Educause Security Discussion mailing list archives
Re:
From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 17 Dec 2007 15:06:13 -0500
The State of Ohio has established a State-wide program for data protection, with direction coming from the Governor's office. The sub-committee working on this project selected Safeboot as the application of choice for data storage devices of the mobile computing variety. (Tape backup encryption varies with the hardware being used.) Yes, there are other applications of equal capability; this is just the one the sub-committee selected.

Within the sub-committee conversations the first question asked was under what circumstances a data storage device should be encrypted. Second, why does the individual have the data? Reviewing resources such as NIST publications 800-53 and 800-53A and ISO 27000-series guidelines, the State sub-committee came to this conclusion:

- If the data at rest on a storage device is considered to be sensitive (private), then the device will be encrypted.
- If the data is considered important (confidential) at the time, such as an RFP document, then at a minimum the device should be password protected, with encryption as a higher level option.
- If the data doesn't fall into either of those other two, then neither encryption nor a password is required.

At what level to encrypt - entire hard-drive or just the folder - is up to the agency; however, the State is indicating that full encryption is suggested. Safeboot allows for both levels of encryption, locking down USB ports, and various other security features. If the person is not sure, then err on the safe side and encrypt.

What also needs to be kept in mind by the user communities are the various laws and possible outcomes of not protecting data that is considered sensitive. At the individual level, the person who loses the device could be subject to various litigation and penalties. At the institutional level, litigation, penalties, and mitigation are at stake. As an example, in June a backup tape was stolen from the State of Ohio containing all of the SSNs for all State employees - over 64,000.

At the individual level several people were "thrown under the bus" and terminated for the incident. At the institutional level it is estimated that the State has over two million dollars invested in mitigation and still counting. The State is looking at years of mitigation associated with this incident. I know Ohio University had an incident back in 2006 that has had a significant "cost" to that institution. (In addition to the statutes mentioned, GLB I believe allows for civil recourse in addition to criminal recourse.)

At the Ohio State Lottery we also intend to perform mandatory user awareness training and random audits for compliance; however, bottom-line, the individual users must understand the significance and importance of having sensitive or private data on storage devices, and protecting that data. Otherwise that person should not be allowed to have the data.

Kevin Peters
IT Manager
The Ohio State Lottery

________________________________
From: Allan Williams [mailto:allan.williams () ANU EDU AU]
Sent: Monday, December 17, 2007 12:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY]

G'day,

I've learnt that you can't use the "M" word with some academics - no matter how just your cause, they will pull out some extreme example. In some sense you are playing the same game by stating that this technology is needed to protect the data from disastrous consequences.

A few suggestions:

1) Acknowledge that the policy is attempting to mitigate the risk and state that you would be happy to consider alternative solutions if they can be shown to be effective - probably worth listing out the type of risks you're trying to prevent and inviting them in for a one on one to discuss.
2) Go over his head - depends where they sit in the food chain.
3) Don't make it an IT policy - push it out to your research office / grants / ethics body and make it a condition of researching in this area, or have it tied to funding this type of research.
4) Ignore it; it's been approved and you can't please all of the people all of the time. Hopefully you managed to get an audit clause in, and in 6 months' time he could come in for a "random" audit :)

Regards,
Allan

On 18/12/2007, at 4:15 AM, Mclaughlin, Kevin (mclaugkl) wrote:

Hi All:

I am having a bit of a tussle with a faculty member who is on one of the committees that already approved UC having a Full Disk Encryption Policy. I won't overload you with the verbose emails that have gone back and forth, but it seems that his concern is summed up in that he doesn't want a policy for this, as that makes it mandatory, and he is making some grandiose blanket statements about the impact to faculty if we have a Full Disk Encryption policy in place. (see below)

The policy basically says: all PCs that store restricted data (FERPA, HIPAA, GLB, PCI) will be encrypted with PGP's full disk encryption software at no cost to the individual or department. This software will be supported, as needed, by Central IT.

Hi Kevin

Encouraging FDE (full disk encryption) is fine. Mandating it - is not. Regarding your comment that "My profession is all about Risk mgt and mitigation": that is the trouble with the policy. Faculty teach, do research, etc. The policy needs to strike a balance. In years past, we had similar discussions about libraries. To protect the books, libraries should simply close their doors. A balance needs to be found. The goal of the policy should be to assist professors to follow the law while they do their job.

Here's my question: I have talked about how transparent the tool is; my team and I have used it for about 6 months now. I have talked about how, as an adjunct, I found it easy to use, and I have talked about how this IS a tool that allows faculty to do their job and to safeguard information at the same time. I have also offered to let him try the tool and he has not taken me up on that. The net result I have had is nil.

Have any of you had success with a technique to overcome this type of obstacle? I have no doubt that the policy will be approved and moved forward, but I would also like to get this very vocal faculty member's support if possible.

Thanks,
-Kevin

Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

==================================
Allan Williams
Head Systems & Desktop Services
Division of Information
R.G. Menzies Building
Building 2
The Australian National University
Canberra ACT 0200
T: +61 2 6125 8404
M: 0400 480 144
www.anu.edu.au
CRICOS Provider #00120C
==================================