RE: Notebook policy (need advice)
- From: "Barrett, Will" <wbarrett@xxxxxxxxxxxxx>
- Date: Sun, 28 Jan 2007 18:21:03 -0700
So what you are saying is:
NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP! (Unless it is in the custody of a armed law enforcement official)
Anybody, and I mean ANYBODY, (unless they are an armed law enforcement official) found with sensitive data on their laptop
should have it seized and they should be immediately dismissed.
You should have said so to begin with.
Whether you carry a gun or not there will be occasions where there is someone in your company/agency/organization that needs to have secure information on a laptop or other portable device. The best you can do is mitigate the threat that this presents depending on your organizations and threat acceptance.
And don't use absolutes. Absolute rules will absolutely get you in trouble.
"Thank you for playing, try again."
Cheers,
Will Barrett
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Eric Furman
Sent: Friday, January 26, 2007 9:32 AM
To: Patton Roub; security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: Notebook policy (need advice)
Oh please, this is hardly worth replying to.
Said laptop would be in the possession of an armed law enforcement official. Hardly an unsecure environment.
Thanks for playing, try again.
On Fri, 26 Jan 2007 09:09:49 -0700, "Patton Roub" <proub@xxxxxxxxxxx>
said:
What would be your recommendation to the drug enforcement Special
Agent who is recording the sensitive data outside the house of a
suspect, and then using that data to create a search warrant on that
computer to present to a Judge down the street? Oh, did I mention the
data he must have downloaded earlier to make sure he is looking for the right guy?
Wireless is not available, and we don't want Special Agents climbing
poles.
Never ever say never.
Regards
Patton J Roub
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Eric Furman
Sent: Thursday, January 25, 2007 2:09 PM
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: Notebook policy (need advice)
I'll give you one very simple policy that you should enforce that will
make most of your concerns moot:
NEVER EVER EVER STORE SENSITIVE DATA ON A LAPTOP!
Anybody, and I mean ANYBODY, found with sensitive data on their laptop
should have it seized and they should be immediately dismissed.
There is virtually no reason to ever store sensitive data on a laptop.
Sensitive data should only ever reside on hardened servers in a
physically secured server room. If your employees need to work with
this data there are several means to securely access this data
remotely.
(And, indeed, make sure the room AND its data storage is truly secure.
There have been recent break-ins at certain companies and data tapes
containing sensitive data were stolen.)
On Wed, 24 Jan 2007 22:50:47 -0500, "Tony UcedaVélez"
<tonyuv@xxxxxxxxxxxxx> said:
Definitely agree with the previously made comments on the use of
full disk encryption and points made on AV, however, I wanted to
simply add to those points by saying that the issuance of notebooks
should be focused on those user groups that would most benefit from
a portable computing device.
Not all positions within a company require the use of a notebook for
work (although, in the near future this may very well change).
Obviously, the portability of laptops could be recommended to be
reserved for those who travel/ telecommute or use it for working
sessions in company war rooms (developers, project managers come to
mind). Point here is that the scope and applicability of any
security policy could achieve a more targeted audience, versus a
broad unknown audience who truly don't benefit by having a notebook.
This recommendation is obviously touch to act upon in organization's
where notebooks have already been issued without specific
consideration to the job function. However, if possible the added
value in the above mentioned is the following:
1. IT Operations adheres to imaging and providing laptops to those
whose roles and responsibilities require the use of a notebook.
Often times, IT Ops groups elect to image a resource that is readily
available or one in which the user prefers.
2. Again, a policy surrounding notebook usage will be geared to a
specific audience instead of rolling out a policy to everyone,
regardless of whether they have a notebook or not. Improved
accountability, focused security CBT modules (related to mobile
computing) are some positive by-products that result.
3. Cost savings can be multi-fold here. Since roles and
responsibilities will dictate who gets a notebook, cost savings are
realized not only on the price per notebook, but also the costs
associated with software licenses that are specific to portable information assets.
Again, this suggestive advice obviously depends on the 'mobile'
culture of your company's workforce. Also affecting the above is
whether you'll be able to 'backtrack' to make such a recommendation.
Regarding local admin use, again, I would revert to what the roles
and responsibilities are for the employees and creating various
images that coincide with their respective user groups/ types.
Ideally, a collaborative effort between HR and IT Security should make this work.
Btw, along with AV and FDE, I'd include in the policy the use of
personal firewalls and HIPS agents, especially for the road warriors
of your organization.
Hope this helps.
Best Regards,
Tony UcedaVélez, CISA, GIAC
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv@xxxxxxxxxxxxx
(web) www.versprite.com
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Nicolas Arias
Sent: Tuesday, January 23, 2007 8:12 AM
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Notebook policy (need advice)
Hi guys!, in my company we have a lot of notebooks, but theres no
formal security policy about them.
Can you tell me how do you handle this?
Do you give an local admin for the owner?, do you use full disk
encryption?, what about anti-virus and external scans?
Any idea is going to be really preciated.
Cheers!!
?This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.?
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
- Follow-Ups:
- RE: Notebook policy (need advice)
- From: Greg Jones
- RE: Notebook policy (need advice)
- References:
- RE: Notebook policy (need advice)
- From: Tony UcedaVélez
- RE: Notebook policy (need advice)
- From: Eric Furman
- RE: Notebook policy (need advice)
- From: Patton Roub
- RE: Notebook policy (need advice)
- From: Eric Furman
- RE: Notebook policy (need advice)
- Prev by Date: Sample application to learn application security
- Next by Date: New Security Cartoon Series
- Previous by thread: RE: Notebook policy (need advice)
- Next by thread: RE: Notebook policy (need advice)
- Index(es):
Relevant Pages
|
