
Laptop Security Best Practices - Security Solutions of ...

Laptop Security Best Practices. Given the realities of an increasingly mobile workforce and the growing regulatory obligations of organizations, IT security professionals need to craft, communicate, and enforce more specific laptop security policies to prevent company and customer data from being compromised. Laptop policies either don't exist, or, if they do, they're not enforced. The lines of responsibility are often blurred between IT and Facilities/Security departments, which conflicts with effectively implementing existing policies. The weak link in the security chain, the end user, is left ill-trained to protect the vulnerable mobile computer.


End users need more specific rules and training, IT staff should implement automated and non-automated enforcement practices, and management should lead by example, provide clear direction and highlight good behavior. Laptop security policy and regulatory compliance requirements need to be balanced with knowledge worker productivity targets in order to help the organization achieve both its security and bottom-line goals.

This paper addresses the following areas:

I. Why a separate laptop policy?
II. Regulatory environment
III. Laptop security policy overview
IV. Balancing productivity and security
V. Laptop security: who is responsible?
VI. Training
VII. Management role
VIII. Policy considerations
IX. Laptop security policy checklist
X. References and links

PC Guardian > (800) 288.8126 > www.pcguardian.com

I. Why Have a Separate Laptop Security Policy?

Since the ChoicePoint case of 2005, the watershed data breach event where ID thieves compromised 163,000 accounts, hundreds more data breach cases have been reported, resulting in over 150 million consumer records being compromised. Many of these were a direct result of lost or stolen computers and computer components. The trend continues in 2007, with over one third of the 119 reported data breaches in the first three months of the year a result of lost or stolen

In such cases, organizations are left vulnerable to fines, customer loss from reputation damage, and costly remedies like consumer notification and credit report monitoring. ChoicePoint ended up paying ten million in civil penalties and five million in consumer redress. A study by the Ponemon Institute last year concluded that twenty percent of data breach victims cut ties with organizations that compromised their privacy.

Much of the blame for computer theft can be attributed to the end user. It's time for those responsible for IT physical security to reevaluate their policies in order to improve the way end users guard their mobile windows into the corporation's data.

II. Industry Regulation Touches Nearly Every Organization

The stakes have risen over the past decade, and gone are the days when only a handful of industries operated under serious security regulation. Recent corporate governance scandals (Enron, WorldCom) have increased the spotlight on corporate ethical behavior and the handling of data. Governments and individuals are insisting on accountability from public and private corporations to control their data.

With information access now ubiquitous, sensitive corporate and personal information needs to be protected more than ever. To prevent repeated scandals, protect the integrity of enterprise-owned information, and ensure customer privacy, dozens of privacy laws pertinent to all types of companies have emerged, and more are on the way. Some of today's most prominent security mandates include:

The Sarbanes-Oxley Act of 2002 requires strict internal controls and independent auditing of financial information as a proactive defense against fraud, with potentially serious civil and criminal penalties.

The Health Insurance Portability and Accountability Act of 1996 requires tight controls over handling of and access to medical information to protect patient

The Gramm-Leach-Bliley Act of 1999 requires financial institutions to create, document, and continuously audit security procedures to protect the nonpublic personal information of their clients, including precautions to prevent unauthorized electronic

The Federal Information Security Management Act requires federal agencies to develop, document and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors.

Although not a law, the PCI Data Security Standard was established by credit card companies to ensure the proper handling and protection of cardholder account and transaction

SB 1386, known as the Security Breach Information Act, is a state law governing organizations that serve customers residing in California and store confidential data about those customers on computers, or transmit such data over networks. The law requires proactive protection of private data for Californians, and provides a model for electronic privacy legislation that has been enacted in 33 other states.

IT Frameworks Provide Detailed Direction

Corporations faced with multiple compliance requirements are addressing this enormously complex challenge by utilizing industry- and government-sanctioned standard practices. They have invested millions to adopt IT governance frameworks that cover a large percentage of regulatory mandates. Three of the most widely employed frameworks include:

COBIT. Published by the IT Governance Institute (ITGI), COBIT emphasizes regulatory compliance. It helps organizations increase the value attained from IT and enables alignment with business goals and objectives. COBIT offers the advantage of being very detailed, which makes it readily adoptable across all levels of the organization.

ISO (ISO 27001). This is an international standard for the management of IT security that organizes controls into ten major sections, each covering a different topic. These are: business continuity planning, system development and maintenance, physical and environmental security, compliance, personal security, security organization, computer operations and management, asset control, and security policy.

NIST 800-53. This publication from the National Institute of Standards and Technology is a collection of recommended security controls for federal information systems. It describes security controls for use by organizations to protect their information systems, and recommends that they be employed with and as part of a well-defined information security program.

A Tree within the Forest

Given all the heavy lifting being done at the macro level to help companies comply with regulations and standards, it's not a stretch to see how a specific laptop security policy might get buried within a larger IS policy document.

