NIST Offers Guidance on Contingency Planning, Cell Phone Security


The National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Department of Commerce, promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.


The NIST has uploaded two of its publications to the Knowledge Network, the first being Guidelines on Cell Phone and PDA Security. While these mobile devices provide productivity benefits, the NIST argues that they also pose new risks to an organization.


NIST's concerns include:


  • Because of their small size and use outside the office, handheld devices are easier to misplace or have stolen than a laptop or notebook computer. If they fall into the wrong hands, gaining access to the information they store, or to the information they can reach remotely, can be relatively easy.


  • Communications networks, desktop synchronization, and tainted storage media can be used to deliver malware to handheld devices. Malware is often disguised as a game, device patch, utility or other useful third-party application available for download. Once installed, malware can initiate a wide range of attacks and spread itself onto other devices.


  • Like desktop computers, cell phones and PDAs are subject to spam, which in their case can arrive as text messages and voice mail in addition to electronic mail. Besides the inconvenience of deleting spam, charges may apply for inbound activity. Spam can also be used for phishing attempts.


  • Electronic eavesdropping on phone calls, messages, and other wirelessly transmitted information is possible through various techniques. Installing spy software on a device to collect and forward data elsewhere, including conversations captured via a built-in microphone, is perhaps the most direct means, but other components of a communications network, including the airwaves, are possible avenues for exploitation.


This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving cell phone and PDA devices.


The second document uploaded to the Knowledge Network by the NIST is a Contingency Planning Guide for IT Systems. This in-depth guide provides instructions, recommendations, and considerations for government IT contingency planning. Contingency planning refers to disaster recovery, or interim measures to recover IT services following an emergency or system disruption. Interim measures may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods.