Standards Regarding Portable Data Devices

(established pursuant to the University Computing Resources Security Policy 1.20)

Purpose

  • To educate all University of Western Ontario computer users on their responsibilities related to the security of sensitive information that resides on Portable Data Devices, as well as the physical devices themselves.
  • To ensure Portable Data Devices are maintained in a secure environment to minimize the risk and impact of the loss or theft of the devices or the sensitive information that resides on them.

Scope

This document defines the standards required to minimize the security risks associated with Portable Data Devices. It has two sections.

Section 1 defines the standards for Portable Data Device users.
Section 2 the standards for departmental management.

The standards apply to all of University of Western Ontario Computing users (e.g. employees, officers, staff, contractors, students) using notebook, laptop, PDA, USB key, cellular or other Portable Data Devices owned by the University or containing University information.

These are intended to be standards, and not detailed implementation directions; for this information, the reader is urged to consult the associated document on Portable Data Device Security Best Practices.

Portable Data Device Security Risks

Portable Data Devices are especially vulnerable to loss and theft.

The loss of the data on these devices could cause embarrassment, loss of reputation or significant financial impact to the University.

In the University environment, such sensitive information may comprise

  • private information as defined by the Freedom of Information and Protection of Privacy Act (FIPPA)
  • student or staff personal details
  • any information that the user would wish to remain private
  • intellectual property; e.g. research notes, data and commercially sensitive information
  • medical data, including classified and proprietary product development information
  • sensitive financial data

To counter these risks, Portable Data Device security is addressed in five ways;

  • user responsibility; through increased user awareness of the risks and application of a portable data device security standard
  • physical security; both at the user's "base" and when traveling
  • access control/authentication
  • data protection; using software and hardware based solutions
  • tracking/recovery; particularly for devices at high risk or containing very sensitive data

Compliance

Within this document standards marked with a lock are Mandatory standards (i.e. they require immediate compliance by all). Standards marked with a unlock are Mandatory for users or departments who can comply. All others should make plans to comply at the earliest opportunity.

STANDARDS

SECTION 1: User security requirements

lock Portable Data Device users agree to take shared responsibility for the security of their Portable Data Device and the information it contains.

Upon allocation of a Laptop or other Portable Data Device, users should undertake to comply with all applicable sections of this Portable Data Device Security Standard.

lock Users need to take all reasonable steps to protect against the installation of unlicensed or malicious software.

The use of unlicensed software is illegal and puts the University at significant risk of legal action.  Executable software needs to be validated and approved by departmental Systems Administrator before being installed. Unmanaged installations can compromise the operating environment and also constitute a security risk, including the intentional or unintentional spreading of software viruses and other malicious software.

Commercial software (including shareware) needs to

  • have a valid license for each prospective user
  • be checked for all known security risks, including malicious software

lockUsers need to take good care of their laptop.

Portable Data Devices are more fragile than desktops and require more care.  See the Portable Data Device Security Best Practices document for additional details.

Physical security

lockPortable Data Device users need to comply with physical security requirements.

Users should take the following physical security preventative measures.

  • It is important that Portable Data Devices not be
    • left on view in an unattended vehicle, even for a short period of time
    • left in a vehicle overnight
    • positioned so that they are visible from outside a ground floor window, unless there is no alternative
  • A  Portable Data Device displaying sensitive information being used in a public place, e.g. on a train, aircraft or bus, needs to be positioned so that the screen cannot be viewed by others.  If this is not possible, the user should consider other options such as the use of a screen privacy filter, or postpone working with this sensitive information to a more appropriate and protected setting.
  • When leaving a Portable Data Device unattended for any extended period, e.g. lunch breaks or overnight, users should
    • physically secure it with a cable lock and/or
    • lock it away in a robust cabinet or alternatively lock the door of an individually occupied office
  • It is important that in vulnerable situations, e.g. public areas such as airport lounges, hotels and conference centers, Portable Data Devices never be left unattended.
  • Portable computers should, whenever permitted, be carried as hand luggage when traveling, in bags sporting bright colours or large tags.
  • Where any of the above rules are either inappropriate or impractical (e.g. academics on field trips) the user is responsible for taking all reasonable steps to minimize the risk of loss or damage of the laptop.
  • Equipment that can be traced is not attractive to thieves. All equipment, where feasible, should be permanently marked with an identification number that can be traced by police. If the equipment is property of The University of Western Ontario, it should be marked with an Operation Provident Number, which can be provided by Campus Community Police Services.

Access control/authentication

lockIt is critical that Portable Data Device users select a complex password

All users of The University of Western Ontario IT resources need to select a complex password. Please refer to the ITS website for details on complex passwords.

lockComputer displays should be secured when left unattended.

