Pass the Aspirin

[InfoSec News <isn () c4i org>]

http://www.rednova.com/news/technology/205549/pass_the_aspirin/

12 August 2005

The ubiquitous Laptop! So much in so small a package, and therein lies
the probLem.

More costLy than many desktop computers, they pack an entire office
into a tiny box. Some community bankers "live" out of their Laptops.

Which is fine unless the Laptop goes missing and private customer data
is exposed to potential loss, and worse.

At ABA's recent Regulatory Compliance Conference, speakers warned
Listeners that one of the most common causes of customer data breaches
is the "lost laptop."

"I've had clients trolling the pawnshops, trying to find out what
happened to their missing laptops," said Oliver Ireland, partner at
the Morrison & Foerster law firm, in Washington, D.C.

Gilbert Schwartz, partner at Schwartz & Ballen, also of Washington,
advised bankers to be sure that any laptop that leaves the bank
premises be equipped for data encryption. The only saving grace, he
added, about the "lost laptop" is that thieves most typically are
opportunists looking to simply fence the machine itself.

William H. Henley, Jr., of the FDIC said the loss of a laptop
protected by encryption might not have to be disclosed to the public-
the federal guidelines give banks some leeway on disclosure. Henley,
examination specialist in FDIC's Technology Supervision Branch, in its
Division of Supervision and Consumer Protection, said this ultimately
hinges on the bank's assessment of the likelihood of the encrypted
data remaining so.

The comments at the compliance conference prompted this month's Pass
the Aspirin question.


THE HEADACHE

Lost laptops lay open lenders to liability: Does your bank have an
established policy and procedure regarding removal of bank-owned
laptops from the bank's premises and the inclusion of customer files
on those laptops?


REMEDY 1

Tom Mantor, president and COO, Bank of Walnut Creek, $500 million-
assets, Walnut Creek, Calif.

Our bank has an established policy whereby laptops may leave the
premises. However, no customer information is stored on laptops.  
Customer information is stored on network drive and can be accessed
off-site. In addition, only a handful of laptops are authorized and
that is to select senior staff. By comparison, paper customer files
are not allowed off-site.


REMEDY 2

Jim Mathews, vice-president, Internal Audit, Valley Bank & Trust,
$248.8 million-assets, Brighton, CoIo.

Although we only have only a handful of these units in our bank that
can be checked out, we adhere to our laptop usage policies very
closely before releasing a unit.

The major use of our laptops so far have been for use at off- site
training sessions, allowing the officer an effective way to take
notes, and to keep in touch with the bank as well through our network.  
The only encryption we use is what is provided by Microsoft in its
software suite on the laptop.

Mathews provided excerpts from the bank's laptop usage policy, which
can be found at www.ababj.com.


REMEDY 3

John Hutchison, senior vice-president-compliance, Capital City Bank
Group, Inc., $2.3 billion-assets, Tallahassee, FIa.

Yes, we have a policy. Any associate taking a laptop off bank premises
must keep it in their personal possession. It cannot be checked at an
airport, given to a hotel porter, or otherwise allowed out of the
associate's hands, unless any client information on it has been
encrypted. Whenever possible, client information would be encrypted,
and the laptop would always be password protected. Any associate who
wishes to have access to the main systems from their laptop must be
able to justify the need, and firewall protection is provided.

Similar limitations would apply to any paper file. Associates are
permitted to take certain files out of the office (such as to deliver
files to auditors or examiners in another location), but they are not
supposed to take them home if they contain loan documents. Any paper
files with client information should be in their personal possession
at all times.


REMEDY 4

I Mike Murphy, executive vice-president and CFO, First American Bank,
$242 million-assets, Purcell, OkIa.

We do not have a "poLicy" regarding removal of bank-owned laptops from
banking premises, but we do have a "practice" of not putting customer
information on the laptops we do have. That information is housed on
servers maintained in secure areas of each banking center. Those
laptops which we do have are primarily used for training lab purposes.

It is interesting you bring this up because we recently had a laptop
which was stolen from banking premises. One of the first questions we
asked was what was on the laptop. Fortunately, the answer did not
include any customer information.


