Educause Security Discussion mailing list archives

Re: Laptop encryption- Follow-up


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Tue, 16 Nov 2010 20:32:00 -0700

Having worked in the Fed/R&D sector for many years - I'm reminded of what our Chief Info Security Officer used to tell 
us and fed auditors:  ....If you want to try and solve all your sensitive data problems with technology, the first 
thing you'll need to outlaw is pencils and paper - because sensitive data can walk out on a pad of paper, as well as on 
a laptop....

Sorry - I just always liked when he threw that observation out to the auditor types - they always got the "something in 
the punchbowl" look, closed their briefcases and left for the day....

M

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz [dkoontz () MBC EDU]
Sent: Tuesday, November 16, 2010 5:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption- Follow-up

I've watched this thread with much interest.  I think that as stewards
to our campus security we should not make any assumptions.

The fact of the matter is we cannot rely on an end user telling us
whether or not they are storing potentially sensitive information, much
less try to use that user report to determine whether or not to encrypt
their machine.  They may not even know what sensitive information means,
let alone if they have any such information on their computer.

To me, it seems a safe assumption that any machine has the "potential"
to have sensitive information stored on it, intentionally or not, and
should be encrypted.  Notebooks are easily lost; however, desktops can
also be stolen.  The question is whether the cost of the encryption
software outweighs the potential cost of potential lawsuits.  Why limit
yourself to notebooks?  You should also be thinking in terms of
desktops, and smart devices like iPhone, Android, etc., as well when
talking about encryption.

On 11/16/10 12:20 PM, James Farr '05 wrote:
We are rolling this out for Faculty and Staff.  We are trying to educate
users about confidential information.  At the same time we know some people
need this information as part of their job responsibilities.  We also
acknowledge mistakes happen.

Right now we are looking at 3 options:
Option 1, Make 2 folders on every flash drive, protected and unprotected.
Allow the user to select which folder they are putting information into.
Option 2, Encrypt only new data written to the drive.
Option 3, Encrypt all data written to the drive, including existing data.

We have not encountered a scenario where we would allow someone to opt out
of encryption, but I am sure there will be one person.  If we find a machine
that absolutely cannot have encryption on it, I would require a program like
Identity Finder to make sure the user understands what type of data can and
cannot be stored on the machine.  I like your idea of a waiver. We have not
installed the server or local software. In the next month or two we will be
deciding on how to balance the policies.

James Farr
Utica College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Tuesday, November 16, 2010 12:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption- Follow-up

For those that responded to the encryption thread noting that you are using
Whole Disk Encryption for portable devices, would you mind sharing which
group this applies to? Is it just your staff members? Or faculty as well?

We are in the process of rolling out Bitlocker whole disk encryption to all
staff with laptops, but are planning to allow faculty to opt out of
Bitlocker if they sign a waiver stating that they do not store sensitive
data on their laptop per our Data Classification Policy. Is anyone doing
something similar?

From a breach standpoint, if the individual signs a waiver and states that
they do not have any sensitive information on their computer, do you employ
other controls like Identity Finder or DLP software to ensure that is the
case? Or is their signed waiver enough?

Any feedback, or examples of how you address lost/stolen devices from a
breach standpoint, is appreciated. Thank you.

Patty


Patty Patria
Bentley University


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.