Portable and Removable Devices Information Forum

Theresa A. Masse, State Chief Information Security Officer

Department of Administrative Services, Enterprise Security Office


Agenda

  • What is a portable / removable device

  • Policy requirements

  • Agency Panel

    • Richard Rylander, Dept. of Justice

    • Herman Davis, Dept. of Revenue

    • Doug Juergensen, Dept. of Fish and Wildlife

  • Key considerations

  • Related policies

  • Q&A





Statewide Policy

  • Purpose

    • To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices

    • To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them


Statewide Policy

  • Agency Responsibilities

    • Identify types of approved devices

    • Govern use of personally-owned devices

    • Establish ways to track devices

    • Identify what information can be stored on devices

    • Implement methods to secure the information on devices


Use of portable/removable devices

  • 30% are lost every year [1]

  • 250,000 left in U.S. airports [2]

  • 22% of users keep a list of passwords on the device [3]

  • 90% have insufficient power-on protection and storage encryption [4]

  Sources:

  1. Estimate from SANS Institute

  2. Motorola Mobile Device Security 2007

  3. RSA, RSA Security Password Management Survey, September 2005

  4. Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04


Agency Panel

  • Richard Rylander, Dept. of Justice

  • Herman Davis, Dept. of Revenue

  • Doug Juergensen, Dept. of Fish and Wildlife


Agency Panel

Richard Rylander, Security Coordinator

Oregon Department of Justice


Identified Devices

  • Laptops

  • Flash drives

  • Micro drives

  • Flash cards

  • Others

    • iPod

    • Blackberry and cellular phones (covered separately by DOJ)


Identified Media

  • Media

    • CD/DVD

    • Diskettes (legacy 3.5”, removable HDs, etc.)

    • Tapes


Methods

  • Policy

    • Portable & Removable Storage Device

    • Data Classification

    • Media Transport

  • User Awareness

    • Step by Step instructions

    • Short (30-minute) user class


Methods

  • Technology

    • Encryption

      • USB Flash drive – currently under testing

        • Kanguru Micro Flash Drive

          • FIPS 140-2 Certified

          • AES 256 Encryption

          • HIPAA Compliant

      • Enterprise solution – researching this solution

        • DriveLock

          • Control who can attach devices to a DOJ system

          • Control what can be attached to a DOJ system


Methods

  • Laptop encryption

    • ProtectDrive

      • Pilot test currently underway

  • User Controls

    • Limited users

      • No administrator rights on workstations

    • Can use only approved devices

  • Backup tapes

    • Fully encrypted

    • Securely stored


Methods

  • Knowledge Management Solution

    • Hummingbird DM – under implementation

      • Enforces data classification on all information placed within the repository

      • Enforces security on all information placed within the repository

      • Enforces document retention on all information placed within the repository

      • Audit logs

        • Access

        • Modification


Problems and Concerns

  • Personal devices

    • Control

    • Liability

    • Encryption

  • DOJ-owned devices

    • Administration

    • Support

    • Cost

      • Enterprise solution

      • Encrypted flash drives


Agency Panel

Herman Davis, Senior Network Architect

Department of Revenue


Identified Devices

  • Laptops

  • Flash Drives/Thumb Drives

  • CDs

  • Blackberry and PDA


Laptops

  • Policy

    • Must be encrypted unless an exception is granted

    • Exceptions only for equipment used for training materials and equipment

  • Method

    • Full drive encryption

    • Centralized key management

    • Clear guidelines for handling loss of equipment

  • User Awareness - Transparent to user


Flash Drives

  • Policy

    • Personal devices (of any type) not to be connected to Revenue network or PCs

  • Method

    • Lock down USB ports on desktops

  • User Awareness

    • Training and education on policy


CDs

  • Policy – Portable devices

  • Business Need

    • Auditors required a method of transporting customer specific information in a secure manner

    • Staff wanted to use flash drives, but those carry risks

  • Method

    • Burn encrypted CDs and provide to customer with password

    • Customer’s responsibility to dispose of CD

  • User Awareness

    • Hands on training for staff with a need to use this tool


Blackberry and PDA

  • Policy

    • No personally-owned portable devices to connect to network or PC

  • Method

    • Uninstall personally-owned devices

    • Lock down administrative rights and USB ports on PCs

    • Provide agency-owned Blackberry for individuals with a business need


Blackberry and PDA

  • Securing the Blackberry

    • Password protect

    • Remote management and wipe

  • Related Policies: E-mail security

    • No Federal Tax Data or State Tax Data is to be transmitted via e-mail


Agency Panel

Doug Juergensen, Information Systems Division Administrator / CIO

Department of Fish and Wildlife


What is a portable device?

Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.

  • Laptops

  • USB ‘memory keys’

  • PDA (Personal Digital Assistants)

  • Cell phones

  • GPS devices

  • Portable hard drives

  • Combination units

  • Agency data (it’s not just about the hardware)


The three Cs

  • Connectivity

    • Many devices started out as stand-alone units, difficult to use and interface (special data cables)

    • Most now have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)


The three Cs

  • Capability

    • Devices had lacked robust applications or tools; not very sophisticated

    • Today many operate a similar version of OS as a desktop computer – and can do many of the same functions


The three Cs

  • Capacity

    • Not long ago, performance and storage capacity was limited; devices were bulky

    • Now very powerful, small, and extremely portable


Capacity

  • Early devices were typically limited to 16KB or 64KB (thousands of bytes)

  • Credit-card drives are the size of an index card and easily store 1 GB (billions of bytes) or more

    • 4 GB flash drive available at any store

    • 8 GB flash drive is less than $100

    • 64 GB flash drive available for about $1,200 – still the size of a pack of gum

    • ½ TB (500GB) portable hard drives fit in your pocket!


Capacity

  • According to one source …

    • 1 Terabyte (TB) is all the x-ray files in a large hospital

    • 10 Terabytes is the printed collection of the U.S. Library of Congress


IT Management

  • Large number of disparate devices

    • Few, if any, ‘enterprise’ management tools

    • Limited administrative features

    • Lack of consistency in standards and of compliance with those standards

  • Training

    • IT staff needs training on many devices, difficult to be experts

    • Employees need training but may try ‘whatever works’


IT Management

  • Technical issues

    • Many devices largely unsecured and unmanaged

    • Often lack features we find ‘essential’ on any other computer

      • Firewall

      • VPN (Virtual Private Network)

      • Virus protection

  • Support and patches

    • Generally not updated or patched


What about policy?

  • Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data

  • If you can’t manage them electronically, is a written policy and employee goodwill enough?

  • Can you adequately train employees about risks?


Compare and Contrast

Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …

  • Enterprise support tools

  • Multi-level authority

  • Automated inventory control

  • Rules-based security

  • Encryption

  • Patch management

  • Complex authentication (ID and password)

  • Remote access

  • Wake on LAN

  • Firewall

  • VPN

  • Filters

  • Security upgrades


Compare and Contrast

  • Wireless (802.11, Bluetooth, cellular)

  • Plug-and-play

Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …


What about ODFW?

  • Laptops are now secured using VPN for connections away from the office

    • Access to e-mail, Internet, and file-sharing

  • PDAs are widely used but are not Internet enabled

  • USB thumb drives are available to all employees

    • Not asset tagged, but logged in purchasing system to user or manager

    • Considering an internal audit to assess asset control/loss


What about ODFW?

  • Cell phone / PDA combos are few and very limited

    • Requires approval by ISC and the Director’s office

  • Portable hard drives

    • Limited deployment

    • Requires ISD approval


Challenges

  • Easy to use – just as easy to lose

  • Small size and large capacity increase the potential risk factors

    • Many units deployed

    • Easily shared

    • Poor asset control mechanisms


Challenges

  • Immature technology

    • Competitive market – rushed to deployment

    • Compliance to standards

    • Administrative controls

    • Virus protection

    • Security / encryption

    • Patch management and updates

  • IT staffing and support

  • Training (help desk and employees)


Risk vs. Benefit

  • Most IT shops are faced with a dilemma

  • How much risk is acceptable?

  • Does the business side of the agency comprehend the complex and technical issues to make an informed decision?

  • With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?



Agency Considerations

Amy McLaughlin, Program Manager

Enterprise Security Office


Key Considerations

  • What business drivers require the use of portable/removable devices?

  • What devices are acceptable to use?

  • Who needs to use these devices?

  • What information should/should not be stored on these devices?

  • How can the devices be protected?


Use of portable/removable devices

  • Are portable/removable devices needed?

  • Other options:

    • E-mail, encrypted to protect sensitive information

    • Secure File Transfer Protocol (SFTP)

    • Upload to/download from network

    • Upload to/download from Internet/intranet


Devices

  • USB drives

    • Consider purchasing USB drives with built-in encryption

  • CDs / DVDs

    • Consider password protecting or encrypting media

  • Laptops, palmtops

    • Use whole-disc encryption for devices storing sensitive information

    • Use encryption for individual files


Devices

  • Blackberries, PDAs

    • Encrypt sensitive information

    • Use a password and time-out feature

    • Use remote management and wipe features


Authorization

  • Establish policy to authorize who may use portable devices

  • Determine if personal devices can be used or only agency-issued devices


Sensitive Information

  • Establish policy to authorize what type of information can be stored/transmitted on a device

    • Classify the information

    • Restrict use of devices to store/transmit Level 3 and Level 4 information

    • If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption


Controls

  • If use of devices is not authorized, consider appropriate controls

    • Disable USB ports

    • Disable CD/DVD write capability

    • Remove administrative rights to PCs; prevent user ability to install hardware and software

    • Define help desk procedures for handling rogue devices

    • Use purchasing oversight to prevent purchase of banned devices

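As an added illustration that is not part of the presentation, the following PowerShell script audits a Windows workstation for the first three controls listed above (USB storage disabled, CD/DVD burning disabled, no extra local administrators) and, with the hypothetical `-Enforce` switch, applies the two registry settings; the registry keys are standard Windows settings, while the script itself and its switch are my own construction.

```powershell
# Audit the 'devices not authorized' controls on a Windows workstation.
# Assumptions (not from the presentation): run elevated; -Enforce is this script's own switch.
param([switch]$Enforce)

$findings = @()

# Control 1: disable USB mass storage. Start=4 marks the USBSTOR driver as disabled,
# so USB flash drives and portable hard drives will not mount.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start = (Get-ItemProperty -Path $usbstor -Name Start).Start
if ($start -ne 4) {
    $findings += "USB storage driver is enabled (Start=$start)"
    if ($Enforce) { Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord }
}

# Control 2: disable CD/DVD write capability. The Explorer policy value NoCDBurning=1
# removes the built-in Windows burning feature for all users of this machine.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noBurn = (Get-ItemProperty -Path $explorerPol -Name NoCDBurning -ErrorAction SilentlyContinue).NoCDBurning
if ($noBurn -ne 1) {
    $findings += 'CD/DVD burning is not disabled'
    if ($Enforce) {
        New-Item -Path $explorerPol -Force | Out-Null
        Set-ItemProperty -Path $explorerPol -Name NoCDBurning -Value 1 -Type DWord
    }
}

# Control 3: remove administrative rights. Report every member of the local
# Administrators group other than the built-in Administrator account; removal is
# left to the help desk procedure rather than done automatically here.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notmatch '\\Administrator$' }
foreach ($member in $extraAdmins) {
    $findings += "Local administrator rights held by $($member.Name)"
}

if ($findings.Count -eq 0) { 'All checked controls are in place' } else { $findings }
```

The same two registry values can be deployed agency-wide through Group Policy instead of per machine; this script is useful for spot checks that the policy actually took effect.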

Controls

  • If use of devices is authorized, consider appropriate controls

    • Use whole disc encryption

    • Encrypt sensitive files

    • Use lock-out and password protection features

    • Enable remote management and remote disabling capabilities

    • Use one-time passwords or number-generator tokens


Related Policies

  • Controlling Portable and Removable Storage Devices (107-004-051)

  • Information Asset Classification (107-004-050)

  • Transporting Information Assets (107-004-100)

  • Acceptable Use of State Information Assets (107-004-110)

  • Information Technology Asset Inventory/Management (107-004-010)


For further information …

  • Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, [email protected]

  • Richard Rylander, Dept. of Justice, (503) 378-5957, [email protected]

  • Herman Davis, Dept. of Revenue, (503) 945-8042, [email protected]

  • Doug Juergensen, Dept. of Fish and Wildlife, (503) 947-6261, [email protected]


Next Forum …

Encryption

Tools and Techniques

Panel Presentation

May 20, 2008

