Re: Laptop encryption

[David Taylor <ltr () ISC UPENN EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


There is also the Seagate drive that does whole disk encryption.  It also takes most of the performance hit since most 
of the processing is done on the drive hardware. Has anyone had any experience with these?  I think they just hit the 
market recently.

http://www.pcworld.com/businesscenter/article/129734/seagate_ships_supersecure_hard_disk_drive.html


- -------------------------------
David Taylor
University of Pennsylvania
Office of Information Security
215-898-1236
- -------------------------------



- -----Original Message-----
From: O'Callaghan, Daniel [mailto:Daniel.OCallaghan () SINCLAIR EDU]
Sent: Friday, October 05, 2007 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption

> 1.  What is your current practice:
We looked at laptop encryption about 2 years ago and decided the
resource hit, risk of data loss, key management, and user-related issues
were significant enough that we could not support 'mandating' across the
board.
We opted for mandating the use of drive locking technology (HP
DriveLock) for all College-owned administrative (ie faculty & staff)
laptops. DriveLock essentially uses the TPM chip which prevents the
drive from booting/initializing until the password is entered, even if
the drive is removed & inserted in another device, it will not boot.
College policy requires all laptop purchases be coordinated with and
processed by IT.  When the machine arrives on campus, IT sets the
'master' DriveLock password and the owner sets the user password on
delivery. We initially met user resistance to this 'extra' password
requirement, but have overcome a lot of it by also allowing users to
implement the stored credentials (essentially a password vault) feature
offered by the machines.  A caveat is that users must be taught to
power-down, not just hibernate, the laptop when traveling as DriveLock
only works at powerup.

> 2.  What is your desired practice if you do not use encryption on
laptops
Our Acceptable Use Policy does state that all personal identifying
information stored on local devices, portable devices, or removable
media must be encrypted or redacted. We offer user training on using
WinZip, AxCrypt, and Truecrypt for encryption of individual files or
folders.

We do realize that this DriveLock is essentially technology enhanced
"security by obscurity" and is not a perfect solution,  but think it is
a pretty good solution based on risk/usability.  Our legal counsel
opines that if a user (who doesn't follow the AUP encryption
requirement) loses a laptop containing personal information, DriveLock
"might" provide a defense under the "data elements unreadable"
definition of Ohio's data breach notification law...but we are really
hoping we do not have the opportunity to find out.


________________________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 West Third Street, 14-324
Dayton, Ohio 45402-1460
937-512-2452 Fax 937-512-3124
daniel.ocallaghan () sinclair edu

-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)

wj8DBQFHBkyDrFOwyUiOUlwRAimsAKDSX/sj4NtGLwpJEJdMdR7xCbE2dACgyZ61
1y9/LFgc1Wra/JgjUmwLSCE=
=Y08E
-----END PGP SIGNATURE-----