Protecting the huge variety of information the University collects and manages is everyone’s responsibility. For those of us with IT roles, people whose IT needs we support look to us to provide safe and secure ways to manage information. The need is particularly critical when it comes to protecting personal and private information on students, employees, research subjects, and other affiliates. No one wants to be responsible, even by accident, for exposing personal information that could cause harm to individuals, impact UVM’s reputation, and incur significant costs.
As IT people, it’s our responsibility to help others work securely, including implementing critical laptop and “desktop” protections such as encryption and domain joining. Some protections are mandated by policy, and others are best practices. ETS can help.
How We Need to Help
One of the most important ways we can help our clientele work securely is to help them secure their computers and other devices. The Information Security Procedures mandate several precautions that IT personnel generally need to set up for their clients:
- Encryption of UVM- and personally-owned devices that could carry institutional data
- Use of University storage and email (rather than external, cloud services)
- Malware protection
- Automatic software updates
- Software that is supported with prompt security fixes (especially operating systems)
- Requiring a password for start-up and wake from sleep or screen saver (ten-minute time-out)
- Destruction of data when a device is transferred or recycled
- Protection from theft
In addition, best practices include:
- Working as a nonprivileged user, without administrative rights (a separate admin account can be set up for use only when needed)
- Workstation management via joining Windows computers to the Campus domain and, for Macintoshes, Casper
- An inventory of all departmentally owned IT equipment
Encryption Works Now
Any University-owned laptop computer used to access UVM non-public data or file services must have its storage system encrypted using a University-approved encryption system, with UVM retaining the encryption key. That’s a very good idea for “desktop” computers, too, since they also are subject to theft. When devices are stolen, encryption gives UVM a safe harbor under privacy protection laws such as Vermont Act 162; without encryption, legally mandated investigation and notification steps are time-consuming and can be expensive.
PGP Whole Disk Encryption was far from easy and problem-free, and consequently, the number of laptops protected by encryption has been low. But with BitLocker for Windows and Casper/FileValult for OS X, we really must finish the job and get all laptops encrypted. Encryption is mandatory for all laptops and portable devices — and it’s a feasible, reasonable precaution for desktops, as well. The best way to ensure compliance is to use centrally provided deployment services for each platform and ensure encryption is enabled at deployment. All new laptops configured by the ETS Client Services Computer Depot will have BitLocker or Casper/FileVault encryption, and ETS is discussing configuring new desktops for encryption. For computers that are already in service, ETS can help, and instructions are available.
Encryption works now; let’s take advantage and use it.
One-Step Security: Join the Domain
Managing UVM-owned computers through Active Directory (Windows) and Casper (OS X) is the best way to take care of key usability, support, policy compliance, and security needs — while preserving user flexibility and local control. It works well. It encourages consistency. It enhances security. It ensures legal safe harbor for stolen devices by proving encryption status. It keeps an inventory. And it’s free. Contact firstname.lastname@example.org for more information.
Providing and enforcing a secure computing environment involves a mix of best practices and actions that are mandated by policy or by law. I recognize that the urgency of putting out today’s fires can push security to the back burner, but in the long term, letting security slip will have a greater and more painful cost. I hope that each of us will do everything we can to give it priority.
Are there ways that ETS or the Information Security Operations Team could help you provide and promote good security? Please let us know.
Information Security Officer
Enterprise Technology Services
Dean.Williams@uvm.edu | 802-656-1174
Find information security news, best practices, and how to report concerns on the UVM Computing Web site: