1 / 54

Portable and Removable Devices Information Forum

Portable and Removable Devices Information Forum. Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security Office. Agenda. What is a portable / removable device Policy requirements Agency Panel Richard Rylander, Dept. of Justice

PamelaLan
Download Presentation

Portable and Removable Devices Information Forum

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Portable andRemovable DevicesInformation Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative ServicesEnterprise Security Office

  2. Agenda • What is a portable / removable device • Policy requirements • Agency Panel • Richard Rylander, Dept. of Justice • Herman Davis, Dept. of Revenue • Doug Juergensen, Dept. of Fish and Wildlife • Key considerations • Related policies • Q&A

  3. What is a portable device?

  4. What is a portable device?

  5. What is a portable device?

  6. Statewide Policy • Purpose • To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices • To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them

  7. Statewide Policy • Agency Responsibilities • Identify types of approved devices • Govern use of personally-owned devices • Establish ways to track devices • Identify what information can be stored on devices • Implement methods to secure the information on devices

  8. Use of portable/removable devices • 30% are lost every year • 250,000 left in U.S. airports • 22% users keep list of passwords on device • 90% have: • insufficient power-on protection • storage encryption 1 2 3 4 • Estimate from Sans Institute • Motorola Mobile Device Security 2007 • RSA, RSA Security Password Management Survey, September 2005 • Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04

  9. Agency Panel • Richard Rylander, Dept. of Justice • Herman Davis, Dept. of Revenue • Doug Juergensen, Dept. of Fish and Wildlife

  10. Agency Panel Richard Rylander, Security Coordinator Oregon Department of Justice

  11. Identified Devices • Laptops • Flash drives • Micro drives • Flash cards • Others • iPod • Blackberry and cellular phones (covered separately by DOJ)

  12. Identified Media • Media • CD/DVD • Diskettes (legacy 3.5”, removable HDs, etc.) • Tapes

  13. Methods • Policy • Portable & Removable Storage Device • Data Classification • Media Transport • User Awareness • Step by Step instructions • Short (30-minute) user class

  14. Methods • Technology • Encryption • USB Flash drive – currently under testing • KanguruMicro Flash Drive • FIPS 140-2 Certified • AES 256 Encryption • HIPAA Compliant • Enterprise solution – researching this solution • DriveLock • Control who can attach devices to a DOJ system • Control what can be attached to a DOJ system

  15. Methods • Laptop encryption • ProtectDrive • Pilot test currently underway • User Controls • Limited users • No administrator rights on workstations • Can use only approved devices • Backup tapes • Fully encrypted • Securely stored

  16. Methods • Knowledge Management Solution • Hummingbird DM – under implementation • Enforces data classification on all information placed within the repository • Enforces security on all information placed within the repository • Enforces document retention on all information placed within the repository • Audit logs • Access • Modification

  17. Problems and Concerns • Personal devices • Control • Liability • Encryption • DOJ-owned devices • Administration • Support • Cost • Enterprise solution • Encrypted flash drives

  18. Agency Panel Herman Davis, Senior Network Architect Department of Revenue

  19. Identified Devices • Laptops • Flash Drives/Thumb Drives • CDs • Blackberry and PDA

  20. Laptops • Policy • Must be encrypted unless an exception is granted • Exceptions only for equipment used for training materials and equipment • Method • Full drive encryption • Centralized key management • Clear guidelines for handling loss of equipment • User Awareness - Transparent to user

  21. Flash Drives • Policy • Personal devices (of any type) not to be connected to Revenue network or PCs • Method • Lock down USB ports on desktops • User Awareness • Training and education on policy

  22. CDs • Policy – Portable devices • Business Need • Auditors required a method of transporting customer specific information in a secure manner • Wanted to use flash drives = risks • Method • Burn encrypted CDs and provide to customer with password • Customer’s responsibility to dispose of CD • User Awareness • Hands on training for staff with a need to use this tool

  23. Blackberry and PDA • Policy • No personally-owned portable devices to connect to network or PC • Method • Uninstall personally-owned devices • Lock down administrative rights and USB ports on PCs • Provide agency-owned Blackberry for individuals with a business need

  24. Blackberry and PDA • Securing the Blackberry • Password protect • Remote management and wipe • Related Policies: E-mail security • No Federal Tax Data or State Tax Data is to be transmitted via e-mail

  25. Agency Panel Doug Juergensen, Information Systems Division Administrator / CIO Department of Fish and Wildlife

  26. Laptops USB ‘memory keys’ PDA (Personal Digital Assistants) Cell phones GPS devices Portable hard drives Combination units Agency data (it’s not just about the hardware What is a portable device? Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.

