The 16 security managers currently attending the postgraduate university-accredited Security Management Stage 1 Course spent Monday 24th November tackling the difficult problem of information security, a subject of topical concern given the recent high profile data loss incidents.
The training day concluded with a look at laptop security, during which delegates formulated procedures which could be realistically implemented in order to reduce exposure to hardware loss and data compromise. The recommendations included:
1. Laptops should be equipped with a basic security software suite to ensure that they are protected when in use off-site. This should include anti-virus software, anti-spyware software and a firewall.
2. Encryption should be available on all laptops.
3. Boot sector password protection as standard.
4. Card and PIN access control to be fitted. Biometrics may provide an alternative, but currently most biometrics systems on laptops have a password override, thereby reducing security.
5. USB ports should be disabled, or access managed using special software.
6. During working hours, laptops should be secured to worktops using cable locks. Security staff should patrol to ensure that this rule is not violated at night.
7. If laptops are left on site overnight, they should be secured in a special cabinet.
8. There should be comprehensive policies and procedures to cover laptop security. These should be realistic, communicated and understood. Compliance should be audited.
9. Staff should be made aware of the risks, and trained in laptop risk management.
10. User should exercise good email discipline so that laptops do not become infected with malware when off-site.
11. Laptops should never be left unattended.
12. Laptop losses should always be investigated and, if necessary, action taken against the employee if negligence can be established.
13. Off-site communications with the corporate network should take place over virtual private network (VPN) tunnels.
14. Users should be denied permissions (by logical controls) to install any software.
15. Data should be backed up regularly. If in frequent off-site use, special provisions should be made for this.
16. There should be regular reviews of data held, and any unnecessary data should be destroyed using a shredding programme.
