Topic:
COMPUTERS; CONFIDENTIALITY OF INFORMATION; DATA PROCESSING SYSTEMS; EXECUTIVE AGENCIES; THEFT;
Location:
STATE AGENCIES;

OLR Research Report


October 16, 2007


2007-R-0586

STATE POLICIES FOR CONFIDENTIAL INFORMATION
ON LAPTOP COMPUTERS

By: John Moran, Principal Analyst

You asked for a description of state policy governing confidential or restricted information on laptop computers and mobile data storage devices (such as external hard drives, flash cards, or thumb drives) and what penalties exist for violating the policies.

SUMMARY

In the wake of the August 17 theft of a state laptop computer with the names and Social Security numbers of 106,000 taxpayers, the Department of Information Technology (DOIT) has issued a new security policy largely prohibiting the storing of confidential data on state mobile computers and storage devices. According to DOIT, this is the state's first comprehensive mobile computing security policy. It permits confidential or restricted data on mobile devices only if the agency head first certifies in writing that it is not possible to provide the user with secure remote access to the confidential data and storing it on the mobile device is necessary to conduct agency business. Furthermore, the data must be (1) encrypted using DOIT authorized methods and (2) removed from the device as soon as possible afterwards.

The DOIT policy covers all executive branch agencies; it does not extend to the Judicial and Legislative branches and constituent units of higher education.

Some of these branches' and units' policies are similar to DOIT's. Like the DOIT policy, the UConn and Connecticut State University (CSU) system policies both require using remote access methods whenever possible rather than storing information on a mobile device. UConn and CSU each require confidential data to be encrypted (scrambled using a software program) when not in authorized use on a mobile device (Judicial requires that confidential data be encrypted or password protected). The Judicial and Legislative branches' policies provide few specifics about security for confidential information on mobile devices.

DOIT LAPTOP SECURITY POLICY

Confidential Data Defined

The policy states that confidential or restricted state data includes:

1. personally identifiable information not in the public domain, which, if improperly disclosed, could be used to steal an individual's identity, violate the individual's right to privacy, or otherwise harm the individual; and

2. organizational information not in the public domain, which, if improperly disclosed, might result in (a) a significant or severe degradation in agency functioning; (b) significant damage to agency assets; (c) significant financial loss; or (d) significant, severe, or catastrophic harm to individuals.

Also, each agency is responsible for the assessment and categorization of its data as confidential or restricted in accord with the definitions in DOIT's Network Security Policies and Procedures.

Agency Authorization

The new DOIT policy largely prohibits storing confidential or restricted state data on state mobile computers and storage devices, with limited exceptions. Instead of putting such information on laptop computers or other similar devices, agencies must use secure, DOIT-approved remote data-access methods. This way data can be accessed from non-agency sites without storing it on a mobile device.

In situations where it is not possible to access the data via remote means, the agency head (or designee) must:

1. authorize and certify in writing, in advance, that storing restricted and confidential data on the mobile device is necessary to conduct agency business;

2. certify in writing that reasonable alternative means do not exist to provide the user with secure remote access to the data;

3. assess the sensitivity of the data to reside on the mobile device and determine that the business need for storage on the mobile device outweighs the risk of data loss or compromise; and

4. authorize in writing the storage of specific data on the mobile device and the acceptance of all associated risk.

Data Storage Requirements

The policy requires that confidential data must be handled and stored on the mobile device:

1. using only the minimum amount of data necessary for the task,

2. for the minimum amount of time,

3. using DOIT-approved encryption methods, and

4. only on secure mobile devices in accordance with DOIT policies.

Furthermore, the agency must document, track, and audit any such data placed on a mobile device. The information tracked must include the identity of the individual authorizing storage of the data on the mobile device, the device's asset tag and authorized user, information about the stored data, and its final disposition.

The state is in the process of installing encryption software on all laptops. The governor announced that SafeBoot encryption software will be “deployed as soon as possible.” DOIT indicates it will be up to each agency to find the money in its budget to pay for the encryption installation. This process may take several months. Apparently this means an agency cannot take confidential data off-site until it has the encryption software. Here is the link to the governor's announcement: www.ct.gov/governorrell/cwp/view.asp?A=2791&Q=396992

Mobile Device Users

Mobile device users must sign a formal acknowledgement that they understand and agree to abide by the policy. The agency must keep the signed acknowledgement.

Users in the possession of state mobile devices while traveling or using them in public places, meeting rooms, and other unprotected areas must not leave the devices unattended at any time. Users must take all reasonable and appropriate precautions to protect and control the devices from unauthorized physical access, tampering, loss, or theft.

Lost or Stolen Device Procedures

Agencies must establish and document reporting, mitigation, and remediation procedures for lost or stolen mobile devices containing state data (and for data compromised through accidental or nonauthorized access or disclosure).

If a mobile device with state data is lost, stolen, or misplaced, the user must immediately notify his or her agency of the incident. The affected agency must immediately notify the DOIT Help Desk of the incident in order to initiate an effective and timely response and remediation. The same steps must be followed if the user believes any unauthorized access took place.

Other Steps

Agencies must develop and implement a formal, documented security awareness and training program sufficient to ensure compliance with this policy. They must also maintain the proper safety software on the devices including anti-spyware, anti-virus, firewalls, and intrusion detection.