  27. The three Cs • Connectivity • Many devices started out as stand-alone units, difficult to use and interface (special data cables) • Most how have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)

  28. The three Cs • Capability • Devices had lacked robust applications or tools; not very sophisticated • Today many operate a similar version of OS as a desktop computer – and can do many of the same functions

  29. The three Cs • Capacity • Not long ago, performance and storage capacity was limited; devices were bulky • Now very powerful, small, and extremely portable

  30. Capacity • Early devices were typically limited to 16KB or 64KB (thousands of bytes) • Credit Card drives are the size of an index card and easily store 1GB (billion of bytes) or more • 4 GB flash drive available at any store • 8 GB flash drive is less than $100 • 64 GB flash drive available for about $1,200 – still the size of a pack of gum • ½ TB (500GB) portable hard drives fit in your pocket!

  31. Capacity • According to one source … • 1 Terabyte (TB) is all the x-ray files in a large hospital • 10 Terabytes is the printed collection of the U.S. Library of Congress

  32. IT Management • Large number of disparate devices • Few, if any, ‘enterprise’ management tools • Limited administrative features • Lacks consistency in standards and compliance to standards • Training • IT staff needs training on many devices, difficult to be experts • Employees need training but may try ‘whatever works’

  33. IT Management • Technical issues • Many devices largely unsecured and unmanaged • Often lacks features we find ‘essential’ on any other computer • Firewall • VPN (Virtual Private Network) • Virus protection • Support and patches • Generally not updated or patched

  34. What about policy? • Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data • If you can’t manage them electronically, is a written policy and employee goodwill enough? • Can you adequately train employees about risks?

  35. Enterprise support tools Multi-level authority Automated inventory control Rules-based security Encryption Patch management Complex authentication (ID and password) Remote access Wake on LAN Firewall VPN Filters Security upgrades Compare and Contrast Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …

  36. Compare and Contrast • Wireless (802.11, Bluetooth, cellular) • Plug-and-play Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …

  37. What about ODFW? • Laptops are now secured using VPN for connections away from the office • Access to e-mail, Internet, and file-sharing • PDAs are widely used but are not Internet enabled • USB thumb drives are available to all employees • Not asset tagged, but logged in purchasing system to user or manager • Considering an internal audit to assess asset control/loss

  38. What about ODFW? • Cell phone / PDA combos are few and very limited • Requires approval by ISC and the Director’s office • Portable hard drives • Limited deployment • Requires ISD approval

  39. Challenges • Easy to use – just as easy to lose • Small size and capacity increases the potential risk factors • Many units deployed • Easily shared • Poor asset control mechanisms

  40. Challenges • Immature technology • Competitive market – rushed to deployment • Compliance to standards • Administrative controls • Virus protection • Security / encryption • Patch management and updates • IT staffing and support • Training (help desk and employees)

  41. Risk vs. Benefit • Most IT shops are faced with a dilemma • How much risk is acceptable? • Does the business side of the agency comprehend the complex and technical issues to make an informed decision? • With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?

  42. Questions?

  43. Agency Considerations Amy McLaughlin, Program Manager Enterprise Security Office

  44. Key Considerations • What business drivers require the use of portable/removable devices? • What devices are acceptable to use? • Who needs to use these devices? • What information should/should not be stored on these devices? • How can the devices be protected?

  45. Use of portable/removable devices • Are portable/removable devices needed? • Other options: • E-mail, encrypted to protect sensitive information • Secure File Transfer Protocol (SFTP) • Upload to/download from network • Upload to/download from Internet/intranet

  46. Devices • USBs • Consider purchasing USBs with built-in encryption • CDs / DVDs • Consider password protecting or encrypting media • Laptops, palmtops • Use whole-disc encryption for devices storing sensitive information • Use encryption for individual files

  47. Devices • Blackberries, PDAs • Encrypt sensitive information • Use a password and time-out feature • Use remote management and wipe features

  48. Authorization • Establish policy to authorize who may use portable devices • Determine if personal devices can be used or only agency-issued devices

  49. Sensitive Information • Establish policy to authorize what type of information can be stored/transmitted on a device • Classify the information • Restrict use of devices to store/transmit Level 3 and Level 4 information • If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption

  50. Controls • If use of devices is not authorized, consider appropriate controls • Disable USB ports • Disable CD/DVD write capability • Remove administrative rights to PCs; prevent user ability to install hardware and software • Define help desk procedures for handling rogue devices • Use purchasing oversight to prevent purchase of banned devices

More Related