This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
The Right Tool
"Ours is definitely not a one-size-fits-all policy," says Kashner. "We initially chose AES full-disk encryption for laptops because it was bulletproof. We chose [a different platform] for removable media protection because of the vendor's DoD history, centralized control and ability to make use-case exceptions."
San Antonio-based Clarke American Checks combines Computrace LoJack for Laptops with PGP Whole Disk Encryption on about 700 laptops. "Those programs now go out the door with all new laptops," says senior IS auditor Deron Means. Clarke evaluated half a dozen products before settling on PGP. "If all we wanted was disk encryption, any could have done that. But most could not encrypt emailed .zip files or archives--features that were huge for us."
The Hershey Company chose SafeBoot Device Encryption for transparency, ease of use and small footprint.
"Demonstrating audit compliance and integration with our identity management infrastructure was important to me," says Dan Klinger, manager of IS. "Our support center also required delegated roles and central management through one console."
Coverage can also play a big role. "If an employee buys a laptop, we have a standard," says Rob Marti, director of IS at Integris Health in Oklahoma City, "but physicians go out and buy the latest toys; I can't dictate what they'll use. The faster we can support new devices, the better."
Integris chose Credant Mobile Guardian
Working Out the Kinks
These companies selected different platforms to meet varied requirements, but all emphasize the importance of pilot programs to work out any kinks.
"My laptop's BIOS had to be flashed before encryption worked," says Means. "Now we have a process of running scandisk and upgrading BIOS before installation."
To avoid problems on older laptops, Means installs software LoJack before encryption. "You may decide to just encrypt newer laptops with chip-based LoJack," he says.
Highmark also started slowly to minimize impact, but found that data could be encrypted reliably without extraordinary measures. "Backups and BIOS updates are fine ideas, but if you're encrypting 4,000 laptops, it's just not feasible," says Kashner. "We didn't do any of those things, and our failure rate was minimal--out of 13,000 desktops, we lost maybe one."
"As long as the laptop itself is well managed, we don't have encryption issues," says Integris' Marti. "But on PDAs, we do a hard reset, install Credant, then reinstall applications, because some Mobile 5 devices have issues with releasing memory."
Stolen or lost laptops have exposed millions of records. Here are some of the most notable listed by the Privacy Rights Clearinghouse.
Nov. 19, 2005 Stolen Boeing laptop with 161,000 records.
Dec. 25, 2005 Stolen Ameriprise Financial laptop with 260,000 customer records.
May 2006 Theft of Veterans Administration laptop and external hard drive containing records of 28.6 million veterans.
June 2006 Stolen Ernst & Young laptop with credit card data of 243,000 hotel.com customers.
March 2007 Theft of Los Angeles County Child Support laptops including 243,000 SSNs, names and child support case numbers.
This was first published in July 2007