Educause Security Discussion mailing list archives
Re: Laptop encryption- Follow-up
From: randy marchany <marchany () VT EDU>
Date: Wed, 17 Nov 2010 10:39:07 -0500
On Tue, Nov 16, 2010 at 7:36 PM, Dave Koontz <dkoontz () mbc edu> wrote:
> I've watched this thread with much interest. I think that as stewards to our campus security we should not make any assumptions.
Agreed. We all know what "assume" means :-).
> The fact of the matter is we can not rely on an end user telling us whether or not they are storing potentially sensitive information, much less try to use that user report to determine whether or not to encrypt their machine. They may not even know what sensitive information means, let alone if they have any such information on their computer.
Institutions are forgetting that in almost all of their Acceptable Use Policies/Standards, they have a clause in there that says something like "the user is responsible for whatever originates/"is stored" on their computer". So, end users are responsible for protecting sensitive information. Your last sentence in the fragment above points to the institution's responsibility to educate the user on what sensitive data (to the institution) is, how to find and protect it and ultimately place some responsibility on the end user. I like to modify Tip O'Neill's famous saying to be "all security is local". If an end user and their dept head have to co-sign notification letters, behavior will be modified. We may not be able to secure "stupid" but we can make them sign their names over and over :-).
> To me, it seems a safe assumption that any machine has the "potential" to have sensitive information stored on it, intentionally or not, and should be encrypted. Notebooks are easily lost, however desktops can also be stolen. The question is whether the cost of the encryption software outweighs the potential cost of potential lawsuits. Why limit yourself to notebooks? You should also be thinking in terms of desktops, and smart-devices like iPhone, Android, etc. as well when talking about encryption.
I fully agree with these statements. It's the institution's responsibility to make a best effort to protect its sensitive data and a good strategy is to assume ALL systems may have it. There have to be multiple levels of security (encryption) employed to protect the sensitive data.

Randy Marchany
VA Tech IT Security Office