Laptop Security 

Precautions for Laptop Computer Users

The purpose of this document is to help laptop computer users protect institutionally-owned laptop computers, safeguard the information stored and used on laptops, and limit liability due to theft or loss to the fullest extent possible.

Data Protection

The University IT Security Office recommends following these two steps:

1. Do not store any restricted or sensitive data on a laptop.
2. If the sensitive data must be stored or used on a laptop’s hard drive, the data must be encrypted.

The University IT Security Office strongly discourages the use of laptops to store any restricted or sensitive data as defined by the Duke Human Resources Data Access Policy. (link) This includes any of the following (complete lists are at the link above):

* Social Security Number
* Driver’s license number
* Home address or telephone number
* Bank account numbers
* Credit or debit card numbers
* Other banking information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
* Personally-identifiable health information
* Student information that falls under FERPA guidelines

The IT Security Office also discourages the use of laptops to store research data or intellectual property that would compromise research and teaching efforts if lost, destroyed or disclosed to other parties. Faculty and researchers should consider the level of acceptable risk for research data. It is highly recommended that mobile users travel with a bare bones system that is properly secured. Please consult with your department's technical staff for guidance.

Additionally, Duke strongly recommends disk and/or data encryption software for any laptop that will be used for storing restricted or sensitive personal information on individuals, including donors, volunteers, alumni, friends, faculty, students, attendees, and staff.
Examples of confidential data are any demographic, biographic, gift, membership, employment, academic, admissions, or financial information associated with a specific individual, in addition to the specific data elements that have been designated restricted or sensitive by the Duke Human Resources office.

Physical and Application Security for Laptops

Laptop computers should be protected by following the physical security procedures and guidelines at all times, especially when traveling. Any lost, stolen, or access-compromised laptop that contains restricted or sensitive data must be immediately reported to the department head and the University IT Security office (security@duke.edu). Laptops should be covered by Duke’s insurance program, and more information about that program can be found here: http://www.treasury.duke.edu/corprisk/insurance/laptop_pc_equip.html.

Physical Security Measures

• Ensure the laptop has a sticker with appropriate contact information. This same information may also be duplicated on a special login banner to be enabled during travel, with explicit instructions on how to return the laptop.
• Do not allow the laptop to leave your presence when in transit.
• Never leave the laptop unattended in the passenger compartment of a car, locked or unlocked. Always place the laptop in the trunk or out of sight. In a hotel, lock the laptop in a safe.

Information Security Measures

• Install host-based protections including anti-virus software and anti-spyware software.
• Apply all operating system and application patches.
• Ensure that there is a required login for the operating system.
• Ensure that all user accounts have strong passwords.
• Purchase and install an asset tracking option at the time of purchase (e.g. LoJack).
• Turn off file-sharing and print-sharing before traveling.
• Do not store any data on computers if traveling to countries with encryption restrictions. Refer to the following U.S. Department of State Web pages:
  • “Tips for Traveling Abroad” (http://travel.state.gov/travel/tips/tips_1232.html)
  • “Consular Information Sheets” (http://travel.state.gov/travel/cis_pa_tw/cis/cis_1765.html)
• Do not store restricted or sensitive institutional data on a laptop without encryption.
• Back up your data before traveling.
• Use a department-owned generic system for all international travel (recommended for domestic travel).
• Only access your email using a secure Web client or IMAP client.
• Only access Duke resources via the Duke VPN client.

Consult with your departmental technical support for specific technology selections and implementation procedures for encryption.