RE: Notebook policy (need advice)

[Tony UcedaVélez <tonyuv () versprite com>]

Definitely agree with the previously made comments on the use of full disk
encryption and points made on AV, however, I wanted to simply add to those
points by saying that the issuance of notebooks should be focused on those
user groups that would most benefit from a portable computing device.  

Not all positions within a company require the use of a notebook for work
(although, in the near future this may very well change).  Obviously, the
portability of laptops could be recommended to be reserved for those who
travel/ telecommute or use it for working sessions in company war rooms
(developers, project managers come to mind).  Point here is that the scope
and applicability of any security policy could achieve a more targeted
audience, versus a broad unknown audience who truly don't benefit by
having a notebook.  

This recommendation is obviously touch to act upon in organization's where
notebooks have already been issued without specific consideration to the
job function.  However, if possible the added value in the above mentioned
is the following:

1. IT Operations adheres to imaging and providing laptops to those whose
roles and responsibilities require the use of a notebook.  Often times, IT
Ops groups elect to image a resource that is readily available or one in
which the user prefers. 
2. Again, a policy surrounding notebook usage will be geared to a specific
audience instead of rolling out a policy to everyone, regardless of
whether they have a notebook or not. Improved accountability, focused
security CBT modules (related to mobile computing) are some positive
by-products that result.
3. Cost savings can be multi-fold here.  Since roles and responsibilities
will dictate who gets a notebook, cost savings are realized not only on
the price per notebook, but also the costs associated with software
licenses that are specific to portable information assets.  

Again, this suggestive advice obviously depends on the 'mobile' culture of
your company's workforce.  Also affecting the above is whether you'll be
able to 'backtrack' to make such a recommendation.  

Regarding local admin use, again, I would revert to what the roles and
responsibilities are for the employees and creating various images that
coincide with their respective user groups/ types.  Ideally, a
collaborative effort between HR and IT Security should make this work. 

Btw, along with AV and FDE, I'd include in the policy the use of personal
firewalls and HIPS agents, especially for the road warriors of your
organization.

Hope this helps.

Best Regards,

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv () versprite com
(web)   www.versprite.com
 




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nicolas Arias
Sent: Tuesday, January 23, 2007 8:12 AM
To: security-basics () lists securityfocus com
Subject: Notebook policy (need advice)


Hi guys!, in my company we have a lot of notebooks, but theres no formal
security policy about them.

Can you tell me how do you handle this?

Do you give an local admin for the owner?, do you use full disk
encryption?, what about anti-virus and external scans?

Any idea is going to be really preciated.

Cheers!!

Attachment: smime.p7s
Description: