BMUS 20


ASK THE EXPERT

Asking all the right questions to protect yourself

What questions does an organization ask when a laptop is lost or stolen? More than you want to answer, so back up and encrypt, says Joseph Belsanti.

Being told that one of your employees just lost their laptop can instantaneously wake you up to the reality that your data is not safe, and you just may have been compromised. Thoughts revolve around the data that resided on that drive, and whether a current backup exists – or indeed any backup at all. Next, concerns arise relating to what might happen if there is unauthorized access to the data and if it were to be used for wrongful purposes.

The immediate questions asked are: Whose laptop has gone missing? And what data did they possess? Secondly, questions surrounding the restoration of the data through a backup are discussed in order to get the employee’s productivity back up to a desired level. Now the adventure begins. Was the laptop encrypted? Does disclosure of the loss of data need to occur and what would the repercussions be to the enterprise? Upon the loss of a notebook, a typical organization asks the following questions.

How did the notebook go missing, and is there anything we can do to stop it from happening again?

Organizations now start to analyze their security practices and processes. They try to determine if they need to buy any software or hardware to protect their data – such as encryption – and they look at reviewing their existing security measures. If the organization subscribes to ISO 27000 standards, they now turn to ISO 27001, which formally defines the mandatory requirements for the overall management and control framework regarding an organization’s security risks. They will also review their ISO 27002 standards, in relation to ISO 27001, to establish a code of practice and guidelines in protecting sensitive data within their enterprise.

Was the notebook encrypted?

Given the amount of attention that privacy and security regulations around the world have brought to data breaches, the above question is probably one of the first questions to be asked. The reason for this question begins with the exemption clauses under most data breach notification conditions existing within privacy and security regulations. In most cases if you encrypt the media upon which the data resides in adherence to exemption clauses, then you will not be required to disclose a potentially embarrassing data loss.

Is there any way to find out where that laptop is now?

In some cases, organizations want to know if they can track the location of the missing laptop in question. They do so, not necessarily to recover the laptop, but to determine if there are any other measures that they need to take into consideration to further protect themselves. For example, did a recently fired employee take a laptop home, holding it to ransom for severance? Did the contract worker who was in last month take a notebook? Did an employee steal it? Each of these conditions may provoke a different set of responses and measures that an organization may want to execute in order to protect itself legally and the data that may be exposed.

What else can be done to the laptop now that it is not in our possession?

Intel’s Anti-Theft Technology now enables some encryption ISV vendors to issue a poison pill to a laptop that has been identified as lost or stolen. This poison pill can be issued to a laptop whether or not it is connected to the internet/LAN and performs two primary functions. It disables the platform and performs an encryption data disable. The first function was intended as a theft deterrent mechanism. The second function further protects the sensitive data on the laptop. In this case, access to an encrypted laptop would be denied even if the individual were in possession of the correct credentials – password, smartcard, USB token, etc.

With new security technologies including Intel’s Anti-Theft Technology and self-encrypting drives (SEDs), it is only a matter of time before the ubiquitous protection of data through encryption becomes normal practice – just like backing up data.

Joseph Belsanti is the Vice President of Marketing at WinMagic Inc., a leading global provider of full-disk encryption solutions protecting data on laptops, USB thumb drives, and CD/DVDs. In addition to data security solutions, he has been marketing and selling in the fields of IP Address Management (IPAM), and E-services (CRM, E-procurement, Web Services and E-business).
