RussellHltn wrote:Yes, but it seems to be wide open to local/personal interpretation of what is secure. Someone may interpret constant physical possession as being adequately secure. I don't find your interpretation with respect to removable media to be unreasonable, but OTOH, I don't think we can say that it is church policy.
The reason I jumped into this line was not because it was a bad idea, but because it was claimed be required "to conform with policy."
I will make an observation about the difference between a PDA and a Flash/Thumb/SD card: With a unsecured PDA, ti's possible to see the data with just casual handling. With a flash/thumb/SD card it would typically requires a more permanent loss or even theft. And then it would have to be connected to a computer before any sensitive data is viewed.
The problem with that reasoning is that it utterly fails to grapple with the other policy requirement quoted above (to which you never responded):
So the policy does cover the case of protecting data stored on the device when it is permanently out of the authorized user's possession, not just against "casual handling" by an unauthorized person. And it is not sufficient for anyone to assume "constant physical possession," because the policy expressly covers the hypothetical case when such possession does not obtain
As for your argument that the SD card is merely functioning as a flash drive and policy does not cover flash drives, that simply does not fit the facts of the Android case.
When an Android user is carrying around the phone, the SD card is not
functioning as a USB flash drive. It is functioning as memory attached to the smartphone. The only way to make it function as a USB flash drive while inserted in the phone is to plug in the USB cable and manually configure the memory card for that mode through the user interface, but that cannot occur if the phone is locked by its password pattern.
But if the locked device is lost or stolen (again, see the policy quoted above) it is trivially easy to remove the SD card -- which by design
is removable -- plug it into a $5 adapter and read it with a computer.
Of course, the immediate onus of that particular policy provision is not on the end user but on the STS, who somehow is supposed to "ensure" that the data on all end-users' devices is password-protected. I'm not an STS, which is a good thing because I've never understood how that responsibility can be feasibly carried out without proactive, good-faith compliance by the end users. I suppose a pharasitical priesthood leader with an Android could simply ignore the policy unless the STS brings it to his attention. But if I were an STS, I think it would be clear to me as a matter of fact that the Android's SD card is not protected if it is lost or stolen.