Guidance on Laptops and Other Portable Devices

Extract from the Centre for Management and Organisation Development (CMOD), Department of Finance 2008 – Protecting the Confidentiality of Personal Data Guidance Note: “Laptops and Other Mobile Storage Devices (incl. Mobile Phones, PDAs)”.

Laptops and Other Mobile Storage Devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)

The use of laptops, USB memory sticks and other portable or removable storage has increased substantially in recent years, as has the use of personal communications and storage devices such as mobile phones and PDAs. These devices are useful tools for meeting the business needs of staff. They are, however, highly susceptible to loss or theft. To protect the content held on these devices, the following recommendations should be followed:

  1. All portable devices should be password protected to prevent unauthorised use of the device and unauthorised access to information held on the device. In the case of mobile phones, both a PIN and a login password should be used. Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.
  2. Passwords used on these devices should be of sufficient strength to deter password cracking or guessing attacks. A password should include numbers, symbols, and upper and lower case letters. Password length should ideally be around 12 to 14 characters, and at the very minimum 8 characters. Passwords based on repetition, dictionary words, letter or number sequences, usernames or biographical information such as names or dates must be avoided. Departments must ensure that passwords are regularly changed.
  3. Personal, private, sensitive or confidential data should not be stored on portable devices. In cases where this is unavoidable, all devices containing this type of data must be encrypted. With regard to laptops, full-disk encryption must be employed, regardless of the type of data stored.
  4. With regard to mobile technologies, staff should be aware that when ‘roaming’ abroad, communications may not be as secure as they would be within Ireland.
  5. Data held on portable devices should be backed up regularly to the Department’s servers.
  6. When portable computing devices are being used in public places, care must be taken to avoid unwitting disclosure of information, e.g. through overlooking or overhearing by unauthorised persons.
  7. Portable devices must not contain unauthorised, unlicensed or personally licensed software. All software must be authorised and procured through a Department’s IT Unit.
  8. Anti-virus, anti-spyware and personal firewall software must be installed and kept up to date on portable devices. These devices should be subjected to regular virus checks using this software.
  9. Departments should ensure that when providing portable devices for use by staff members, each device is authorised for use by a specific named individual. The responsibility for the physical safeguarding of the device will then rest with that individual.
  10. Laptops must be physically secured if left in the office overnight. When out of the office, the device should be kept secure at all times.
  11. Portable devices should never be left in an unattended vehicle.
  12. Portable storage media should only be used for data transfer where there is a business requirement to do so, should only be used on approved workstations, and must be encrypted.
  13. In order to minimise incidents of unauthorised access and of lost or stolen data, Departments should restrict the use of personal storage media and devices (e.g. floppy disks, CDs, DVDs, USB memory sticks, etc.) to staff who need to use these media or devices for business purposes.
  14. Only storage media provided by a Department’s IT Unit should be permitted for use with that Department’s computer equipment. Departments must put in place solutions which only allow officially sanctioned media to be used on a Department’s computer equipment (i.e. on networks, USB ports, etc.).
  15. Staff-owned devices such as portable media players (e.g. iPods), digital cameras, USB sticks, etc. must be technologically restricted from connecting to Department computers.
  16. Departments should consider implementing additional log-in controls on portable devices such as laptops.
  17. Departments should implement technologies that will allow the remote deletion of personal data from portable devices (such as mobile phones and PDAs) should such devices be lost or stolen. A procedure for early notification of such loss should be put in place. This would allow for the disconnection of the missing device from a Department’s email, calendar and file system.
  18. Departments should implement procedures that will ensure that personal data held on mobile storage devices is fully deleted when the data is no longer required (e.g. through fully formatting the device's hard drive).
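Recommendation 2 above lists concrete composition rules for device passwords. The following is an added example, not part of the guidance note, that turns those rules into a local policy check a Department could apply before a password is accepted. The word list and user details are constructed, and the thresholds for "repetition" (three identical characters in a row) and "sequence" (four consecutive letters or digits) are assumptions, since the note does not quantify them.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption, not from the note).
DICTIONARY = {"password", "welcome", "dublin", "finance", "laptop", "summer"}

def has_repetition(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times consecutively, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequence(pw: str, length: int = 4) -> bool:
    """True for ascending or descending runs of letters or digits, e.g. 'abcd' or '4321'."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        win = low[i:i + length]
        if not (win.isalpha() or win.isdigit()):
            continue  # mixed windows such as 'ab12' are not treated as a sequence
        steps = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """Case-insensitive substring match against the word list (short words skipped)."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)

def has_biographical(pw: str, username: str, names, dates) -> bool:
    """True if the username, a name, or a date token appears anywhere in the password."""
    low = pw.lower()
    tokens = [username] + list(names) + list(dates)
    return any(t and t.lower() in low for t in tokens)

def check_password(pw: str, username: str = "", names=(), dates=()):
    """Return (acceptable, findings). Findings prefixed 'advisory' do not cause rejection."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than the 8-character minimum")
    elif len(pw) < 12:
        findings.append("advisory: 12 to 14 characters recommended")
    classes = [r"[0-9]", r"[^A-Za-z0-9]", r"[A-Z]", r"[a-z]"]  # numbers, symbols, upper, lower
    if not all(re.search(c, pw) for c in classes):
        findings.append("must mix numbers, symbols, upper and lower case")
    if has_repetition(pw):
        findings.append("repeated characters")
    if has_sequence(pw):
        findings.append("letter or number sequence")
    if has_dictionary_word(pw):
        findings.append("contains dictionary word")
    if has_biographical(pw, username, names, dates):
        findings.append("contains username or biographical data")
    acceptable = all(f.startswith("advisory") for f in findings)
    return acceptable, findings
```

A real deployment would swap the constructed word list for a full dictionary and feed `names` and `dates` from the staff member's directory record, since these are exactly the values the note says must be avoided.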