Safeguarding Information on Laptop Computers
Announcement - 05/04/2005, from the GT Office of Information Technology
How to protect Institute-owned laptop computers, safeguard the information stored and used on laptops, and limit liability due to theft or loss.
Precautions for Laptop Computer Users
Recent news reports have brought attention to the need for safeguarding laptops and the information on them. Here are two examples:

“A Chinese-born American professor at the Georgia Institute of Technology has returned to the United States from China after being arrested and detained for two weeks on charges of espionage.” – The Chronicle, 9/3/2004. The professor’s laptop was confiscated for a period of time by the Chinese government. Chinese customs regulations provide for seizure of computers to review contents. Encrypted information must be decrypted or decryption keys provided.

“A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society’s vulnerability to identity theft.” – San Francisco Chronicle, 3/29/2005.

Protection of the hardware is primarily against theft or confiscation due to potential violations of foreign laws regarding data encryption. Safeguarding information involves protection against unauthorized access.

Protecting Data on Laptops

We recommend following these two steps:

1. Do not store any sensitive data on a laptop when traveling internationally.
2. If the sensitive information must be stored or used on a laptop’s hard drive at Georgia Tech or while traveling, the information should be encrypted.
OIT strongly discourages the use of laptops to store any sensitive data (Category III or IV) as defined by the Institute’s Data Access Policy. This includes any of the following:

• Social Security Number
• Driver’s license number
• Student identification number (gtID#)
• Bank account numbers
• Credit or debit card numbers
• Other banking information in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
OIT also discourages the use of laptops to store research data and intellectual property that would compromise research and teaching efforts if lost, destroyed or disclosed to other parties. Unit heads will determine the level of acceptable risk for research data.

It is highly recommended that mobile users travel with a bare bones system that is properly secured. Please consult with your unit’s technical lead or contact OIT Information Security for guidance.

\\server\Misc\Orientation for SA and XD\Lap top Computer Precautions.doc 5/9/2005

Additionally, Georgia Tech requires disk and/or data encryption software for any laptop that will be used for storing confidential personal information on individuals, including donors, volunteers, alumni, friends, faculty, students, attendees, and staff. Examples of confidential data are any demographic, biographic, gift, membership, employment, academic, admissions, or financial information associated with a specific individual.

Procedures for Traveling with a Laptop

Laptop computers should be protected by following the physical security procedures and guidelines at all times, especially when traveling. Any lost, stolen, or access-compromised laptop that contains sensitive data must be immediately reported to the unit head and OIT’s Information Security office (security@gatech.edu). Laptops should be on the unit’s home loan agreement so that the Institute’s insurance program will cover the cost of replacing the laptop in the event of loss, damage or theft.

Physical Security Measures

• Ensure the laptop has a GIT asset/property tag with appropriate contact information. This same information may also be duplicated on a special login banner to be enabled during travel, with explicit instructions on how to return the laptop.
• Do not allow the laptop to leave your presence when in transit.
• Never leave the laptop unattended in the passenger compartment of a car, locked or unlocked. Always place the laptop in the trunk or out of plain sight. In a hotel, lock the laptop in a safe.
Information Security Measures

• Install host-based protections including a personal firewall, anti-virus software, and anti-spyware software.
• Apply all software patches.
• Ensure that there is a required login for the operating system.
• Purchase the asset tracking option at the time of purchase.
• Turn off file-sharing and print-sharing before traveling.
• Do not store any data on computers if traveling to countries with encryption restrictions. Refer to these U.S. Department of State documents:
  o “Tips for Traveling Abroad” (http://travel.state.gov/travel/tips/tips_1232.html)
  o “Consular Information Sheets” (http://travel.state.gov/travel/cis_pa_tw/cis/cis_1765.html)
• Do not store sensitive data on a laptop without encryption.
• Back up your data before traveling.
• Use a unit-owned generic system for all international travel (recommended for domestic travel).
• Only access your email using a secure Web client or IMAP client.
Consult with your departmental technical support or the Office of Information Technology’s Information Security office for specific technology selections and implementation procedures for encryption.