Educause Security Discussion mailing list archives

Re: Product request - Enterprise whole disk encryption for laptops


From: "Waller, Michael A. (HSC)" <Michael-Waller () OUHSC EDU>
Date: Thu, 20 Jul 2006 12:19:14 -0500

We're working towards this. Basically, we understand that there will be some need, but we're going to make those who 
want to keep sensitive data on a portable device aware of the risks and make them jump through some additional hoops. 
This way, the user is more aware of the risk and supervisors/department heads/deans/IT have a much clearer picture of 
what's out in the wild.

Mike Waller   CISSP
Information Technology, Information Security Services
The University of Oklahoma Health Sciences Center

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU] 
Sent: Monday, July 17, 2006 9:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Product request - Enterprise whole disk encryption for laptops

I agree that there are probably many more computers that have sensitive data on them than is necessary for business 
reasons.  And that on a lot of those machines the users probably don't even realize what's on their computers.

An approach that is very appealing to me is that of requiring users to make a case for their need to store sensitive 
data locally and to get formal permission to do so.  I think this would do a few things.  One, it would have an 
inhibiting effect on those who want to store sensitive data but don't have a strong case for it and, two, it would 
bring to the attention of the IT staff those who do store sensitive stuff, so that the IT staff can keep a closer watch 
on those users.

Harold



At 09:18 AM 7/17/2006, Roger Safian wrote:
At 01:44 PM 7/15/2006, Charlie Prothero put fingers to keyboard and wrote:
Roger's comment on risk management brings to mind the question of whether or not someone should even be allowed to put 
sensitive data on a laptop, though this is a bit off-topic vis-à-vis this discussion.  Citrix, MS Terminal Services, VNC

Personally I think the risk of sensitive data on a laptop is only 
slightly larger than the same data on the network.  They both 
potentially have the same risk of data loss through a network breach.  The laptop is easier to steal.
In most cases the business needs outweigh that risk, especially if the 
data is encrypted.

The issue I see is does *any* machine need access to sensitive data?  
Speaking just from my experience I'd say that there are plenty of 
machines with sensitive data that are both not secure AND do not need 
the data on them in the first place.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"

Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)
