Educause Security Discussion mailing list archives

Re: Laptop encryption- Follow-up


From: randy marchany <marchany () VT EDU>
Date: Wed, 17 Nov 2010 10:39:07 -0500

On Tue, Nov 16, 2010 at 7:36 PM, Dave Koontz <dkoontz () mbc edu> wrote:

> I've watched this thread with much interest.  I think that as stewards
> to our campus security we should not make any assumptions.


Agreed. We all know what "assume" means :-).


> The fact of the matter is we can not rely on an end user telling us
> whether or not they are storing potentially sensitive information, much
> less try to use that user report to determine whether or not to encrypt
> their machine.  They may not even know what sensitive information means,
> let alone if they have any such information on their computer.


Institutions are forgetting that in almost all of their Acceptable Use
Policies/Standards, they have a clause in there that says something like
"the user is responsible for whatever originates/"is stored" on their
computer". So, end users are responsible for protecting sensitive
information. Your last sentence in the fragment above points to the
institution's responsibility to educate the user on what sensitive data (to
the institution) is, how to find and protect it, and ultimately place some
responsibility on the end user. I like to modify Tip O'Neill's famous saying
to be "all security is local". If an end user and their dept head have to
co-sign notification letters, behavior will be modified.  We may not be able
to secure "stupid" but we can make them sign their names over and over :-).


> To me, it seems a safe assumption that any machine has the "potential"
> to have sensitive information stored on it, intentionally or not, and
> should be encrypted.  Notebooks are easily lost, however desktops can
> also be stolen.  The question is whether the cost of the encryption
> software outweighs the potential cost of potential lawsuits.  Why limit
> yourself to notebooks?  You should also be thinking in terms of
> desktops, and smart-devices like iPhone, Android, etc. as well when
> talking about encryption.


I fully agree with these statements. It's the institution's responsibility
to make a best effort to protect its sensitive data and a good strategy is
to assume ALL systems may have it. There has to be multiple levels of
security (encryption) employed to protect the sensitive data.

Randy Marchany
VA Tech IT Security Office
