About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years of experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, July 23, 2010

Laptop Encryption - Necessary? Really?

Have a laptop? Travel with it? Ever worry about it being lost or stolen? Do you take extra steps to secure your laptop, such as placing it in the trunk or never leaving it in your hotel room? Who is responsible for the laptop if it is lost or stolen? Was it your responsibility? Do you know the laws around this topic?

The law mandates encryption of data on laptops, smart phones, USB sticks and similar platforms. Do you know what law? Try the new privacy laws. Some of the new privacy law requirements are unsurprising. Perhaps the bases are already covered: a Written Information Security Plan (WISP), encryption from laptops to servers, policy controls on third-party access, yada yada. You realize you’re not there yet, but steps have already been taken in the right direction. Right?

Fines? $5,000 per breach or lost record. Lose records for a thousand Massachusetts residents and the company could be out $5M. Okay, that’s serious. Taking it seriously? Not many companies are yet. Every laptop should be encrypted before it leaves the setup lab. The law requires a combination of “technical, administrative and physical safeguards.” Workstations and servers may be password protected, but what if the box is simply carried off and the disk contents examined? You may have a state-of-the-art firewall, but do your perimeter protections guard against walk-offs?

I propose to you that tools such as PointSec and SafeBoot are essential to every laptop build. Yes, MS Windows now comes with these features, so turn them on. No laptop should ever leave the building without safeguards. Laptops are lost or stolen all the time at airport security checkpoints, in hotel rooms, in cars, and the list goes on. The laptop was assigned to you, so you are responsible.

Laptop encryption should be part of your security framework. It is necessary, and it is now required by new privacy laws. I would also propose that each user be careful about what data they store on the laptop, back up that laptop and maintain the data.

It really is necessary.

Scott Arnett
scott.arnett@charter.net
