You can’t expect your personnel to know how to safeguard information and computing devices if you do not tell them *HOW* to safeguard them!
Humans are not born with an inherent instinct to automatically safeguard information assets. In fact, some folks seem to be born with a pre-disposition to fling caution to the wind when it comes to protecting information. Why else would someone drink three tall beers while working alone in a busy airport bar/restaurant and then leave their laptop completely unsecured on the table top to go somewhere else down the hallway out of sight for 30 minutes? (Saw this on a recent trip.) Yes, I know the alcohol had some impact on their decision-making, but think about all the folks in your organization who have a tendency to do risky activities even without the influence of alcohol.
The fourth section from the second article in the June issue of my “IT Compliance in Realtime Journal” discusses why all organizations must provide training and ongoing awareness communications to their personnel for how to protect mobile computing devices.
You cannot expect your personnel to know how to safeguard information and mobile computers if you do not provide them with training and ongoing awareness for how to do it! Deja vu…did I already say this? You bet; and I’ll probably say it a few million times more in my lifetime because it is so important, yet so seldom considered!
Here’s an unformatted version; you can download a much nicer PDF version of it with the entire June Journal…
—————————-
Tell Personnel How to Protect Mobile Computing Devices and Storage Media
Here is a list of some precautions for you to communicate to your personnel, either one at a time each week or all at once on a poster or quick reference card that each employee can post at their desk, as appropriate and applicable to your organization. The goal is to give your personnel an easy resource to reference so that mobile computing and storage security and privacy stay at the forefront of their minds:
Awareness and Training
- Appropriately secure mobile computing devices and storage media according to the organization’s policies and procedures. Protect your mobile computing device passwords!
- Do not share mobile computing devices you use for business; this is a train wreck waiting to happen!
- It is each employee’s responsibility to ensure the security of mobile computing devices and storage media.
- Store only the minimal amount of data necessary on mobile computing devices and storage media. Many well-publicized incidents have occurred with laptops containing information about hundreds of thousands of people.
Physical Protection
- Keep your mobile computing devices and storage media with you at all times while you are away from corporate facilities. Do not leave the devices in cars, unattended meeting rooms (even within corporate facilities), and so on.
- Use company-provided locks and cables to secure mobile computing devices when you are away from corporate facilities.
- Install the company-provided motion sensors or alarms on your mobile computing devices. The last thing a thief wants in a populated area is an alarm of 110 decibels or more bringing everyone’s attention to him or her. Be sure you follow the company’s instructions for how to use them so that you don’t accidentally blast your own eardrums!
Policies and Device Management
- Use only the software that is allowed by the security policy on your mobile computing and storage devices.
- Back up the software and data on your mobile computers as required by the security policy.
- Do not use the mobile computing devices and storage media that you use for business purposes for personal use.
Encryption
- Encrypt all confidential and personal information stored on mobile computing devices and storage media using corporate-approved encryption solutions.
- Encrypt data transfers from mobile computing devices. Never send or receive sensitive data over a wireless link unless another more secure end-to-end encryption technology is also being used. Mobile devices that retain company-sensitive information must implement a corporate encryption solution to safeguard such information.
- Encrypt all data on mobile storage devices, such as USB sticks and thumb drives.
Data Issues
- Do not store entire databases containing PII on mobile computing or storage devices. If PII is necessary for some approved business reason, use only the records you truly need for business purposes.
- Do not use real PII for demonstration purposes on mobile computing or storage devices.
Miscellaneous Technology Protections
- Install and activate the corporate-approved firewall on your mobile computing device. Mobile devices must include a software firewall for protection.
- Use a corporate-approved malicious code protection system on your mobile computing device and keep it up to date.
- Use the corporate-required user identification and password authentication, and do not share your passwords!
- File sharing on all mobile devices must be disabled, and auditing and logging on all mobile computing devices must be enabled, per corporate policy.
—————————-
Comments? Feedback? Helpful?