟ solution when compared to the
Windows Mobile Email solution. This means that the BlackBerry devices and
the BlackBerry Enterprise Server send less data between each other when

Department of the Premier and Cabinet – Office of e-Government                  Page 5
                                                 Wireless Handheld Devices Risk Management Guide

5. General Risks
There are other general risks that an agency may be exposed to if careful
review of the licence agreement is not undertaken and appropriate remedial
action implemented. These risks include, but are not limited to:
   breach of foreign laws as some devices channel information through
    servers located overseas and the user may be in breach of local laws
    regarding surveillance, encryption and interception
   breach of export or re-export restrictions under foreign laws by taking a
    device in to an embargoed country
   breach of the agreement with the wireless handheld device supplier by
    using the products or services on behalf of a third party, for example in the
    operation of a service bureau or allowing a third party to access the
    products or services without written permission
   breach of contract if the product is used on a server or on a device not
    located on the agency‟s premises, for example being used by a contractor
    or at another office.
The above could result in a range of penalties including confiscation of
equipment, loss of sensitive information, financial loss, damage to reputation
and image and civil or criminal liability.

The use of a device in countries that may potentially trigger a breach of
contract is subject to change and different jurisdictions may embargo different
countries under different restrictions. The countries that may be encompassed
by such breaches include Angola, Eritrea, Ethiopia, Iraq, Liberia, Burma,
Rwanda and Sierra Leone. Agencies are advised to refer to web sites of the
various vendors and those of the Commonwealth Government that are
identified in Appendix A for more information.

Implementing wireless handheld devices requires careful planning and
consideration of the technical and security issues that can affect the operation
of the products and the security of agency information. Vendor and specialist
publications and advice should be sought before implementing this

There are some precautionary measures that can be adopted when agencies
deploy, or consider deploying, wireless handheld devices. These are
summarised, with links to relevant documents, in Appendix A.

Department of the Premier and Cabinet – Office of e-Government                  Page 6
                                                 Wireless Handheld Devices Risk Management Guide

6. Important Issues to Consider
6.1 Security Issues
6.1.1                     Data Encryption
Handheld devices and the enterprise server need to support high levels of
data encryption such as the Advanced Encryption Standard (AES) or the Data
Encryption Standard (DES). All data should be encrypted and transmitted with
an encryption key that can only be decrypted by the server or the device itself.
It is important to note that DES is in the process of being decommissioned in
favour of AES and Triple-DES.

Handheld devices and enterprise servers should be set up to use AES or
Triple-DES rather than DES. More information can be obtained from the

6.1.2                     Protective Markings
The Defence Signals Directorate (DSD) of the Department of Defence has
approved the use of BlackBerry devices for transmission of “UNCLASSIFIED,
X-IN-CONFIDENCE and RESTRICTED information” as per its “ICT Security
Policy for the Use of BlackBerry by the Australian Government”* (March
2006). Also see the BlackBerry Consumer Guide released by DSD in August
2007 at

The policy describes a number of technical and operational security measures
that, when implemented, minimise security concerns when using BlackBerry
in the transmission of information.

The Australian Government Information Management Office (AGIMO) has
also released their “Protective Markings and BlackBerry Devices Guidance”*
which provides guidance on the implementation, management and use of
BlackBerry devices.

The Western Australian Government does not yet have standards and
guidelines for protective markings and Commonwealth Government
guidelines should be considered and applied to the extent possible.

6.1.3                     International Transmission
It is important to note that data transmitted to or from handheld devices can
travel via servers located in other countries before being transmitted to the
recipient and therefore, at some stage, become subject to foreign jurisdiction.
This will be the case even if the handheld device and the enterprise server are

 Links to these documents are provided in the attached Appendix A - Wireless Handheld
Devices Guidance Summary
Department of the Premier and Cabinet – Office of e-Government                  Page 7
                                                 Wireless Handheld Devices Risk Management Guide

located in Australia. This triggers issues relating to privacy, secrecy, security,
encryption, interception, surveillance and other laws relevant to messaging,
particularly where the devices are used by agency personnel overseas. An
example of where exposure may be increased is that some countries prohibit
or restrict the use of encrypted messaging. As one of the key features of
wireless handheld devices is high levels of security messages are encrypted
and merely transmitting a message could involve the commission of a crime
that would not occur if the same message was sent via plain internet mail.

While agency employees are using these devices for sending and receiving
information to and from other countries they should be mindful of potential
conflict with foreign legislation.

6.1.4                     Lost Devices
If a handheld device is lost or stolen, it should be able to be locked remotely
to effectively render the device useless unless the administrator of the server
unlocks it again. Different products offer different solutions to locking lost
devices and agencies should ensure that selected devices incorporate such

6.2 CDMA, GSM and 3G Networks and BlackBerry Devices
BlackBerry and other similar devices are becoming commonplace globally
and Australian providers have good coverage for users that require
international roaming capabilities. It is important to note however that CDMA
handsets are not capable of international roaming, due to the lack of an
international CDMA network, and that Telstra has advised that the CDMA
network in Australia is being replaced by the Telstra Next-G (3G) network in
early 2008. Choice of network will need to be made on a case by case basis
depending on the proposed use and travel requirements of users, and
agencies will need to discuss this with service providers. Further advice can
be obtained from Government Procurement in the Department of Treasury
and Finance.

