540 likes | 677 Views
Portable and Removable Devices Information Forum. Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security Office. Agenda. What is a portable / removable device Policy requirements Agency Panel Richard Rylander, Dept. of Justice
E N D
Portable andRemovable DevicesInformation Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative ServicesEnterprise Security Office
Agenda • What is a portable / removable device • Policy requirements • Agency Panel • Richard Rylander, Dept. of Justice • Herman Davis, Dept. of Revenue • Doug Juergensen, Dept. of Fish and Wildlife • Key considerations • Related policies • Q&A
Statewide Policy • Purpose • To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices • To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them
Statewide Policy • Agency Responsibilities • Identify types of approved devices • Govern use of personally-owned devices • Establish ways to track devices • Identify what information can be stored on devices • Implement methods to secure the information on devices
Use of portable/removable devices • 30% are lost every year • 250,000 left in U.S. airports • 22% users keep list of passwords on device • 90% have: • insufficient power-on protection • storage encryption 1 2 3 4 • Estimate from Sans Institute • Motorola Mobile Device Security 2007 • RSA, RSA Security Password Management Survey, September 2005 • Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04
Agency Panel • Richard Rylander, Dept. of Justice • Herman Davis, Dept. of Revenue • Doug Juergensen, Dept. of Fish and Wildlife
Agency Panel Richard Rylander, Security Coordinator Oregon Department of Justice
Identified Devices • Laptops • Flash drives • Micro drives • Flash cards • Others • iPod • Blackberry and cellular phones (covered separately by DOJ)
Identified Media • Media • CD/DVD • Diskettes (legacy 3.5”, removable HDs, etc.) • Tapes
Methods • Policy • Portable & Removable Storage Device • Data Classification • Media Transport • User Awareness • Step by Step instructions • Short (30-minute) user class
Methods • Technology • Encryption • USB Flash drive – currently under testing • KanguruMicro Flash Drive • FIPS 140-2 Certified • AES 256 Encryption • HIPAA Compliant • Enterprise solution – researching this solution • DriveLock • Control who can attach devices to a DOJ system • Control what can be attached to a DOJ system
Methods • Laptop encryption • ProtectDrive • Pilot test currently underway • User Controls • Limited users • No administrator rights on workstations • Can use only approved devices • Backup tapes • Fully encrypted • Securely stored
Methods • Knowledge Management Solution • Hummingbird DM – under implementation • Enforces data classification on all information placed within the repository • Enforces security on all information placed within the repository • Enforces document retention on all information placed within the repository • Audit logs • Access • Modification
Problems and Concerns • Personal devices • Control • Liability • Encryption • DOJ-owned devices • Administration • Support • Cost • Enterprise solution • Encrypted flash drives
Agency Panel Herman Davis, Senior Network Architect Department of Revenue
Identified Devices • Laptops • Flash Drives/Thumb Drives • CDs • Blackberry and PDA
Laptops • Policy • Must be encrypted unless an exception is granted • Exceptions only for equipment used for training materials and equipment • Method • Full drive encryption • Centralized key management • Clear guidelines for handling loss of equipment • User Awareness - Transparent to user
Flash Drives • Policy • Personal devices (of any type) not to be connected to Revenue network or PCs • Method • Lock down USB ports on desktops • User Awareness • Training and education on policy
CDs • Policy – Portable devices • Business Need • Auditors required a method of transporting customer specific information in a secure manner • Wanted to use flash drives = risks • Method • Burn encrypted CDs and provide to customer with password • Customer’s responsibility to dispose of CD • User Awareness • Hands on training for staff with a need to use this tool
Blackberry and PDA • Policy • No personally-owned portable devices to connect to network or PC • Method • Uninstall personally-owned devices • Lock down administrative rights and USB ports on PCs • Provide agency-owned Blackberry for individuals with a business need
Blackberry and PDA • Securing the Blackberry • Password protect • Remote management and wipe • Related Policies: E-mail security • No Federal Tax Data or State Tax Data is to be transmitted via e-mail
Agency Panel Doug Juergensen, Information Systems Division Administrator / CIO Department of Fish and Wildlife
Laptops USB ‘memory keys’ PDA (Personal Digital Assistants) Cell phones GPS devices Portable hard drives Combination units Agency data (it’s not just about the hardware What is a portable device? Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.
