The Department has a comprehensive written Portable Computing Device Security Policy, which is published on its in-house intranet site. Staff are advised, inter alia, that sensitive Department data should not be stored on portable computing devices or portable storage media. However, in the event that there is no alternative to local storage, all sensitive Department data stored on portable computing devices must be secured using one or more of the following as appropriate: Personal Firewalls; BIOS Passwords; Data/Application encryption using approved encryption techniques; Screen Locking; Screen Timeout.
Users are also instructed to protect Department-owned (or authorised) portable computing devices, removable storage components, and removable computer media from unauthorised access. Physical security measures should include the following: Portable computing devices, computer media, and removable components, such as disk drives and network cards, must be stored in a secure environment. Devices must not be left unattended without employing adequate safeguards such as cable locks, restricted access environments, or lockable cabinets.
When possible, portable computing devices, computer media, and removable components must remain under visual control while travelling. If visual control cannot be maintained, then necessary safeguards shall be employed to protect the physical device, computer media, and removable components. Safeguards shall be taken to avoid unauthorised viewing of sensitive or confidential data in public or common areas. Loss or theft of portable computing devices or storage media containing sensitive data must be reported via local management to the Head of Information Security.
The Department is currently engaged in a comprehensive review of the implementation of the policy across the organisation. All new laptops are issued with whole-disk encryption software. The Department is arranging a recall of its existing stock of laptops to install encryption software. The process is expected to be completed by the end of December 2008. The Department is also engaged in implementing a policy to restrict the use of USB memory devices.