Educause Security Discussion mailing list archives

Re: Laptop encryption- Follow-up


From: James Farr '05 <jfarr () UTICA EDU>
Date: Tue, 16 Nov 2010 12:20:48 -0500

We are rolling this out for Faculty and Staff.  We are trying to educate
users about confidential information.  At the same time we know some people
need this information as part of their job responsibilities.  We also
acknowledge mistakes happen.

Right now we are looking at 3 options:
Option 1: Make 2 folders on every flash drive, protected and unprotected.
Allow the user to select which folder they are putting information into.
Option 2: Encrypt only new data written to the drive.
Option 3: Encrypt all data written to the drive, including existing data.

We have not encountered a scenario where we would allow someone to opt out
of encryption, but I am sure there will be one person.  If we find a machine
that absolutely cannot have encryption on it I would require a program like
Identity Finder and make sure the user understands what type of data can and
cannot be stored on the machine.  I like your idea of a waiver. We have not
installed the server or local software. In the next month or two we will be
deciding on how to balance the policies. 

James Farr
Utica College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Tuesday, November 16, 2010 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption- Follow-up

For those that responded to the encryption thread noting that you are using
Whole Disk Encryption for portable devices, would you mind sharing which
group this applies to? Is it just your staff members? Or faculty as well?

We are in the process of rolling out BitLocker whole disk encryption to all
staff with laptops, but are planning to allow faculty to opt out of
BitLocker if they sign a waiver stating that they do not store sensitive
data on their laptop per our Data Classification Policy. Is anyone doing
something similar?

From a breach standpoint, if the individual signs a waiver and states that
they do not have any sensitive information on their computer, do you employ
other controls like Identity Finder or DLP software to ensure that is the
case? Or is their signed waiver enough?

Any feedback, or examples of how you address lost/stolen devices from a
breach standpoint, is appreciated. Thank you. 

Patty


Patty Patria
Bentley University
 