Penalties

Agencies and users that do not adhere to this security policy and associated procedures may be sanctioned. According to Department of Administrative Services, penalties would follow the standard disciplinary steps that exist for any other policy violation or misconduct. This means discipline can range from written reprimand up to termination, and it would be progressive (harsher for any repeat offenses).

Previous DOIT Policy

The previous DOIT computer security policy, as updated in 1999, primarily addressed the state's computer network. It required passwords and other protections to safeguard access to the network.

It required each state agency to (1) designate an information security liaison, (2) determine what agency information was confidential or restricted and submit it to the DOIT Security Oversight Committee, and (3) develop its own policy to augment the statewide policy where more restrictive security was needed.

This policy's specific mention of portable computers is brief. It prohibited users of laptops, notebooks, or other portable computer devices with confidential data from leaving the devices unattended at any time unless the information was encrypted. It also prohibited state workers in possession of portable devices with confidential information from checking them in at airport luggage systems or with hotel porters. It required the state employees to remain with the devices.

It stated that willful violation of the policy could result in disciplinary action up to and including termination.

JUDICIAL BRANCH

The Judicial Branch policy for computer security was updated in 2002. It focuses primarily on ensuring secure and authorized access to the judicial computer network.

It provides the following regarding security of portable devices:

“Employees in the possession of portable, laptop, notebook or other transportable computers should be sensitive to the risk of theft of this equipment. These computers should not contain any restricted, sensitive, or confidential material unless the information is stored in encrypted form or is password protected.”

LEGISLATIVE BRANCH

The Legislative Branch's policy primarily focuses on permitting only authorized use of the legislative computer network; it makes no reference to mobile computer device security. It requires user ID and password protection in order to access the network. The policy includes this statement:

“Employees shall not use state equipment for any purpose that is not authorized by policy of [Legislative Management] or in a way that could compromise the security of the legislative computer systems or the integrity of legislative data.”

UCONN

Like the DOIT policy, UConn's draft security policy for mobile computer devices emphasizes that users should access UConn information using remote methods to avoid saving sensitive data on mobile devices. UConn defines sensitive data or information to include personally identifiable information and other data that is identified by law, regulation, policy, or practice as confidential or registered confidential.

(The draft policy is pending final approval, possibly in November, and is subject to revisions before that approval. Currently UConn does not have a security policy for mobile devices, although existing policy requires users to preserve the integrity and privacy of information they access.)

Authorization

Under the draft policy, the university's Council of Data Stewards must determine and document the business needs that require sensitive data to be placed in mobile devices and what specific data will be permitted on those devices. Also, the user's dean, director, or department head must grant approval in writing before sensitive data can be stored on mobile devices.

Approval will be granted only after the dean, director or department head assesses the risk and determines the business requirement for storage on the mobile device outweighs the associated risk of data loss or compromise.

Data Storage Requirements

The policy also requires the data be handled and stored on the mobile device:

1. using only the minimum amount of data necessary for the task,

2. for the minimum amount of time,

3. using approved encryption methods, and

4. using other security measures currently used for workstation access.

The university must document, track, and audit any sensitive data placed on a mobile device. The information tracked must include the:

1. name of the authorizing individual,

2. name of the authorized mobile device user,

3. the asset tag or serial number of the mobile device,

4. information about the stored data, and

5. the final disposition of that data.

As yet, the draft policy is not clear on who will be responsible for documenting and tracking the sensitive data.

Mobile Device Users

Users with university-owned mobile devices during transport or use in public places, meeting rooms, and other unprotected areas must not leave them unattended at any time. Users must take all reasonable and appropriate precautions to protect and control the devices from unauthorized physical access, tampering, loss or theft including implementing an autolock mechanism that requires a password that conforms to university requirements.

Users are forbidden from bypassing or disabling any security mechanisms such as anti-spyware, encryption, firewalls and intrusion detection software.

Lost or Stolen Device Procedures

Users must immediately notify their department in the event that a mobile device containing sensitive data is lost, stolen, or misplaced or the user has determined unauthorized access has occurred. Upon such notification, the department will notify the IT security office and the university police as indicated in the Security Breach Protocol document.

Penalties

Violations of the policy will result in appropriate disciplinary measures in accordance with university laws and bylaws, employee rules of conduct, and any applicable union agreements.

CSU

The CSU system prohibits placing sensitive data (such as Social Security numbers, bank account numbers, or other personally identifiable information) on mobile computer devices unless there is a compelling business need to do so. Generally, remote access of CSU data is encouraged instead.

When there is a compelling need, the associate executive officer for Information Security must conduct a documented risk analysis. The business need and risk assessment must then be presented to the chancellor or his designee for review and authorization. Unless it cannot be done, sensitive data stored on portable media will be encrypted with a CSUS-approved encryption method. Each laptop user is required to take an online course, “Information Security and Mobile Devices,” that is part of the Security Awareness training program.

Instead of copying information to portable media, users must log on to the network via the Internet for remote access to data on CSU servers.

Whenever a CSU mobile device is discovered missing, stolen, or lost, the individual responsible for the device must report the loss to his or her supervisor and Information Security within one hour of ascertaining the loss. Paperwork submitted to the Property Control Unit will trigger appropriate tracking of the missing device.

Penalties

The CSU policy does not state penalties for the mobile device security violations.

JM: dw