The three Cs • Connectivity • Many devices started out as stand-alone units, difficult to use and interface (special data cables) • Most how have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)
The three Cs • Capability • Devices had lacked robust applications or tools; not very sophisticated • Today many operate a similar version of OS as a desktop computer – and can do many of the same functions
The three Cs • Capacity • Not long ago, performance and storage capacity was limited; devices were bulky • Now very powerful, small, and extremely portable
Capacity • Early devices were typically limited to 16KB or 64KB (thousands of bytes) • Credit Card drives are the size of an index card and easily store 1GB (billion of bytes) or more • 4 GB flash drive available at any store • 8 GB flash drive is less than $100 • 64 GB flash drive available for about $1,200 – still the size of a pack of gum • ½ TB (500GB) portable hard drives fit in your pocket!
Capacity • According to one source … • 1 Terabyte (TB) is all the x-ray files in a large hospital • 10 Terabytes is the printed collection of the U.S. Library of Congress
IT Management • Large number of disparate devices • Few, if any, ‘enterprise’ management tools • Limited administrative features • Lacks consistency in standards and compliance to standards • Training • IT staff needs training on many devices, difficult to be experts • Employees need training but may try ‘whatever works’
IT Management • Technical issues • Many devices largely unsecured and unmanaged • Often lacks features we find ‘essential’ on any other computer • Firewall • VPN (Virtual Private Network) • Virus protection • Support and patches • Generally not updated or patched
What about policy? • Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data • If you can’t manage them electronically, is a written policy and employee goodwill enough? • Can you adequately train employees about risks?
Enterprise support tools Multi-level authority Automated inventory control Rules-based security Encryption Patch management Complex authentication (ID and password) Remote access Wake on LAN Firewall VPN Filters Security upgrades Compare and Contrast Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …
Compare and Contrast • Wireless (802.11, Bluetooth, cellular) • Plug-and-play Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …
What about ODFW? • Laptops are now secured using VPN for connections away from the office • Access to e-mail, Internet, and file-sharing • PDAs are widely used but are not Internet enabled • USB thumb drives are available to all employees • Not asset tagged, but logged in purchasing system to user or manager • Considering an internal audit to assess asset control/loss
What about ODFW? • Cell phone / PDA combos are few and very limited • Requires approval by ISC and the Director’s office • Portable hard drives • Limited deployment • Requires ISD approval
Challenges • Easy to use – just as easy to lose • Small size and capacity increases the potential risk factors • Many units deployed • Easily shared • Poor asset control mechanisms
Challenges • Immature technology • Competitive market – rushed to deployment • Compliance to standards • Administrative controls • Virus protection • Security / encryption • Patch management and updates • IT staffing and support • Training (help desk and employees)
Risk vs. Benefit • Most IT shops are faced with a dilemma • How much risk is acceptable? • Does the business side of the agency comprehend the complex and technical issues to make an informed decision? • With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?
Agency Considerations Amy McLaughlin, Program Manager Enterprise Security Office
Key Considerations • What business drivers require the use of portable/removable devices? • What devices are acceptable to use? • Who needs to use these devices? • What information should/should not be stored on these devices? • How can the devices be protected?
Use of portable/removable devices • Are portable/removable devices needed? • Other options: • E-mail, encrypted to protect sensitive information • Secure File Transfer Protocol (SFTP) • Upload to/download from network • Upload to/download from Internet/intranet
Devices • USBs • Consider purchasing USBs with built-in encryption • CDs / DVDs • Consider password protecting or encrypting media • Laptops, palmtops • Use whole-disc encryption for devices storing sensitive information • Use encryption for individual files
Devices • Blackberries, PDAs • Encrypt sensitive information • Use a password and time-out feature • Use remote management and wipe features
Authorization • Establish policy to authorize who may use portable devices • Determine if personal devices can be used or only agency-issued devices
Sensitive Information • Establish policy to authorize what type of information can be stored/transmitted on a device • Classify the information • Restrict use of devices to store/transmit Level 3 and Level 4 information • If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption
Controls • If use of devices is not authorized, consider appropriate controls • Disable USB ports • Disable CD/DVD write capability • Remove administrative rights to PCs; prevent user ability to install hardware and software • Define help desk procedures for handling rogue devices • Use purchasing oversight to prevent purchase of banned devices