All Portable Data Device screens need to be secured with a password protected screen when left unattended.

Data protection

lockAll sensitive information should be stored on University network servers by default.

This ensures that such data is secure and is automatically backed-up as a matter of course. Only when working away from "base" should sensitive data be copied to a local drive on the Portable Data Device.

In all cases the minimum information required should be copied to the local drive.

unlockPortable Data Device users should use an encryption option when saving information that is considered to be confidential.

The University of Western Ontario’s ITS department can advise on the most suitable data encryption options.

unlockWhen working away from base, it is important to back-up all sensitive data on a regular basis in a secure fashion.

Tracking/Recovery

lockPortable Data Device users should notify the appropriate authorities immediately if their device is lost or stolen.

If a Portable Data Device is stolen or lost the Campus Community Police Services and then the ITS Helpdesk and your Unit Head or delegate should be advised as soon as possible. This will ensure that recovery procedures can be activated as soon as is practicable.

SECTION 2: Departmental security requirements

Physical security

unlockAs a minimum precaution, all Laptop user desks should be fitted with a cable lock device.

These devices are very effective and provide good protection against the casual thief at moderate cost. However, if they are to have any effect, Laptop users need to use them. This requirement should be clearly communicated to users by departmental management.

lockLaptops at higher risk should be fitted with additional security devices.

See the Portable Data Device Security Best Practices document for additional details.

Access control/authentication

lockWhere feasible, Laptops should be protected by boot passwords and a hard disk format that precludes access in the event the machine is booted up using alternative media.

This simple precaution would provide sufficient protection to thwart many casual thieves from accessing sensitive data.

lockNon University of Western Ontario owned Laptops connecting to the network must comply with the Computing Resources Security Policy (1.20).

All non-University of Western Ontario Laptops (e.g. those belonging to students or contractors) connecting to the network need to meet the following criteria

  • Connection is only permitted via authorized and approved facilities
  • Connection is only to an authorized network domain
  • All access is authenticated
  • The Portable Data Device is running up-to-date anti-virus software

Data protection

lockIt is important that Unit Heads, including Directors, of those who need to leave Portable Data Devices in vehicles during the day assess the risk to the University.

This situation might arise, for example, when Portable Data Devices are being used on fieldwork. The risk level is based upon frequency and duration of storage in the vehicle and the crime profile of the area worked in. Advice on appropriate security measures should be obtained from The University of Western Ontario Campus Community Police Services office.

unlockWherever possible, mobile users with sensitive data should be provided with the ability to encrypt data and to back-up off-line.

Data encryption systems protect information stored on Laptops and other Portable Data Devices in the event other access control mechanisms fail. Any user who locally stores information considered to be confidential, or who has remote access to sensitive data or systems, should have a hard drive encryption solution installed on their laptop.

Solutions that encrypt the whole of the hard drive should be used by preference.

Extremely sensitive data may need to be kept on compact, removable PCMCIA, USB drives or similar which are kept with the user at all times.

Off-line back-up, for users away from their base location, can vary from the simple; e.g. copying data to floppy disks or CD, to the sophisticated; e.g. scheduled back-up software that copies sensitive data to portable drives.  The back-ups should be treated as securely as the original data as it represents similar risks.

In all cases, the Unit Head needs to ensure that users are fully aware of the security issues and are sufficiently confident in the use of the solution/s provided.

lockAll Laptops need to have at minimum, the University standard anti-virus software installed. To ensure continued protection, all Laptops should have their system and application software updated on a regular basis and, where possible, protected by a firewall.

This ensures the University’s information systems and data are protected from the risk of virus infection and other threats. A process should be in place to ensure AV signatures and other software are kept up-to-date if the Portable Data Device is to be used off-line (from the University network) for an extended period.

lockAll computers, including Laptops, should be configured with a password protected screen saver that activates after no more than 15 minutes idle time.

This ensures additional security when users are absent from their desks. It should be noted that all users are required to secure the screen whenever they leave a machine unattended.

Tracking/Recovery

unlockPortable Data Devices used to store highly sensitive data may justify the use of software tracking and recovery agents.

Tracking software (combined with an irremovable tag) residing in an undetectable file on the hard drive, will trace stolen Laptops and other Portable Data Devices as soon as they are connected to the Internet. The IP address, computer ID number and telephone number the Portable Data Device is calling from can then be provided to the police, hopefully leading to recovery of the machine and any sensitive data it contains.

Wireless

lockSecure Wireless should be used where available.  Western provides secure wireless access and it is important that this be used with all Western owned wireless devices on campus.

This ensures that the University’s information systems and data are protected from userid and password theft.  Users should exercise due diligence in public areas where encryption and secure transmission are not available.

Western provides the best student experience among Canada's leading research-intensive universities.