All computer systems face information security risks. Laptop computers are an essential business tool but their very portability makes them particularly vulnerable to physical damage or theft. Most important is the value of any critical information on or accessible through laptops.
Particular emphasis is placed on Macalester Sensitive Information (MSI), defined as information which should not be made public and which should only be disclosed under limited circumstances. MSI consists of two categories:
- Regulated: Information, the disclosure of which is regulated by federal, state, and/or local government (e.g., FERPA, HIPAA, GLBA, SOX and data collected from human subjects).
- Confidential: Information integral to the business operations of the college but otherwise not subject to state or federal laws or regulations. Examples include: information maintained by the Office of the Provost, Alumni/Advancement information, performance reviews, etc.
For a detailed and comprehensive description of Macalester Sensitive Information, see Macalester College Data Classification
Guidelines to Protect Laptop Information
- First and foremost, whenever possible MSI should not be stored directly on a laptop (or any other physical device such as an external hard drive, thumb or USB drive, etc.).
- MSI – as much as possible - should only be stored on Macalester network drives (either the H:/ or Home drive or G:/ or Group drive). Only if it is on a network drive can security and backup be guaranteed.
- If circumstances dictate that MSI must be stored on a laptop, the hard disk of the laptop should be encrypted in full-disk mode using only an approved methodology. Encryption provides extremely strong protection against unauthorized access to information. Note: Any other portable media (e.g., CD/DVDs, USB drives, memory sticks) containing MSI should also be fully encrypted.
- Choose a long and strong encryption password/passphrase and keep it secure. Never share it with anyone, not even members of your family, friends or IT staff. It is OK to write it down, provided you keep it in a secure place (such as your wallet, along with your credit cards). Review How to Create Strong Passwords: Two Approaches for more information.
- College laptops are provided for official use by authorized employees only. Do not loan your laptop or allow it to be used by others such as family and friends.
- Avoid leaving your laptop unattended and logged-on. Always shut down, log off or activate a screen lock or password-protected screensaver before walking away from the machine..
Guidelines to Ensure Physical Security of Laptops
- Keep your laptop in your possession and within sight whenever possible, just as if it were your wallet, handbag or mobile phone. Be extra careful in public places such as airports (12,000 laptops per week are stolen in the U.S. alone), railway stations or restaurants. It takes thieves just a fraction of a second to steal an unattended laptop.
- If you have to leave the laptop temporarily unattended in the office, meeting room or hotel room, even for a short while, use a laptop security cable or similar device to attach it firmly to a desk or similar heavy furniture. While not absolutely secure these locks do deter casual thieves.
- Lock the laptop away out of sight when you are not using it, preferably in a strong cupboard, filing cabinet or safe. This applies at home, in the office or in a hotel. Never leave a laptop visibly unattended in a vehicle. If necessary, lock it out of sight in the trunk or glove box. It is generally much safer to take it with you.
- Keep a note of the make, model, and serial number of your laptop but do not keep this information with the laptop. While it is the case that ITS already has this information, having it with you immediately in the event the laptop is lost or stolen can greatly assist the police in timely retrieval. Also, inform the ITS Help Desk immediately.
Virus Protection of Laptops
- Viruses are a major threat to the College and laptops are particularly vulnerable if antivirus software is not kept up-to-date. While ITS ensures that every college-owned laptop is configured with anti-virus software, the software can only do its job if it is regularly updated by connecting to the Internet at least weekly. If you cannot login for some reason, contact ITS Help Desk for advice on obtaining and installing antivirus updates.
- Email attachments are the number one source of computer viruses, worms, and other malware. Avoid opening any email attachment unless you were expecting to receive it from that person.
- Ensure that any files downloaded to your computer from any source (CD/DVD, USB hard disks and memory sticks, network files, email attachments or files from the Internet) are virus-scanned. Virus scans normally happen automatically but the ITS Help Desk can tell you how to initiate manual scans if necessary.
- Report any suspected security incidents (such as virus infections) promptly to the ITS Help Desk in order to minimize damage.
- At this time there are many variations of malware disguised as virus warning messages. If you experience unusual activity or are unsure about the messages you see, please contact the ITS Help Desk as soon as possible and do not forward any files or upload data onto the network if you suspect your device might be infected.
Other Guidelines for Laptops Backups
Information residing on physical devices of any kind (desktops, laptops, thumb drives, etc.) is highly vulnerable to crashes and dysfunctions of all kinds. Disaster can be avoided by regular backups.
The simplest and most secure way to do this is to logon and upload data from the laptop to the network (the H:/ or Home drive or the G:/ or Group drive) at least weekly.
If you are unable to access the network, it is your responsibility to make regular off-line backups to CD/DVD, USB memory sticks etc. Off-line backups containing MSI should be encrypted and physically secured.
If a laptop is stolen, lost or damaged, or simply malfunctions, it may be impossible to retrieve any of its information. Regular backups will help avoid the frustration and extra work associated with such events.
Most software, unless it is specifically identified as “freeware” or “public domain software,” may only be installed and/or used if the appropriate license fee has been paid. Shareware or trial packages must be deleted or licensed by the end of the permitted free trial period. Some software is limited to free use by private individuals whereas commercial use requires a license payment.
Copyright This document is based on copyright © 2007, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution- Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers’ forum , and (c) derivative works are shared under the same terms as this.