Portable and Removable Devices Information Forum

Theresa A. Masse, State Chief Information Security Officer

Department of Administrative Services, Enterprise Security Office

Agenda
  • What is a portable / removable device
  • Policy requirements
  • Agency Panel
    • Richard Rylander, Dept. of Justice
    • Herman Davis, Dept. of Revenue
    • Doug Juergensen, Dept. of Fish and Wildlife
  • Key considerations
  • Related policies
  • Q&A
Statewide Policy
  • Purpose
    • To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices
    • To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them
Statewide Policy
  • Agency Responsibilities
    • Identify types of approved devices
    • Govern use of personally-owned devices
    • Establish ways to track devices
    • Identify what information can be stored on devices
    • Implement methods to secure the information on devices
Use of portable/removable devices
  • 30% are lost every year
  • 250,000 left in U.S. airports
  • 22% users keep list of passwords on device
  • 90% have:
    • insufficient power-on protection
    • storage encryption

Sources:
  • Estimate from SANS Institute
  • Motorola Mobile Device Security 2007
  • RSA, RSA Security Password Management Survey, September 2005
  • Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04
Agency Panel
  • Richard Rylander, Dept. of Justice
  • Herman Davis, Dept. of Revenue
  • Doug Juergensen, Dept. of Fish and Wildlife
Agency Panel

Richard Rylander, Security Coordinator

Oregon Department of Justice

Identified Devices
  • Laptops
  • Flash drives
  • Micro drives
  • Flash cards
  • Others
    • iPod
    • Blackberry and cellular phones (covered separately by DOJ)
Identified Media
  • Media
    • CD/DVD
    • Diskettes (legacy 3.5”, removable HDs, etc.)
    • Tapes
  • Policy
    • Portable & Removable Storage Device
    • Data Classification
    • Media Transport
  • User Awareness
    • Step by Step instructions
    • Short (30-minute) user class
  • Technology
    • Encryption
      • USB Flash drive – currently under testing
        • Kanguru Micro Flash Drive
          • FIPS 140-2 Certified
          • AES 256 Encryption
          • HIPAA Compliant
      • Enterprise solution – researching this solution
        • DriveLock
          • Control who can attach devices to a DOJ system
          • Control what can be attached to a DOJ system
  • Laptop encryption
    • ProtectDrive
      • Pilot test currently underway
  • User Controls
    • Limited users
      • No administrator rights on workstations
    • Can use only approved devices
  • Backup tapes
    • Fully encrypted
    • Securely stored
  • Knowledge Management Solution
    • Hummingbird DM – under implementation
      • Enforces data classification on all information placed within the repository
      • Enforces security on all information placed within the repository
      • Enforces document retention on all information placed within the repository
      • Audit logs
        • Access
        • Modification
Problems and Concerns
  • Personal devices
    • Control
    • Liability
    • Encryption
  • DOJ-owned devices
    • Administration
    • Support
    • Cost
      • Enterprise solution
      • Encrypted flash drives
Agency Panel

Herman Davis, Senior Network Architect

Department of Revenue

Identified Devices
  • Laptops
  • Flash Drives/Thumb Drives
  • CDs
  • Blackberry and PDA
  • Policy
    • Must be encrypted unless an exception is granted
    • Exceptions only for equipment used for training materials and equipment
  • Method
    • Full drive encryption
    • Centralized key management
    • Clear guidelines for handling loss of equipment
  • User Awareness - Transparent to user
Flash Drives
  • Policy
    • Personal devices (of any type) not to be connected to Revenue network or PCs
  • Method
    • Lock down USB ports on desktops
  • User Awareness
    • Training and education on policy
  • Policy – Portable devices
  • Business Need
    • Auditors required a method of transporting customer specific information in a secure manner
    • Wanted to use flash drives = risks
  • Method
    • Burn encrypted CDs and provide to customer with password
    • Customer’s responsibility to dispose of CD
  • User Awareness
    • Hands on training for staff with a need to use this tool
Blackberry and PDA
  • Policy
    • No personally-owned portable devices to connect to network or PC
  • Method
    • Uninstall personally-owned devices
    • Lock down administrative rights and USB ports on PCs
    • Provide agency-owned Blackberry for individuals with a business need
Blackberry and PDA
  • Securing the Blackberry
    • Password protect
    • Remote management and wipe
  • Related Policies: E-mail security
    • No Federal Tax Data or State Tax Data is to be transmitted via e-mail
Agency Panel

Doug Juergensen, Information Systems Division Administrator / CIO

Department of Fish and Wildlife

What is a portable device?

Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.

  • USB ‘memory keys’
  • PDA (Personal Digital Assistants)
  • Cell phones
  • GPS devices
  • Portable hard drives
  • Combination units
  • Agency data (it’s not just about the hardware)

The three Cs
  • Connectivity
    • Many devices started out as stand-alone units, difficult to use and interface (special data cables)
    • Most now have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)
The three Cs
  • Capability
    • Devices had lacked robust applications or tools; not very sophisticated
    • Today many operate a similar version of OS as a desktop computer – and can do many of the same functions
The three Cs
  • Capacity
    • Not long ago, performance and storage capacity was limited; devices were bulky
    • Now very powerful, small, and extremely portable
  • Early devices were typically limited to 16KB or 64KB (thousands of bytes)
  • Credit Card drives are the size of an index card and easily store 1GB (billions of bytes) or more
    • 4 GB flash drive available at any store
    • 8 GB flash drive is less than $100
    • 64 GB flash drive available for about $1,200 – still the size of a pack of gum
    • ½ TB (500GB) portable hard drives fit in your pocket!
  • According to one source …
    • 1 Terabyte (TB) is all the x-ray files in a large hospital
    • 10 Terabytes is the printed collection of the U.S. Library of Congress
IT Management
  • Large number of disparate devices
    • Few, if any, ‘enterprise’ management tools
    • Limited administrative features
    • Lack consistency in standards and compliance with standards
  • Training
    • IT staff needs training on many devices, difficult to be experts
    • Employees need training but may try ‘whatever works’
IT Management
  • Technical issues
    • Many devices largely unsecured and unmanaged
    • Often lack features we find ‘essential’ on any other computer
      • Firewall
      • VPN (Virtual Private Network)
      • Virus protection
  • Support and patches
    • Generally not updated or patched
What about policy?
  • Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data
  • If you can’t manage them electronically, is a written policy and employee goodwill enough?
  • Can you adequately train employees about risks?
Compare and Contrast

Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …

  • Enterprise support tools
  • Multi-level authority
  • Automated inventory control
  • Rules-based security
  • Patch management
  • Complex authentication (ID and password)
  • Remote access
  • Wake on LAN
  • Security upgrades

Compare and Contrast
  • Wireless (802.11, Bluetooth, cellular)
  • Plug-and-play

Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …

What about ODFW?
  • Laptops are now secured using VPN for connections away from the office
    • Access to e-mail, Internet, and file-sharing
  • PDAs are widely used but are not Internet enabled
  • USB thumb drives are available to all employees
    • Not asset tagged, but logged in purchasing system to user or manager
    • Considering an internal audit to assess asset control/loss
What about ODFW?
  • Cell phone / PDA combos are few and very limited
    • Requires approval by ISC and the Director’s office
  • Portable hard drives
    • Limited deployment
    • Requires ISD approval
  • Easy to use – just as easy to lose
  • Small size and large capacity increase the potential risk factors
    • Many units deployed
    • Easily shared
    • Poor asset control mechanisms
  • Immature technology
    • Competitive market – rushed to deployment
    • Compliance to standards
    • Administrative controls
    • Virus protection
    • Security / encryption
    • Patch management and updates
  • IT staffing and support
  • Training (help desk and employees)
Risk vs. Benefit
  • Most IT shops are faced with a dilemma
  • How much risk is acceptable?
  • Does the business side of the agency comprehend the complex and technical issues to make an informed decision?
  • With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?
Agency Considerations

Amy McLaughlin, Program Manager

Enterprise Security Office

Key Considerations
  • What business drivers require the use of portable/removable devices?
  • What devices are acceptable to use?
  • Who needs to use these devices?
  • What information should/should not be stored on these devices?
  • How can the devices be protected?
Use of portable/removable devices
  • Are portable/removable devices needed?
  • Other options:
    • E-mail, encrypted to protect sensitive information
    • Secure File Transfer Protocol (SFTP)
    • Upload to/download from network
    • Upload to/download from Internet/intranet
  • USBs
    • Consider purchasing USBs with built-in encryption
  • CDs / DVDs
    • Consider password protecting or encrypting media
  • Laptops, palmtops
    • Use whole-disc encryption for devices storing sensitive information
    • Use encryption for individual files
  • Blackberries, PDAs
    • Encrypt sensitive information
    • Use a password and time-out feature
    • Use remote management and wipe features
  • Establish policy to authorize who may use portable devices
  • Determine if personal devices can be used or only agency-issued devices
Sensitive Information
  • Establish policy to authorize what type of information can be stored/transmitted on a device
    • Classify the information
    • Restrict use of devices to store/transmit Level 3 and Level 4 information
    • If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption
  • If use of devices is not authorized, consider appropriate controls
    • Disable USB ports
    • Disable CD/DVD write capability
    • Remove administrative rights to PCs; prevent user ability to install hardware and software
    • Define help desk procedures for handling rogue devices
    • Use purchasing oversight to prevent purchase of banned devices
  • If use of devices is authorized, consider appropriate controls
    • Use whole disc encryption
    • Encrypt sensitive files
    • Use lock-out and password protection features
    • Enable remote management and remote disabling capabilities
    • Use one-time-use passwords or token number generators
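As an added example (not part of the forum slides or any agency's own tooling), the read-only PowerShell audit below checks a Windows workstation for the "not authorized" controls listed above and on the Revenue "lock down USB ports" slide: USB mass storage blocked, removable-disk and CD/DVD writing denied by policy, and who holds local administrator rights. It assumes PowerShell 3 or later, English-language `net` output, and the standard Windows "Removable Storage Access" policy registry layout; the two GUIDs are the built-in device class identifiers for Removable Disks and CD/DVD.

```powershell
# Added example, not the forum's own material: audit the controls a workstation
# should have when portable device use is NOT authorized. Read-only; run from an
# elevated prompt so the HKLM keys are readable. Assumes PowerShell 3+ and the
# standard "Removable Storage Access" policy layout under HKLM\SOFTWARE\Policies.

function Get-RemovableDeviceControlStatus {
    # 1. USB mass storage driver. Start = 4 means the USBSTOR service is disabled,
    #    so a newly attached flash drive will not mount. (Missing key reads as null.)
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    $usbState = if ($usb -and $usb.Start -eq 4) { 'Blocked' } else { 'Allowed' }
    [pscustomobject]@{ Control = 'USB mass storage'; State = $usbState
                       Detail = "USBSTOR Start=$($usb.Start)" }

    # 2. Removable Storage Access policy (Computer Configuration > Administrative
    #    Templates > System > Removable Storage Access). Deny_Write = 1 on a device
    #    class blocks writing to it; the GUIDs are the built-in class identifiers.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $classes = [ordered]@{
        'Removable disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    }
    foreach ($name in $classes.Keys) {
        $p = Get-ItemProperty (Join-Path $policyRoot $classes[$name]) -ErrorAction SilentlyContinue
        $state = if ($p -and $p.Deny_Write -eq 1) { 'Blocked' } else { 'Allowed' }
        [pscustomobject]@{ Control = "$name write"; State = $state
                           Detail = "Deny_Write=$($p.Deny_Write)" }
    }

    # 3. Administrative rights. Anyone in the local Administrators group can install
    #    hardware and software, which defeats the two controls above. The filter
    #    strips the English header/footer lines that `net localgroup` prints.
    $members = net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+$)' }
    [pscustomobject]@{ Control = 'Local Administrators'; State = 'Review'
                       Detail = ($members -join ', ') }
}

# One row per control; "Allowed" rows are the gaps to raise with the help desk.
Get-RemovableDeviceControlStatus | Format-Table -AutoSize
```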
Related Policies
  • Controlling Portable and Removable Storage Devices (107-004-051)
  • Information Asset Classification (107-004-050)
  • Transporting Information Assets (107-004-100)
  • Acceptable Use of State Information Assets (107-004-110)
  • Information Technology Asset Inventory/Management (107-004-010)
For further information …
  • Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, theresa.a.masse@state.or.us
  • Richard Rylander, Dept. of Justice, (503) 378-5957, richard.rylander@state.or.us
  • Herman Davis, Dept. of Revenue, (503) 945-8042, herman.davis@state.or.us
  • Doug Juergensen, Dept. of Fish and Wildlife, (503) 947-6261, douglas.juergensen@state.or.us
Next Forum …

Tools and Techniques

Panel Presentation

May 20, 2008