6.3 IT Services Installation and Maintenance
Implementation of wireless handheld devices will incur costs over and above
those for the device itself. Additional resources may include:
   a server (or servers) and its installation and ongoing support costs
   applicable licence costs for the enterprise server and handheld device
   communications costs between the enterprise server, the vendors server
    and the handheld device.
Agencies should follow the appropriate procurement process to ensure that
the market is properly tested and all implementation and operational costs are
identified and provided for.

Department of the Premier and Cabinet – Office of e-Government                  Page 8
                                                 Wireless Handheld Devices Risk Management Guide

7. Conclusion
Many Western Australian government agencies are using and planning to use
wireless handheld devices. Agencies should be aware that:

   there are certain risks inherent in the use of such devices, as set out in this
   there is a range of devices in the market and more will probably be
    available in the future
   the licence contract must be carefully reviewed before accepting the terms
    and conditions
   RiskCover must be notified if the licence contract exposes the agency or
    the Western Australian Government to unlimited liability
   agencies deploying, or considering deploying, wireless handheld devices
    should refer to this paper and the attached Appendix A, Wireless
    Handheld Devices Guidance Summary in order to mitigate their risks
   the marketplace for mobile telecommunications services and devices is
    rapidly evolving, and a greater variety of solutions will be available as
    carriers roll out their respective 3G networks. The current Common Use
    Arrangements are likely to be reviewed and modified to reflect these
Further information on procurement options should be directed to Peter
Barrenger at Government Procurement in the Department of Treasury and
Finance on (08) 9222 5421.

Any queries on the policy issues raised in this paper or general requests for
further information can be directed to Sven Bluemmel, Director Policy and
Strategy, in OeG on (08) 9213 7100.

Department of the Premier and Cabinet – Office of e-Government                  Page 9
                                                 Wireless Handheld Devices Risk Management Guide

Department of the Premier and Cabinet – Office of e-Government                  Page 10
                                                                    Wireless Handheld Devices Risk Management Guide

   Appendix A – Wireless Handheld
   Devices Guidance Summary

Wireless Handheld Devices Guidance Summary

Be aware

    In addition to a contract with a service provider (e.g. Telstra) users enter into one or more
    licence agreements directly with the device supplier, for example Research In Motion Limited

    Under some licence agreements users indemnify the device supplier to an unlimited amount.
    This could jeopardise your agency’s insurance cover.

    All or some data transferred via wireless handheld devices is encrypted and may travel through
    central servers located overseas. This can have certain implications for the use of devices
    overseas and for sending and receiving information in some countries. For example BlackBerry
    use is prohibited in some countries under Canadian export laws. Other devices transmit the
    information through servers located in the USA where the data may be subject to laws relating
    to data encryption, surveillance and interception.

    Your agency must pay particular attention to developing policies and procedures regarding the
    transfer of sensitive or classified information.

Before implementing wireless handheld devices

    Ensure that the terms of the licence agreements have been read and understood. You will be
    asked to accept the terms of the applicable agreements when installing the required software
    packages, for the device itself and its applications.

    Notify RiskCover if your agency plans to enter into licence agreements that could have
    unlimited liability implications or other areas of risk.

    Consider and apply to the extent possible the Commonwealth Government‟s Better Practice
    Guidance for CIO’s – Security Considerations for the Use of Personal Electronic Devices
    (PEDs) available at:

    Refer to publications at the Australian Government Information Management Office (AGIMO)
    that will be of assistance and are regularly updated. See the Publications section of the website

    Consider the security protection associated with documents being sent over wireless handheld
    devices. The Federal Government publications concerning Protective Markings and
    BlackBerry Devices Guidance can provide assistance and is available at

   Department of the Premier and Cabinet – Office of e-Government
                                                                   Wireless Handheld Devices Risk Management Guide

Wireless Handheld Devices Guidance Summary
   Consider the issues associated with ICT security through the adoption of wireless handheld
   devices. Information provided by the Defence Signals Directorate (DSD) may provide
   assistance; see Policy and Guidance for the use of BlackBerry by the Australian
   Government at

   Refer to the BlackBerry Consumers Guide at

Manage Use

   Develop policies and procedures on the use of wireless handheld devices, with a focus on
   security, the transfer of sensitive or classified information and use overseas.

   Provide staff with training on the use of wireless handheld devices and security requirements,
   making them aware of policies and procedures.

   Consider the implication of using the devices overseas. For example refer to the RIM Personal
   Use     Exceptions     for    Roaming      with    BlackBerry   Equipment        available at

   For advice on procurement options and the availability of solutions under Common Use
   Arrangements contact Peter Barrenger, Government Procurement in the Department of
   Treasury and Finance on (08) 9222 5421.

   For general queries or for further information contact Sven Bluemmel, Director Policy and
   Strategy, Office of e-Government on (08) 9213 7100.

  Department of the Premier and Cabinet – Office of e-Government

Shared By: