Safeguarding Information on Laptop Computers by MitchBurroughs



Announcement - 05/04/2005, from the GT Office of Information Technology

Safeguarding Information on Laptop Computers
How to protect Institute-owned laptop computers, safeguard the information stored and used on
laptops, and limit liability due to theft or loss.

Precautions for Laptop Computer Users

Recent news reports have brought attention to the need for safeguarding laptops and the information on
them. Here are two examples:

“A Chinese-born American professor at the Georgia Institute of Technology has returned to the United
States from China after being arrested and detained for two weeks on charges of espionage.” – The
Chronicle, 9/3/2004. The professor’s laptop was confiscated for a period of time by the Chinese
government. Chinese customs regulations provide for seizure of computers to review contents. Encrypted
information must be decrypted or decryption keys provided.

“A thief recently walked into a University of California, Berkeley office and swiped a computer laptop
containing personal information about nearly 100,000 alumni, graduate students and past applicants,
highlighting a continued lack of security that has increased society’s vulnerability to identity theft.” – San
Francisco Chronicle, 3/29/2005.

Protecting the hardware is primarily a matter of guarding against theft, or against confiscation due to
potential violations of foreign laws regarding data encryption. Safeguarding information involves
protection against unauthorized access.

Protecting Data on Laptops

We recommend following these two steps:

    1.   Do not store any sensitive data on a laptop when traveling internationally.
    2.   If sensitive information must be stored or used on a laptop’s hard drive at Georgia Tech or
         while traveling, the information should be encrypted.

OIT strongly discourages the use of laptops to store any sensitive data (Category III or IV) as defined by the
Institute’s Data Access Policy. This includes any of the following:

    •    Social Security Number
    •    Driver’s license number
    •    Student identification number (gtID#)
    •    Bank account numbers
    •    Credit or debit card numbers
    •    Other banking information in combination with any required security code, access code, or
         password that would permit access to an individual’s financial account.

OIT also discourages the use of laptops to store research data and intellectual property that would
compromise research and teaching efforts if lost, destroyed or disclosed to other parties. Unit heads will
determine the level of acceptable risk for research data. It is highly recommended that mobile users travel
with a bare bones system that is properly secured. Please consult with your unit’s technical lead or contact
OIT Information Security for guidance.

Additionally, Georgia Tech requires disk and/or data encryption software for any laptop that will be used
for storing confidential personal information on individuals, including donors, volunteers, alumni, friends,
faculty, students, attendees, and staff. Examples of confidential data are any demographic, biographic, gift,
membership, employment, academic, admissions, or financial information associated with a specific

Procedures for Traveling with a Laptop

Laptop computers should be protected by following the physical security procedures and guidelines at all
times, especially when traveling. Any lost, stolen, or access-compromised laptop that contains sensitive
data must be immediately reported to the unit head and OIT’s Information Security office.
Laptops should be on the unit’s home loan agreement so that the Institute’s
insurance program will cover the cost of replacing the laptop in the event of loss, damage or theft.

Physical Security Measures

    •    Ensure the laptop has a GIT asset/property tag with appropriate contact information. This same
         information may also be duplicated on a special login banner to be enabled during travel, with
         explicit instructions on how to return the laptop.
    •    Do not allow the laptop to leave your presence when in transit.
    •    Never leave the laptop unattended in the passenger compartment of a car, locked or unlocked.
         Always place the laptop in the trunk or out of plain sight. In a hotel, lock the laptop in a safe.

Information Security Measures

    •    Install host-based protections including a personal firewall, anti-virus software, and anti-spyware.
    •    Apply all software patches.
    •    Ensure that there is a required login for the operating system.
    •    Purchase the asset tracking option at the time of purchase.
    •    Turn off file-sharing and print-sharing before traveling.
    •    Do not store any data on computers if traveling to countries with encryption restrictions. Refer to
         these U.S. Department of State documents:
              o “Tips for Traveling Abroad”
              o “Consular Information Sheets”
    •    Do not store sensitive data on a laptop without encryption.
    •    Back up your data before traveling.
    •    Use a unit-owned generic system for all international travel (recommended for domestic travel).
    •    Only access your email using a secure Web client or IMAP client.

Consult with your departmental technical support or the Office of Information Technology’s Information
Security office for specific technology selections and implementation procedures for encryption.

                                                     S:\Faculty information\orientation\Lap top Computer Precautions.doc
