RE: The VA Stolen Laptop - Lessons Learned

["Isaac Van Name" <ivanname () southerlandsleep com>]

Bush hasn't defined "data"... he can't define anything because he's a moron.

Does data include OS files, log files, cab files, drivers, etc.?
IMO, no.  None of it.  Screw the OS and its files; those things don't count
as "sensitive data".  Okay, so there's the argument that "these things can
be used for a compromise".  Really, I don't see why someone can't just use a
roaming profile and a VPN connection on the laptop to connect to their
workplace and, anytime sensitive data like that is put on a laptop, encrypt
it as the roaming profile and set the file rights to only allow that roaming
profile to access it.  That way, when the laptop is stolen, just disable the
roaming account... that should protect the encrypted files for long enough
for the laptop to be recovered.  True, this is more work, but then, isn't
proper security just making your everyday tasks take longer?

Of course, this is all said with a cup of coffee in one head and my hungover
head in the other, so please feel free to correct me.  As it seems to me,
though, I think you have to plan out system security before you implement
file security... otherwise, you're just playing smoke and mirrors.


Isaac Van Name
Network Assistant / Programmer
Southerland, inc.
ivanname () southerlandsleep com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of evb
Sent: Wednesday, September 13, 2006 3:47 PM
To: security-basics () securityfocus com
Subject: RE: The VA Stolen Laptop - Lessons Learned

 
:1. Encrypt all data on mobile computers/devices which carry 
:agency data unless the data is determined to be non-sensitive, 
:in writing, by your Deputy Secretary or an individual he/she 
:may designate in writing 
: 

And does "data" include operating system files, log files, cab files,
drivers, etc., or does it only include eg xls, doc, pdf and wpd files, etc.?
How has Bush defined "data"?  

Thx,

Eric 


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------