Re: Stolen Laptops

[Sherry Callahan <scallahan () KUMC EDU>]

We considered Bitlocker as well because we already had Active Directory and it would be easy to implement. And, let's 
face it, the price doesn't get any better.  However, what made us move to purchasing a commercial solution 
(Safeboot\McAfee) was our need to verify with 100% certainty that a device was encrypted on the day it was stolen.  
Without a central console, Bitlocker can't give you that assurance beyond knowing that it was encrypted at one point.  
We have some researchers and faculty that sometimes decide they don't want certain applications on their laptops, so 
they wipe the drives and reinstall the operating system, thus wiping off the encryption.  We can see that they've done 
that within our CompuTrace and McAfee consoles.  Since whether or not the device was encrypted when stolen is now the 
biggest factor in determining if a disclosure has happened under the HITECH Act (HIPAA), having that 100% certainty is 
of HUGE benefit.
 
Having said that, however, Bitlocker and FileVault are steps in the right direction and are certainly better than not 
using encryption.
 
Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966 
scallahan () kumc edu

> > > Kimberly Heimbrock <heimbrockk () NKU EDU> 7/29/2010 12:48 PM >>>
Thanks to all for your input so far - just a little more background on what we are dealing with at NKU...

Over the past 8-9 months we have had a LOT of theft on campus, particularly laptops.  Overall, 36 laptops were stolen 
since last October (that I know of) - likely by an internal staff member who has keys to lots of campus areas and can 
go around unnoticed at night and on weekends.  Our biggest concern has been the data within, not just the equipment.  
We have been able to prove that sensitive data resided on some of the systems - so yeah we are on the breach reports :-(

As several posts have commented, a layered approach will be employed.  We just implemented a new policy for all new 
laptops to be Encrypted with MS Bitlocker, and are considering desktops too. Macs will be using Filevault as soon as we 
test more completely.  We just licensed Identity Finder and will be removing sensitive data - hopefully all over campus 
if we can get our users to understand that they need to do so. We continue to increase security cameras and electronic 
locks as budget permits.  Usually we are one step behind the thieves!  As one advised, we may look into tracking 
cameras too. 

We will be investing in some sort of laptop tracking software, but not sure yet which one.  We are leaning toward the 
tools that allow us to 'push' it out to the systems, so we can make progress without having to touch 1200 laptops 
individually - which would never get done.  From a physical aspect, we will be increasing laptop security education for 
employees, possibly looking into physical etching, tags, or rfid's, etc.  All we need is agreement and budget - easy 
right??!?  We have also added more cameras, electronic door readers, etc.

I find that nearly all the time, users 1) do not think they have any sensitive data; 2) it won't happen to them; and 
3)don't care to spend time or energy on security.  We are trying to push out awareness in heavy doses but user behavior 
continues to be our biggest risk.

Hopefully we are close to catching the recent theft ring, but we will continue with efforts to reduce the issue - 
especially with laptops.  

Thanks again to all who posted...very helpful as always.


Kim Heimbrock
Director, IT Policy and Compliance
Northern Kentucky University
(859) 572-5139 
heimbrockk () nku edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben Woelk
Sent: Thursday, July 29, 2010 1:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stolen Laptops

To be more specific, we're requiring encryption on university owned or leased laptops. We do not require it on 
personally owned laptops. We discourage use of personally owned laptops to access university information resources, but 
the responsibility for authorizing use of personal equipment lies with the respective dean or VP. We do require 
documented technical controls on ALL laptops that access Private or Confidential information. (This information is in 
our Information Access and Protection Standard--http://security.rit.edu/iap.html)

Ben Woelk '07
Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
ROS 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623 
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html 

Become a fan of RIT Information Security at http://rit.facebook.com/RITInfosec

Follow us on Twitter: http://twitter.com/RIT_InfoSec


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Green
Sent: Thursday, July 29, 2010 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stolen Laptops

http://www.educause.edu/sites/default/files/library/presentations/SEC10/SESS11/SPC%2B2010%2Bdisk%2Bencryption%2B-%2Ball.pdf
 slide 16 is what we did and now do. A big pain point was a lot of personally owned approved devices for work and 
needing to support encryption on those.  

There's nothing like bricking an associate dean's brand new "I want to watch movies on a plane and keep up with my UAB 
work that may include sensitive email"  $300 netbook right before a month long trip to France.

Don't require it:  Expect the edge cases not to do it.   Require it:  Expect a painful process dealing with edge cases 
if you don't have a fairly locked down set of hard ware platforms.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
MICHAEL
Sent: Wednesday, July 28, 2010 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stolen Laptops

Are your institutions "encouraging encryption" on laptops, or "requiring encryption" on laptops?  We're moving to 
Symantec Endpoint Encryption (it was GuardianEdge, but they got bought by Symantec - which is actually good for us, 
since we use Symantec Altiris, SEP, etc.) and will be doing full disk encryption on any/all non-instructional (student 
use) laptops.....

M

-----Original Message-----