Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: Allison F Dolan <adolan () MIT EDU>
Date: Tue, 16 Nov 2010 14:12:55 -0500
Randy

Like all good regulations, the wording is ambiguous. The whole 'Computer System Security Requirements' section is prefaced with 'the extent technically feasible', and the specific reference to laptops is simply "Encryption of all personal information stored on laptops or other portable devices".

In talking with the regulators, it sounded like their thinking was influenced by the number of lost or stolen laptops, USBs and such, and thus they were thinking of the situation when the machine is powered off.

Since MA doesn't have an automatic safe harbor for encryption, there are those who believe that if you can show that the data was encrypted at the time of the loss/theft, then the AG may agree you don't need to notify.

(Given the limitations of FDE, we really push the mantra "you can't lose what you don't have"; if you have to have such info, then there is a laundry list of requirements, including, but not limited to, FDE on laptops)

......Allison Dolan (617-252-1461)

On Nov 16, 2010, at 1:37 PM, randy marchany wrote:
> Allison, you hit on my point about FDE? Is it really compliance? It seems to me that FDE complies with the MA law only if the laptop is powered off. Does FDE comply when you're using the computer? Not familiar with the MA wording so that's why I'm asking. Do you need some other encryption tool (truecrypt, PGP Netshare, GPG, etc.) to be compliant when the machine is in use?
>
> -r.
>
> On Tue, Nov 16, 2010 at 7:29 AM, Allison F Dolan <adolan () mit edu> wrote:
>
>> Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to encrypt personal data on laptops (and other portable devices) and in other states, if the lost/stolen laptop has been encrypted, then you don't need to notify
>>
>> ......Allison Dolan (617-252-1461)