[unisog] Mobile Workstation Policy

Fred Portnoy fportnoy at mail.plymouth.edu
Wed Apr 7 13:22:17 GMT 2004


i just have one anecdote to offer - - - one of our employees had an EPO
client installed on her laptop; when she left us and moved to another
institution, our EPO guy reported that her machine showed up on his list
with her new IP address and continued to get updated through our system. 

-fp

-----Original Message-----
From: Adam Brons [mailto:abrons at odu.edu] 
Sent: Tuesday, April 06, 2004 7:58 AM
To: unisog at sans.org
Subject: [unisog] Mobile Workstation Policy


We are about to purchase new workstations for everyone in the IT department.
Some of the administrators have opted to get laptops for workstations.  As a
security administrator this doesn't give me the warm and fuzzies.  Some of
the things the security staff are concerned about are:

  - Admins connecting their laptop to their home ISP's network, 
    getting infected with the virus/worm of the day, and bringing it
    back into our network where they may or may not have access to
    sensitive systems which normal users on our network do not.

  - There are times where sensitive data could be stored on an Admin's
    workstation.  With the workstation being stationary on our
    network we can take measures to best insure that the workstation
    is not compromised via the network and by keeping software 
    up-to-date using automated processes we can safe guard against
    software vulnerabilities.  I do not feel that we have the same
    control over laptops.  In most cases, Laptops are not managed 
    centrally as of yet.

  - Though this is not as likely there is also the possibility of
    installing 3rd party software which could install key stroke
    loggers that would capture username/password combinations for
    sensitive systems.  We normally police this on stationary
    workstations through centralized management, which would not 
    be so easy to do on a transient laptop.

  - And of course there is theft.  I could be wrong, but I believe
    that laptops are at the top of the list for items stolen.  Not to
    mention all the information that is sensitive which now belongs to
    the thief.

So to summarize:  
  We're worried about sensitive information being leaked and
  infection of protected networks via the laptop when placed back on
  our network. 

What have other institutions done to safe guard against any of the 
above bullets, or anything else which I've not mentions?

What policies do you have in place?  How do you enforce them?

Any information you can offer would be greatly appreciated.

-- 
Adam Brons           Data Security Administrator
tel: 757.683.4855    Office of Computing and Communications Services
fax: 757.683.5155    Old Dominion University - Norfolk, Virginia. USA

DSA ID F1B1F49B: 72F0 E0FC 08BF A1FE 5677  C48F 4D83 C8B2 F1B1 F49B



More information about the unisog mailing list