Educause Security Discussion mailing list archives
Re: Looking for a laptop encryption policy for institutionally-owned laptops
From: Steve Brukbacher <sab2 () UWM EDU>
Date: Thu, 22 Mar 2007 11:32:54 -0500
This has not made it into formal policy for us yet, but this is the direction we are going:

Here are our guidelines on device configuration
https://www3.uwm.edu/IMT/security/resources/4-CompSecConfig0606.pdf
from
https://www3.uwm.edu/IMT/security/resources/information_security_guidelines.cfm

This section specifically speaks to this issue:

----------------------------------
C. Laptop Security for Campus Owned Equipment/Departmental Computers (In Addition to those that apply based on operating system)

i. Laptop Security Cables
   1. Laptops should be secured with a cable whenever possible to deter theft and provide for more complete insurance coverage should a theft occur.

ii. Encryption
   1. Confidential or sensitive data stored on a laptop or other mobile device should be encrypted.
   2. Full hard drive encryption is strongly encouraged on laptops and mobile devices containing confidential information.

iii. Authentication
   1. Authentication with strong passwords are required on all laptop devices. A strong password is one that is not obvious or easy to guess. It should be 8-12 characters long and include a combination of upper and lowercase letters, numbers and symbols such as punctuation marks and special characters.
   2. Two factor authentication and full hard drive encryption are strongly encouraged on laptops and mobile devices containing confidential information.
-----------------------------------------

Our Data Classification Guidelines also support this.

We are piloting a full hard drive encryption product beginning next month (waiting on licensing stuff to clear). Provided this test period shows that we can truly support this for the campus, then we'll amend the guidelines above to require rather than recommend laptop full hard drive encryption wherever technically possible.

Why are we doing this? We have a state data breach notification law. If we can certify the device was encrypted we do not have to report under the Wisconsin law, (WA138).

Given the pervasiveness of confidential data in a University setting, and the high rate of laptop thefts, it is prudent to encrypt them all if it is technically and financially feasible. We'll be building the cost of the software into the standard laptop purchase package eventually as we have for security cables.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site www.security.uwm.edu
Phone: 414.229.2224

Ardoth Hassler wrote:
Hi.... I'm in search of a sample policy that addresses encryption of institutionally-owned laptops. Thanks in advance for sharing. Ardoth (Also posted this to the ICPL list so I apologize for the cross post.)