Laptop Security Assessment

Did you know that your company's confidential information is climbing over your corporate firewall and escaping from your fancy intrusion detection systems? Every day, gigabytes of information walk right out your front door - on your company's laptops. How expensive would it be if one of these laptops was stolen?

Before you start checking the deductible on your insurance premium, take a second to do a security assessment on the true value of the laptop: the information stored within. Making it even more valuable, or at least potentially costly, is the passage into law of California Senate Bill 1386 (SB1386). The burden of maintaining information confidentiality has been pushed onto the information holder - you.

Per SB1386: Following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information [being a name and social security, drivers license or account, credit or debit card number] was, or is reasonably believed to have been, acquired by an unauthorized person...shall disclose any breach [potentially including] notification to major statewide media.

While there are no direct civil penalties or fines, the disclosure requirements of the law are severe enough to hurt the viability of even the most reputable institution. And, even though it's a California law, it has national implications because of the media notification clause. With this in mind, how much of a liability might that stolen laptop become? With a little up-front due diligence and security assessment, these liabilities can be reduced by taking some simple steps to help prevent laptop incidents from occurring.

Security Assessment: Threats

Security assessments show that the information on a laptop can be compromised in two ways: physical theft of the laptop itself, or a network intrusion while the laptop is attached to an unprotected external network.

From the security checkpoint at airports to the back of rental cars to the presenter table at a conference, information thieves are walking away with laptops every day. While the motivation of most of these thefts is not for the information stored on the laptop but the hardware itself, there have been incidents where specific individuals' laptops have been targeted for the information stored within.

Security assessments show that connecting a laptop to a remote network is the other easy way to compromise the security of confidential information. Remote networks vary from the wireless access point (WAP) at your local coffee shop, to wired connections in a hotel room and the cable modem in your home office.

Thinking about using that wireless network at Starbucks without a personal firewall or VPN? You might as well just run a patch cable around your corporate firewall directly to your laptop. Either way, security assessments show that your computers are exposed.

Security Assessment: Policies and Procedures

As always, the easiest way to prevent something from happening is to implement policies and procedures to ban activities that might compromise data security, and to thoroughly train your employees to follow said procedures.

A very simple policy and cost-effective procedure is to limit the amount of confidential information on a laptop. This could be enforced by a periodic security assessment, wiping clean the laptop of all user information and requiring the user to log and maintain a minimal set of confidential information on the laptop between trips out of the office. By maintaining a log and keeping minimal data on the laptop, liability is limited should an incident occur.

Rather than storing confidential information directly on the laptop, it should be stored on external storage, allowing the laptop to remain void of any confidential information. External storage solutions include network storage (file servers), online data stores (websites) and locally attached storage devices (discs or USB flash drives). USB flash drives are very convenient, holding large amounts of data on a key-sized device for under $100.

Laptops using a network to download confidential information should not locally cache data. Locally attached storage devices need to be kept separate from the laptop when not in use, and travel separately from the laptop. Security assessments show that this eliminates any exposure should the laptop, the most likely target of a thief, be stolen, but users definitely need to be vigilant about keeping the external storage device secure.

A firewall and a VPN should be required when a laptop is attached to any remote network, if the policy even allows laptops to be connected to remote networks. Wireless networks should never be considered secure, as the majority are easily tapped. Hotel and coffee shop wireless networks are typically run in an unencrypted manner, allowing anyone to watch network traffic to and from laptops. The encryption in modern wireless devices is dreadfully inadequate and defeated by a number of readily available tools. A personal firewall will prevent malicious users from connecting to the laptop and a VPN will encrypt any data sent from the laptop across the air.

Wired remote networks, such as home office DSL, cable modem and dial-up, carry the same threats as wireless networks, in that malicious users can watch unencrypted data across the network and initiate attacks on an unprotected laptop. Once again, security assessments show that a personal firewall and VPN should be in place if the laptop is even allowed to connect to a remote network in the first place.

Data Security Assessment

As mentioned above, the amount of information stored on a laptop should be kept to a bare minimum. Rather than loading up a laptop with all the user information, just download the information that is required for this trip out of the office. On the next trip, clean out the old data and load up the new. If an incident occurs, then the liability is much more limited.

Data encryption and digital rights management (DRM) solutions are coming of age and will soon be encrypting all information across networks and laptops. With a DRM solution, all information is encrypted, and requires the user to enter a password to view files, making security assessment simpler. In addition, a detailed history of requested licenses is maintained, which is crucial in case of laptop theft.

Hopefully, you'll never have to worry about a laptop theft, but with a few of these suggestions the risks can be mitigated. Laptops are becoming a pervasive part of today's mobile society, and some will disappear. However, with a few of these suggestions and vigilant security assessment, the liability will be minimal, there won't be any information loss, and your only concern will be which shiny new laptop model you'll have to order.