ASPIRIN RESOURCES

Some of the solutions to laptop security simply require common sense.  
You don't leave a laptop with sensitive data on it-or perhaps any
laptop-in an unoccupied hotel or conference room without some
precautions. Some suggest separating the computer from the sensitive
data by storing the latter on a removable memory device. One doesn't
hear anything about shackling the laptop to the traveler's wrist,
though it would certainly make going through airport security
interesting. Speaking of the government, the following links have some
federal tips on laptop security: physical security,
www.uscert.gov/cas/tips/ST04-017.html and data security, www.us-
cert.gov/cas/tips/ST04020.html

Three categories of products that can address aspects of the lost
laptop problem are: encryption software; physical security devices;  
and laptop tracking software. Please note that these listings appear
as a sampling of what's out there, and in no way imply an endorsement
on the part of ABA Banking Journal nor the American Bankers
Association.

Encryption: Some encryption programs are comprehensive, while others
offer "a Ia carte" software, with separate products covering
encryption of storage media, e-mail, and more. Certain Windows
operating systems, as indicated in one of the bankers' answers above,
feature encryption of their own. It is up to the bank whether these
built-in measures suffice. Further information about Windows- based
encryption can be found at www.microsoft.com.

Control Break International, Inc., www.safeboot.com

Cypherus, Inc., www.cypherus.com

Jetico, Inc., www.jetico.com

PC-Encrypt, Inc., www.pc-encrypt.com

PC Guardian Technologies, Inc., www.pc guardiantechnologies.com

PGP Corp., www.pgp.com

SafeNet Inc., www.safnet-inc.com

Physical security: These devices may include cabling; locks; lockable
frames that can prevent a closed laptop from being opened; specialized
locks for drives and removable media; barcoded stickers that make it
harder to sell stolen laptops to unsuspecting buyers; and more. Some
may be packaged with encryption or other security software.

Computer security Products, Inc., www.computersecurity.com

Compucage International, www.com pucage.com.

PC Guardian Anti-Theft Products, Inc., www.pcguardiananti-theft. com

STOP (security Tracking of Office Proper ty), www.stoptheft.com

Think Products, Inc., www.laplocker.com

Laptop tracking: This type of software automatically transmits via the
internet to a central location when the laptop is used to go online
and reveals where the machine is plugged into the internet. If a
machine is reported stolen to the software vendor, the information is
reported to local, authorities. Some of these companies offer
additional services as part of the package, including the ability to
destroy all data on the laptop's hard drive from the vendor's location
while the machine is online. One vendor, Absolute Software, Inc.,
posts a $1,000 guarantee on its website. If they fail to get your
missing laptop back, you get the money.

Absolute Software, Inc., www.absolute.com

CyberAngel security Solutions, Inc., www.sentryinc.com

Stealth Signal, Inc., www.stealthsignal. com

Trackion, www.trackion.com


HEADACHE #2

Data breaches have been much in the news because of recent breaches at
major retailers, the new federal mandates regarding breaches connected
with bank customer information, and passage of some relevant state
laws. Some banks automatically issue new cards to affected customers,
while others may do so only on request.

How has your bank handled this and what kinds of costs have you faced?


REMEDY 1

Gordon L. Gentry, Jr., chairman, TowneBank/Peninsula, $1.5
billion-assets, Newport News, Va.

In the last two years, we have re-issued certain credit cards due to
notification by MasterCard that merchants have experienced a data
breach. While not a massive number, the expense-estimated to be
several thousand dollars-is one we would not otherwise have
encountered.


REMEDY 2

Jon Rohlfs, assistant vice-president and security officer, First State
Bank and Trust, $156.1 million-assets, Fremont, Neb.

First State Bank & Trust Co. has been affected by the recent breaches
at third-party processors. We have chosen to close all cards that were
involved with these breaches, so we have incurred a cost of reissuing
new cards ($2.50 per card), as well as the time spent doing so.

Copyright Simmons-Boardman Publishing Corporation Aug 2005



_________________________________________
Attend ToorCon 
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org