Policy: Laptop Security: Difference between revisions
No edit summary |
|||
(18 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Overview == | == Overview == | ||
The aim of the policy is to describe the controls required and necessary to significantly reduce the risks of information security affecting laptops. | <P Align="justify">The aim of the policy is to describe the controls required and necessary to significantly reduce the risks of information security affecting laptops. | ||
Laptop computers are an essential business tool but their very portability makes them particularly vulnerable to physical damage or theft. | Laptop computers are an essential business tool but their very portability makes them particularly vulnerable to physical damage or theft. The fact that they are often used outside the premises of Future Worlds Center, increases the threats.</p> | ||
In addition, portable computers are especially vulnerable to physical damage or loss, and theft, either for resale or for the information they contain which is a vital asset of the Organization. | <P Align="justify">In addition, portable computers are especially vulnerable to physical damage or loss, and theft, either for resale or for the information they contain which is a vital asset of the Organization.</p> | ||
This policy refers to certain general information security policies, but the specific information given here is directly relevant to the organization-owned laptops. | <P Align="justify">This policy refers to certain general information security policies, but the specific information given here is directly relevant to the organization-owned laptops, see [[Procedure: Laptop subsidy|Laptop Subsidy]].</p> | ||
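Review bot: the sentence added to the second Overview paragraph, "The fact that they are often used outside the premises of Future Worlds Center, increases the threats", has a comma separating the subject from its verb; drop it. The link added to the last paragraph is attached with a comma splice (", see [[Procedure: Laptop subsidy|Laptop Subsidy]]"); a semicolon or a separate sentence reads better. The third paragraph still repeats the second paragraph's point that laptops are vulnerable to physical damage and theft, so the two could be merged.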
Line 12: | Line 12: | ||
== Physical security controls == | == Physical security controls == | ||
* <P Align="justify">The physical security of the organization-owned laptop is the personal responsibility of the [[Associate|Associate]] uses the computer, so please take all reasonable precautions. The [[Associate|Associate]] may be responsible for certain costs to repair or replace the laptop if the damage or loss is due to negligence or intentional misconduct.</p> | |||
* Keep the laptop in your possession and within sight whenever possible, especially in public places such as airports, railway stations or restaurants. | |||
* <P Align="justify">If you have to leave the laptop temporarily unattended in the office, meeting room or hotel room, even for a short period of time, use a laptop security cable or similar device to attach it firmly to a desk or other heavy furniture in order to prevent easy escape of the thieve.</p> | |||
* <P Align="justify">Lock the laptop away out of sight when you are not using it (at home, in the office or in a hotel). Never leave a laptop visibly unattended in a vehicle, it is much safer to take it with you.</p> | |||
* <P Align="justify">Carry and store the laptop in a padded laptop bag or strong briefcase to reduce the chance of accidental damage. Don’t drop it or knock it about. An ordinary-looking briefcase is less likely to attract thieves than an obvious laptop bag.</p> | |||
* <P Align="justify">If the laptop is lost or stolen, notify the Police immediately and inform the Organization as well as submit the police report to the Organization (within 48 hours). The police report should include the serial number for the lost/stolen computer.Failure to secure and submit a police report may result in personal liability for replacement cost.</p> | |||
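Review bot: the last bullet under "Physical security controls" says to notify the Police "immediately" but puts "(within 48 hours)" only after "submit the police report to the Organization", so it is unclear whether informing the Organization has the same deadline; state the deadline for each step. Wording in the same hunk: "the Associate uses the computer" in the first bullet is missing "who", "prevent easy escape of the thieve" in the third bullet should refer to a "thief", and "computer.Failure" in the last bullet needs a space.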
Line 28: | Line 28: | ||
== Virus protection == | == Virus protection == | ||
* <P Align="justify">Users must take responsibility for ensuring that security updates take place on laptops in their care. The associate is obliged to take all necessary measures for the security and integrity of all date on the laptop.</p> | |||
- | * The anti-virus software MUST be updated at least monthly. | ||
* <P Align="justify">Email attachments are one of biggest sources of computer viruses. Therefore, avoid opening any email attachment unless you were expecting to receive it from that person.</p> | |||
* <P Align="justify">Always virus-scan the files downloaded to your laptop from any source (CD/DVD, USB hard disks, memory sticks, network files, email attachments, files from the Internet). Virus scans normally happen automatically but the IT responsible of the Organization can tell you how to initiate manual scans if you consider necessary.</p> | |||
* Report any security incidents (such as virus infections) promptly to the IT responsible of the Organization in order to minimize the damage. | |||
* <P Align="justify">Respond immediately to any virus warning message on your laptop, or if you suspect a virus (e.g. by experiencing unusual file activity) by contacting the IT responsible of the Organization. Do not forward any files or upload data onto the network if you suspect your laptop might be infected in order to avoid the spread of the virus.</p> | |||
* Be especially careful to virus-scan your system before you send any files outside the Organization including email attachments and CD-ROMs created by you. | |||
== Controls against unauthorized access to data == | |||
* <P Align="justify">You must use approved encryption software on all organization-owned laptops. Choose a long, strong encryption password/phrase and keep it secure. You can contact to the IT responsible of the Organization for further information on laptop encryption. (If your laptop is lost or stolen, encryption provides strong protection against unauthorized access to the data.)</p> | |||
* <P Align="justify">You are personally accountable for all network and systems access under your user ID, so keep your password safe. Do not share it with anyone including members of your family, friends or IT responsible of the Organization.</p> | |||
* <P Align="justify">Organization-owned laptops are provided for official use by authorized Associates. Do not allow it to be used by others such as family members and friends. </p> | |||
* <P Align="justify">Do not leave your laptop unattended and logged-on. Before walking away from the laptop, always shut down, log off or activate a password-protected screensaver.</p> | |||
== Other controls == | |||
''Unauthorized software'' | |||
<P Align="justify">Do not download, install or use unauthorized software programs. Unauthorized software could create significant security issues regarding the networks of the Organization as well as affecting the performance of the laptop. Software allowing the laptop to be ‘remote controlled’ (e.g. PCanywhere) and ‘hacking tools’ (e.g. network sniffers and password crackers) are strictly forbidden on organization-owned laptops without prior permission from the IT responsible of the Organization and the President of Board.</p> | |||
''Unlicensed software'' | |||
<P Align="justify">Most software, unless it is specifically identified as “freeware” or “public domain software”, may only be installed and/or used if the defined license fee has been properly paid. Shareware or trial version of software must be revoked from the laptops or licensed by the end of the permitted free trial period. Some software is limited to free use by private individuals only, therefore please observe the license condition of the software before download.</p> | |||
''Backups'' | |||
<P Align="justify">Associates are responsible for maintaining an appropriate backup of their laptop, especially of the work-related documents and data files created that are not restored when reinstalling the operating system and programs. | |||
The preferred way to do this is to upload the data from the laptop to the network (Webex)on a regular basis (ideally on daily basis but weekly at least). | |||
It would be prudent to establish a process of copying the data files to an external drive/CD/DVD (off-line backups) as an added precaution against data loss, since if the laptop is stolen, lost, damaged or malfunctioned, it may be impossible to retrieve any of the data from the laptop.</P> | |||
''Inappropriate materials'' | |||
<P Align="justify">Future Worlds Center does not tolerate inappropriate materials such as pornographic, racist, defamatory or harassing files, pictures, videos, email messages that may cause offense or embarrassment. '''Do not store, use, copy or circulate such material on the laptop and avoid visiting such websites.'''</p> | |||
<P Align="justify">IT responsible of the Organization routinely monitor the network/system for such materials therefore he is responsible to report serious/repeated offenders and any illegal materials directly to the President of the Board, and disciplinary processes will be launched.</p> | |||
If you receive inappropriate material by email or other media, delete it immediately. | |||
If you accidentally browse to an offensive website, click ‘back’ or close the window without delay. | |||
If you receive a lot of spams, check your spam settings or contact to the IT responsible of the Organization for assistance. | |||
''Health and safety aspects of using laptops'' | |||
<P Align="justify">As laptops have relatively smaller keyboards, displays and pointing devices than desktop systems, constant usage of them increases the chance of repetitive strain injury (especially in case of usage without desk). Therefore, limit the amount of time you spend on using the laptop. Wherever possible, place the laptop on a conventional desk or table and sit comfortably in an appropriate chair to use it. If you use the laptop in the office most of the time, you are advised to apply a ‘docking station’ with a full-sized keyboard, a normal mouse and a display permanently mounted at the correct height.</p> | |||
<P Align="justify">Stop using the portable and consult your physician in case of experiencing symptoms such as wrist pain, eye strain or headaches that you suspect may be caused by using the laptop.</p> | |||
[[Category:Policies]] |
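Review bot: the first bullet under "Controls against unauthorized access to data" requires "approved encryption software" but nothing in this revision says which software is approved or where that list is kept, so an Associate cannot tell whether a laptop complies; name the software or link the procedure, as the Overview does for Laptop Subsidy. Under "Virus protection", the anti-virus bullet sets an interval ("at least monthly") while the first bullet leaves "security updates" with no interval at all; give one for both. Wording: "all date on the laptop" should be "all data", "(Webex)on" needs a space, and "contact to the IT responsible" should drop "to" in both places it appears.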
Latest revision as of 08:01, 25 September 2012
Overview
The aim of the policy is to describe the controls required and necessary to significantly reduce the risks of information security affecting laptops. Laptop computers are an essential business tool but their very portability makes them particularly vulnerable to physical damage or theft. The fact that they are often used outside the premises of Future Worlds Center increases the threats.
In addition, portable computers are especially vulnerable to physical damage or loss, and theft, either for resale or for the information they contain, which is a vital asset of the Organization.
This policy refers to certain general information security policies, but the specific information given here is directly relevant to the organization-owned laptops; see Laptop Subsidy.
Physical security controls
- The physical security of the organization-owned laptop is the personal responsibility of the Associate who uses the computer, so please take all reasonable precautions. The Associate may be responsible for certain costs to repair or replace the laptop if the damage or loss is due to negligence or intentional misconduct.
- Keep the laptop in your possession and within sight whenever possible, especially in public places such as airports, railway stations or restaurants.
- If you have to leave the laptop temporarily unattended in the office, meeting room or hotel room, even for a short period of time, use a laptop security cable or similar device to attach it firmly to a desk or other heavy furniture, so that a thief cannot easily make off with it.
- Lock the laptop away out of sight when you are not using it (at home, in the office or in a hotel). Never leave a laptop visibly unattended in a vehicle; it is much safer to take it with you.
- Carry and store the laptop in a padded laptop bag or strong briefcase to reduce the chance of accidental damage. Don’t drop it or knock it about. An ordinary-looking briefcase is less likely to attract thieves than an obvious laptop bag.
- If the laptop is lost or stolen, notify the Police immediately and inform the Organization as well as submit the police report to the Organization (within 48 hours). The police report should include the serial number for the lost/stolen computer. Failure to secure and submit a police report may result in personal liability for replacement cost.
Virus protection
- Users must take responsibility for ensuring that security updates take place on laptops in their care. The Associate is obliged to take all necessary measures for the security and integrity of all data on the laptop.
- The anti-virus software MUST be updated at least monthly.
- Email attachments are one of the biggest sources of computer viruses. Therefore, avoid opening any email attachment unless you were expecting to receive it from that person.
- Always virus-scan the files downloaded to your laptop from any source (CD/DVD, USB hard disks, memory sticks, network files, email attachments, files from the Internet). Virus scans normally happen automatically but the IT responsible of the Organization can tell you how to initiate manual scans if you consider it necessary.
- Report any security incidents (such as virus infections) promptly to the IT responsible of the Organization in order to minimize the damage.
- Respond immediately to any virus warning message on your laptop, or if you suspect a virus (e.g. by experiencing unusual file activity), by contacting the IT responsible of the Organization. To avoid spreading the virus, do not forward any files or upload data onto the network if you suspect your laptop might be infected.
- Be especially careful to virus-scan your system before you send any files outside the Organization, including email attachments and CD-ROMs created by you.
Controls against unauthorized access to data
- You must use approved encryption software on all organization-owned laptops. Choose a long, strong encryption password/phrase and keep it secure. You can contact the IT responsible of the Organization for further information on laptop encryption. (If your laptop is lost or stolen, encryption provides strong protection against unauthorized access to the data.)
- You are personally accountable for all network and systems access under your user ID, so keep your password safe. Do not share it with anyone, including members of your family, friends or the IT responsible of the Organization.
- Organization-owned laptops are provided for official use by authorized Associates. Do not allow them to be used by others such as family members and friends.
- Do not leave your laptop unattended and logged-on. Before walking away from the laptop, always shut down, log off or activate a password-protected screensaver.
Other controls
Unauthorized software
Do not download, install or use unauthorized software programs. Unauthorized software could create significant security issues for the networks of the Organization as well as affecting the performance of the laptop. Software allowing the laptop to be ‘remote controlled’ (e.g. PCanywhere) and ‘hacking tools’ (e.g. network sniffers and password crackers) are strictly forbidden on organization-owned laptops without prior permission from the IT responsible of the Organization and the President of the Board.
Unlicensed software
Most software, unless it is specifically identified as “freeware” or “public domain software”, may only be installed and/or used if the defined license fee has been properly paid. Shareware or trial versions of software must be removed from the laptops or licensed by the end of the permitted free trial period. Some software is limited to free use by private individuals only; therefore, please observe the license conditions of the software before download.
Backups
Associates are responsible for maintaining an appropriate backup of their laptop, especially of the work-related documents and data files they create, which are not restored when reinstalling the operating system and programs. The preferred way to do this is to upload the data from the laptop to the network (Webex) on a regular basis (ideally daily, but at least weekly). It would be prudent to establish a process of copying the data files to an external drive/CD/DVD (off-line backups) as an added precaution against data loss, since if the laptop is stolen, lost, damaged or malfunctions, it may be impossible to retrieve any of the data from the laptop.
Inappropriate materials
Future Worlds Center does not tolerate inappropriate materials such as pornographic, racist, defamatory or harassing files, pictures, videos, email messages that may cause offense or embarrassment. Do not store, use, copy or circulate such material on the laptop and avoid visiting such websites.
The IT responsible of the Organization routinely monitors the network/system for such materials and is therefore responsible for reporting serious/repeated offenders and any illegal materials directly to the President of the Board, and disciplinary processes will be launched.
If you receive inappropriate material by email or other media, delete it immediately.
If you accidentally browse to an offensive website, click ‘back’ or close the window without delay.
If you receive a lot of spam, check your spam settings or contact the IT responsible of the Organization for assistance.
Health and safety aspects of using laptops
As laptops have relatively smaller keyboards, displays and pointing devices than desktop systems, constant usage of them increases the chance of repetitive strain injury (especially when used without a desk). Therefore, limit the amount of time you spend using the laptop. Wherever possible, place the laptop on a conventional desk or table and sit comfortably in an appropriate chair to use it. If you use the laptop in the office most of the time, you are advised to use a ‘docking station’ with a full-sized keyboard, a normal mouse and a display permanently mounted at the correct height.
Stop using the portable and consult your physician if you experience symptoms such as wrist pain, eye strain or headaches that you suspect may be caused by using the laptop.