Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Looking for a laptop encryption policy for institutionally-owned laptops
From: Steve Brukbacher <sab2 () UWM EDU>
Date: Thu, 22 Mar 2007 11:32:54 -0500

This has not made it in to formal policy for us yet, but this is the
direction we are going:

Here's our guidelines on device configuration
https://www3.uwm.edu/IMT/security/resources/4-CompSecConfig0606.pdf
from
https://www3.uwm.edu/IMT/security/resources/information_security_guidelines.cfm

This section specifically speaks to this issue:

----------------------------------
C. Laptop Security for Campus Owned Equipment/Departmental Computers
(In Addition to those that apply based on operating system)

i. Laptop Security Cables
1. Laptops should be secured with a cable whenever possible to deter
theft and provide for more complete insurance coverage should a theft occur.

ii.. Encryption
1. Confidential or sensitive data stored on a laptop or other mobile
device should be encrypted.

2. Full hard drive encryption is strongly encouraged on laptops and
mobile devices containing confidential information.

iii.. Authentication
1. Authentication with strong passwords are required on all laptop
devices. A strong password is one that is not obvious or easy to guess.
It should be 8-12 characters long and include a combination of upper and
lowercase letters, numbers and symbols such as punctuation marks and
special characters.
2. Two factor authentication and full hard drive encryption are strongly
encouraged on laptops and mobile devices containing confidential
information.
-----------------------------------------

Our Data Classification Guidelines also support this.

We are piloting a full hard drive encryption product beginning next
month (waiting on licensing stuff to clear). Provided this test period
shows that we can truly support this for the campus, then we'll amend
the guidelines above to require rather than recommend laptop full hard
drive encryption wherever technically possible.

Why are we doing this? We have a state data breach notification law.  If
we can certify the device was encrypted we do not have to report under
the Wisconsin law, (WA138).  Given the pervasiveness of confidential
data in a University setting, and the high rate of laptop thefts, it is
prudent to encrypt them all if it is technically and financially
feasible.   We'll be building the cost of the software into the standard
laptop purchase package eventually as we have for security cables.



--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Ardoth Hassler wrote:
Hi.... I'm in search of a sample policy that addresses encryption of
institutionally-owned laptops. Thanks in advance for sharing.

Ardoth

(Also posted this to the ICPL list so I apologize for the cross post.)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]