The use of laptops and portable devices (e.g. memory sticks, pen drives, mobile phones, BlackBerrys, CDs, disks, etc.) is common practice in conducting Athabasca University (AU) business. Theft of such devices is also common. The Freedom of Information and Protection of Privacy (FOIP) Act, R.S.A. 2000, c. F-25 requires that AU protect personal information against unauthorized use or disclosure by making reasonable security arrangements. All members of the AU community therefore share the responsibility to safeguard these items from theft and to prevent the loss of personal information held on them. Unauthorized access to confidential and private information can result in embarrassment, loss of business, loss of credibility, or legal action for AU and, potentially, the individual.
The National Institute of Standards and Technology Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, identifies various levels of threat posed by other individuals. The level of threat is determined by an individual’s motivation and the actions they are able to take. Threat sources range from insiders seeking information out of curiosity, ego, monetary gain or revenge; to computer criminals, hackers and crackers; to terrorists looking to blackmail, destroy or exploit; and to industrial espionage (companies or foreign governments) seeking a competitive advantage or following programs developed for homeland security.
Access can be gained by:
There are primarily two areas of security for laptops and portable devices: physical and technological. These best practices address both sets of requirements and should be used in conjunction with the AU Information Technology Electronic Data Security Policy.
Laptops and portable devices should not be left unattended in unsecured environments. Items should be locked and secured to an immovable object when one is available. Special locking mechanisms for laptops can be obtained through the Computing Services Help Desk.
Laptops and portable devices should be stored under lock and key in a locked office or locked filing cabinet with restricted access.
Never leave your laptop or portable device in an unattended vehicle.
Protecting personal information while it is being transported is the employee’s responsibility. Laptops and portable devices must not be put through checked baggage when travelling.
Laptops and portable devices are obvious targets for theft. If a laptop is set down for any reason, keep an eye on it or position it in a place where you can feel if someone grabs it. Hook the strap around your foot or hand so you can feel any movement. Vulnerable places for laptops include washrooms, check-in counters, restaurants and vehicles.
Avoid using laptop cases – use a padded briefcase, backpack or suitcase – something that does not advertise what you are carrying. Never leave passwords or access numbers with the laptop or portable device.
Be aware of your environment and the people around you. Watch for anyone trying to obtain information or paying particular attention to what is on your screen or documents (“shoulder surfing”, etc.).
Make yourself aware of the details of reported security breaches. Pay particular attention to how the information was accessed and what “tricks” were used. Remember that any paper files you may carry with you are also an important source of information.
Employees are responsible for knowing which types of information are confidential or personal. Keep only the data that is necessary on your laptop or portable device. Do not download an entire database onto your laptop if it contains personal or confidential information; if computer files must be downloaded, download only the relevant pieces. Always remember to move the information to a more secure location as soon as reasonably possible.
It is important to be aware of the contents of all emails held on your laptop or portable device, since large amounts of personal information can accumulate in files of this type. Use good record-keeping practices and regularly go through your emails to determine whether records are transitory or should be stored in a more suitable location.
Pay particular attention to identifying information of students and staff – ID numbers, names, addresses, etc. Refer to the AU FOIP website at http://www.athabascau.ca/foipp for more information regarding confidential and personal information.
Do not use your laptop or portable device to store long-term records. Make yourself familiar with the records retention policies relevant to your specific area and with general AU retention policies. If you have any questions regarding retention, contact Institutional Record Management. The Alberta Freedom of Information and Protection of Privacy Act requires that, if personal information has been used to make a decision about a person, the public body retain that information for a period of one year. If you are in doubt or have questions, contact the AU FOIP office.
Back up important files regularly and keep the backup in a secure location. Contact the Computing Services Help Desk for assistance with backing up files from laptops or portable devices.
AU requires the use of logon passwords and screen saver password protection. These items are normally preconfigured by the Computing Services Help Desk. Passwords should also be used to protect specific files containing personal information. Think carefully when changing passwords. Don’t use common words – the longer the password is, the harder it is to guess. Make passwords alpha-numeric.
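The password rules above (length, no common words, a mix of letters and digits) can be enforced mechanically before a password is accepted. The following checker is an added example, not AU’s own tooling or part of the original guidance; the minimum length of 12 and the small word list are assumptions constructed for the example, since the text gives no number and no dictionary.

```python
"""Password policy check encoding the guidance above (added example).

Rules, all drawn from the best-practice text:
  * longer is better, so a minimum length is enforced
  * the password must be alpha-numeric (contain both letters and digits)
  * common words must not be used, on their own or with the usual
    trailing digits or punctuation appended ("Summer2014!")

The dictionary below is constructed for this example; a real deployment
would load a larger list (for instance a published breached-password list).
"""
import re

MIN_LENGTH = 12  # assumption: the policy text gives no specific number

# Constructed sample of common words and passwords (not an AU list).
COMMON_WORDS = {
    "password", "welcome", "athabasca", "university", "letmein",
    "qwerty", "summer", "winter", "laptop", "secret",
}


def _strip_trivial_decorations(candidate: str) -> str:
    """Drop the digits/symbols people append to a dictionary word, so that
    'Summer2014!' is still recognised as the word 'summer'."""
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def check_password(candidate: str) -> list:
    """Return the list of policy violations for `candidate`.

    An empty list means the password satisfies every rule stated in the
    guidance. Messages are stable strings so callers can test for them.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no digits")
    core = _strip_trivial_decorations(candidate)
    if core in COMMON_WORDS:
        problems.append(f"based on the common word '{core}'")
    if len(set(candidate)) <= 2:
        # "111111111111" is long and numeric but trivially guessable.
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for sample in ("Athabasca1", "correct-horse-9-battery", "QuiteLongPassphrase"):
        print(sample, "->", check_password(sample) or "OK")
```

The dictionary check strips only trailing decorations, which catches the most common pattern (a word plus a year or symbol) without rejecting long passphrases that happen to contain a dictionary word; a stricter deployment could also test the leading side or every word in the phrase.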
However, remember that passwords can be easily bypassed. Hard drives can be physically removed and accessed. There are free programs available on the internet that can be used to figure out user names and passwords and to restore information that you thought had been deleted. If the will is there, information can be accessed.
Encryption is a vital technological tool and is mandatory for laptops and off-site AU-owned desktops. Use passwords and encryption that an unauthorized user cannot disable. AU has encrypted memory keys for use by AU staff who are required to transport AU information. Contact the Computing Services Help Desk if you require these technologies.
When using a portable device, be aware of the type of internet connection you are accessing. Do not download files if the system can be remotely accessed. Avoid using unknown wireless internet connections. If you need to use a wireless internet connection, ensure identifier broadcasting on your wireless router is turned off so your computer is not signaling devices in the vicinity and disable the wireless connection when not in use. AU currently has technologies that are much more secure. If you require remote access to AU systems, contact the Computing Services Help Desk for assistance.
Be wary of phishing, pop-ups and unknown emails – don’t respond to them or click on embedded links. Thieves use these as tools to gain access to information.
Keep firewalls, anti-virus software and operating systems up-to-date. Turn off file sharing when using your laptop or portable device. Ensure that your firewalls and anti-virus software are not disabled. The Computing Services Help Desk can provide assistance to keep your computer systems and portable devices up-to-date.
Permanently delete unnecessary files from laptops and portable devices when they are no longer required. This will involve the deletion of metadata that is stored on your device. Assistance can be obtained from the Computing Services Help Desk.
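The two points above, that ordinary deletion leaves data recoverable by freely available tools and that files holding personal information should be permanently removed, can be demonstrated with an overwrite-then-delete routine. This is an added example, not AU’s or the Help Desk’s procedure; the two-pass pattern (random bytes, then zeros) and the constructed student record are assumptions made for the example.

```python
"""Overwrite a file in place before unlinking it (added example).

Deleting a file normally removes only its directory entry; the data blocks
stay on the disk until something reuses them, which is why recovery tools
can bring "deleted" files back. Overwriting the content first removes what
such tools would find. Caveat: on SSDs, journaling or copy-on-write
filesystems and cloud-synced folders the old blocks may survive elsewhere,
and the filename, application caches and "recent files" lists are not
touched. Full-disk encryption, which the guidance already mandates, remains
the primary control; this routine is defence in depth.
"""
import os
import secrets
import tempfile

# Assumption for the example: one pass of random bytes, then one of zeros.
PATTERNS = (None, b"\x00")


def overwrite_in_place(path: str) -> int:
    """Overwrite every byte of `path` with each pattern in PATTERNS,
    flushing to disk after each pass. Returns the number of bytes covered."""
    size = os.path.getsize(path)
    chunk = 1 << 16
    with open(path, "r+b", buffering=0) as fh:
        for pattern in PATTERNS:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            os.fsync(fh.fileno())  # make sure the pass reached the device
    return size


def overwrite_and_delete(path: str) -> int:
    """Overwrite, then truncate and unlink, so neither content nor block
    allocation survives the deletion."""
    size = overwrite_in_place(path)
    with open(path, "r+b", buffering=0) as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo(secret: bytes = b"student 123456 - Jane Doe, 12 Main St") -> dict:
    """Write a constructed personal record to a temporary file, overwrite it,
    and report what a reader of the path sees at each stage."""
    fd, path = tempfile.mkstemp(prefix="au-wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    before = _read(path)
    overwritten = overwrite_in_place(path)
    after = _read(path)
    overwrite_and_delete(path)  # second overwrite is harmless; then unlink
    return {
        "secret_in_file_before": secret in before,
        "secret_in_file_after_overwrite": secret in after,
        "all_zero_after_overwrite": after == b"\x00" * len(secret),
        "bytes_overwritten": overwritten,
        "file_gone": not os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the file back after `overwrite_in_place` but before `os.remove` is what makes the difference visible: the path still exists, but the personal record is gone from it, whereas a plain `os.remove` would have left those bytes on disk for a recovery tool.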
If your laptop or portable device is stolen or lost, immediately notify the FOIP/Policy Coordinator and the Computing Services Help Desk. A list of the types of information contained on the device will need to be provided in order to assess whether any privacy breaches have occurred. Report any unusual activity following the incident as soon as possible.
Always assume the worst. Passwords will need to be changed, accounts may need to be shut down, and people may need to be officially notified. Even if the data is encrypted, assume that the thieves will be able to decrypt the information.
Violations of the Information Technology Electronic Data Security Policy could result in disciplinary action.
AU wishes to acknowledge its reliance on publications issued by the Access & Privacy Branch, Alberta Government Services, which were used in the preparation of these best practices.
A sequence of characters that uniquely names a specific user and is transmitted to allow that user to connect to a desired wireless network when multiple networks operate in a specific area. Information transmitted in this format can be intercepted.
In a computing context, phishing is the impersonation of a corporation or other trusted institution. The goal of the impersonation is to extract passwords or other sensitive information from the victim. It is a form of criminal activity that uses social engineering techniques. Phishing is typically done using e-mail or an instant messaging program. The message is made to appear to be from an authentic source so that the victim will either respond directly or open a URL link to a fake web site run by the criminals.
Office of the University Secretariat, July 2006
Updated May 30 2014 by Office of the University Secretariat