Security Basics mailing list archives

RE: Notebook policy (need advice)

From: "Huang, John, GCM" <John.Huang () rbsgc com>
Date: Fri, 26 Jan 2007 14:52:34 -0500

Oh please, LE don't lose things? 

A 20002 audit of the FBI revealed that they lost 317 laptops over a period of 3 years.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Eric Furman
Sent: Friday, January 26, 2007 11:32 AM
To: Patton Roub; security-basics () lists securityfocus com
Subject: RE: Notebook policy (need advice)

Oh please, this is hardly worth replying to. 
Said laptop would be in the possession of an armed law enforcement official. Hardly an unsecure environment.
Thanks for playing, try again.

On Fri, 26 Jan 2007 09:09:49 -0700, "Patton Roub" <proub () dci wyo gov>
said:

What would be your recommendation to the drug enforcement Special 
Agent who is recording the sensitive data outside the house of a 
suspect, and then using that data to create a search warrant on that 
computer to present to a Judge down the street?  Oh, did I mention the 
data he must have downloaded earlier to make sure he is looking for the right guy?
Wireless is not available, and we don't want Special Agents climbing 
poles.

Never ever say never.

Regards

Patton J Roub


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com]
On Behalf Of Eric Furman
Sent: Thursday, January 25, 2007 2:09 PM
To: security-basics () lists securityfocus com
Subject: RE: Notebook policy (need advice)

I'll give you one very simple policy that you should enforce that will 
make most of your concerns moot:

NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP!

Anybody, and I mean ANYBODY, found with sensitive data on their laptop 
should have it seized and they should be immediately dismissed.

There is virtually no reason to ever store sensitive data on a laptop.
Sensitive data should only ever reside on hardened servers in a 
physically secured server room. If your employees need to work with 
this data there are several means to securely access this data 
remotely.

(And, indeed, make sure the room AND its data storage is truly secure. 
There have been recent break-ins at certain companies and data tapes 
containing sensitive data were stolen.)

On Wed, 24 Jan 2007 22:50:47 -0500, "Tony UcedaVélez"
<tonyuv () versprite com> said:

Definitely agree with the previously made comments on the use of 
full disk encryption and points made on AV, however, I wanted to 
simply add to those points by saying that the issuance of notebooks 
should be focused on those user groups that would most benefit from 
a portable computing device.

Not all positions within a company require the use of a notebook for 
work (although, in the near future this may very well change).  
Obviously, the portability of laptops could be recommended to be 
reserved for those who travel/ telecommute or use it for working 
sessions in company war rooms (developers, project managers come to 
mind).  Point here is that the scope and applicability of any 
security policy could achieve a more targeted audience, versus a 
broad unknown audience who truly don't benefit by having a notebook.

This recommendation is obviously touch to act upon in organization's 
where notebooks have already been issued without specific 
consideration to the job function.  However, if possible the added 
value in the above mentioned is the following:

1. IT Operations adheres to imaging and providing laptops to those 
whose roles and responsibilities require the use of a notebook.  
Often times, IT Ops groups elect to image a resource that is readily 
available or one in which the user prefers.
2. Again, a policy surrounding notebook usage will be geared to a 
specific audience instead of rolling out a policy to everyone, 
regardless of whether they have a notebook or not. Improved 
accountability, focused security CBT modules (related to mobile 
computing) are some positive by-products that result.
3. Cost savings can be multi-fold here.  Since roles and 
responsibilities will dictate who gets a notebook, cost savings are 
realized not only on the price per notebook, but also the costs 
associated with software licenses that are specific to portable information assets.

Again, this suggestive advice obviously depends on the 'mobile' 
culture of your company's workforce.  Also affecting the above is 
whether you'll be able to 'backtrack' to make such a recommendation.

Regarding local admin use, again, I would revert to what the roles 
and responsibilities are for the employees and creating various 
images that coincide with their respective user groups/ types.  
Ideally, a collaborative effort between HR and IT Security should make this work.

Btw, along with AV and FDE, I'd include in the policy the use of 
personal firewalls and HIPS agents, especially for the road warriors 
of your organization.

Hope this helps.

Best Regards,

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv () versprite com
(web)   www.versprite.com
 




-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com]
On Behalf Of Nicolas Arias
Sent: Tuesday, January 23, 2007 8:12 AM
To: security-basics () lists securityfocus com
Subject: Notebook policy (need advice)


Hi guys!, in my company we have a lot of notebooks, but theres no 
formal security policy about them.

Can you tell me how do you handle this?

Do you give an local admin for the owner?, do you use full disk 
encryption?, what about anti-virus and external scans?

Any idea is going to be really preciated.

Cheers!!


-----------------------------------------
*******************************************************************
*

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorized
to retain, read, copy or disseminate this message or any part of
it.

*******************************************************************
*

Current thread:

Re: list of university hacked in 2006, (continued)
- Re: list of university hacked in 2006 John Hummel (Jan 22)
  - Notebook policy (need advice) Nicolas Arias (Jan 23)
    - Re: Notebook policy (need advice) Saqib Ali (Jan 24)
    - RE: Notebook policy (need advice) Pranav Lal (Jan 24)
    - Message not available
    - Fwd: Notebook policy (need advice) kevin fielder (Jan 24)
    - RE: Notebook policy (need advice) Pranav Lal (Jan 25)
    - RE: Notebook policy (need advice) Tony UcedaVélez (Jan 25)
    - RE: Notebook policy (need advice) Eric Furman (Jan 26)
    - RE: Notebook policy (need advice) Patton Roub (Jan 26)
    - RE: Notebook policy (need advice) Eric Furman (Jan 26)
    - RE: Notebook policy (need advice) Huang, John, GCM (Jan 26)
    - Re: Notebook policy (need advice) Eric White (Jan 26)
    - Re: Notebook policy (need advice) Eric Furman (Jan 26)
    - RE: Notebook policy (need advice) Sipes, Bob (Jan 26)
    - RE: Notebook policy (need advice) Steveb (Jan 30)
    - RE: Notebook policy (need advice) Patton Roub (Jan 29)
    - RE: Notebook policy (need advice) Barrett, Will (Jan 29)
    - RE: Notebook policy (need advice) Greg Jones (Jan 30)
    - RE: Notebook policy (need advice) Sipes, Bob (Jan 26)
    - Re: Notebook policy (need advice) Ansgar -59cobalt- Wiechers (Jan 26)
    - Re: Notebook policy (need advice) Ryan Chow (Jan 29)

(Thread continues...)