Re: Stolen Laptops

[Walter Petruska <wpetruska () USFCA EDU>]

And are you requiring the use of cable locks for laptops and computers
in public areas?

On 7/29/10, Kimberly Heimbrock <heimbrockk () nku edu> wrote:
> Thanks to all for your input so far - just a little more background on what
> we are dealing with at NKU...
>
> Over the past 8-9 months we have had a LOT of theft on campus, particularly
> laptops.  Overall, 36 laptops were stolen since last October (that I know
> of) - likely by an internal staff member who has keys to lots of campus
> areas and can go around unnoticed at night and on weekends.  Our biggest
> concern has been the data within, not just the equipment.  We have been able
> to prove that sensitive data resided on some of the systems - so yeah we are
> on the breach reports :-(
>
> As several posts have commented, a layered approach will be employed.  We
> just implemented a new policy for all new laptops to be Encrypted with MS
> Bitlocker, and are considering desktops too. Macs will be using Filevault as
> soon as we test more completely.  We just licensed Identity Finder and will
> be removing sensitive data - hopefully all over campus if we can get our
> users to understand that they need to do so. We continue to increase
> security cameras and electronic locks as budget permits.  Usually we are one
> step behind the thieves!  As one advised, we may look into tracking cameras
> too.
>
> We will be investing in some sort of laptop tracking software, but not sure
> yet which one.  We are leaning toward the tools that allow us to 'push' it
> out to the systems, so we can make progress without having to touch 1200
> laptops individually - which would never get done.  From a physical aspect,
> we will be increasing laptop security education for employees, possibly
> looking into physical etching, tags, or rfid's, etc.  All we need is
> agreement and budget - easy right??!?  We have also added more cameras,
> electronic door readers, etc.
>
> I find that nearly all the time, users 1) do not think they have any
> sensitive data; 2) it won't happen to them; and 3)don't care to spend time
> or energy on security.  We are trying to push out awareness in heavy doses
> but user behavior continues to be our biggest risk.
>
> Hopefully we are close to catching the recent theft ring, but we will
> continue with efforts to reduce the issue - especially with laptops.
>
> Thanks again to all who posted...very helpful as always.
>
>
> Kim Heimbrock
> Director, IT Policy and Compliance
> Northern Kentucky University
> (859) 572-5139
> heimbrockk () nku edu
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
> Sent: Thursday, July 29, 2010 1:10 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> To be more specific, we're requiring encryption on university owned or
> leased laptops. We do not require it on personally owned laptops. We
> discourage use of personally owned laptops to access university information
> resources, but the responsibility for authorizing use of personal equipment
> lies with the respective dean or VP. We do require documented technical
> controls on ALL laptops that access Private or Confidential information.
> (This information is in our Information Access and Protection
> Standard--http://security.rit.edu/iap.html)
>
> Ben Woelk '07
> Policy and Awareness Analyst
> Information Security Office
> Rochester Institute of Technology
> ROS 10-A204
> 151 Lomb Memorial Drive
> Rochester, New York 14623
> 585.475.4122
> 585.475.7920 fax
> ben.woelk () rit edu
> http://security.rit.edu/dsd.html
>
> Become a fan of RIT Information Security at
> http://rit.facebook.com/RITInfosec
>
> Follow us on Twitter: http://twitter.com/RIT_InfoSec
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green
> Sent: Thursday, July 29, 2010 12:02 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> http://www.educause.edu/sites/default/files/library/presentations/SEC10/SESS11/SPC%2B2010%2Bdisk%2Bencryption%2B-%2Ball.pdf
> slide 16 is what we did and now do. A big pain point was a lot of personally
> owned approved devices for work and needing to support encryption on those.
>
> There's nothing like bricking an associate dean's brand new "I want to watch
> movies on a plane and keep up with my UAB work that may include sensitive
> email"  $300 netbook right before a month long trip to France.
>
> Don't require it:  Expect the edge cases not to do it.   Require it:  Expect
> a painful process dealing with edge cases if you don't have a fairly locked
> down set of hard ware platforms.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
> Sent: Wednesday, July 28, 2010 9:16 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stolen Laptops
>
> Are your institutions "encouraging encryption" on laptops, or "requiring
> encryption" on laptops?  We're moving to Symantec Endpoint Encryption (it
> was GuardianEdge, but they got bought by Symantec - which is actually good
> for us, since we use Symantec Altiris, SEP, etc.) and will be doing full
> disk encryption on any/all non-instructional (student use) laptops.....
>
> M
>
> -----Original Message-----