New location for website content
The OCIO website is migrating to https://dom.iowa.gov/state-government/information-technology. The only information which will remain at this location is the IT Standards documentation.
Laptop Data Protection Security Standard
April 12, 2012
Purpose
This standard establishes the minimum security requirements for laptop computers and the data stored on, processed by, or transmitted via laptops.
Overview
Laptop computers provide portability allowing users to work outside of the office. Laptop computers also come with risks. Confidential information may be disclosed as a result of the loss or theft of a device. Laptop devices may be exposed to malware when they connect to insecure network.
Scope
This standard sets minimum security and encryption requirements for laptops that hold state-owned data or connect to internal state-owned or managed networks. Laptops of contractors, state business partners and individuals connecting to internal state networks or storing state data are covered by this standard.
For the purpose of this standard, security is defined as the ability to protect the integrity, confidentiality and availability of information processed, stored and transmitted by an agency.
This standard applies to all agencies as defined by Iowa Code Chapter 8A, Section 101. Non-participating agencies are encouraged to follow this and other enterprise level policies, standards, guidelines, processes and procedures.
Definitions
Selected terms used in the Enterprise Laptop Data Protection Standard are defined below:
-
Laptop Computer: Laptop computers are lightweight, portable devices designed to operate for extended periods of time with a self-contained power source. For the purpose of this standard, a laptop computer includes a tablet computer, netbook, iPad and similar device.
-
Encryption: The process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission or storage. Encryption is based on an algorithm and at least one key. Even if the algorithm is known, the information cannot be decrypted without the key(s).
Enterprise Laptop Standard
The following minimum standards must be met for all laptop computers:
-
Laptop Inventory. Agencies will maintain an inventory of all laptop computers and their assigned user.
-
Data Encryption and Authentication. All laptop computers shall be encrypted. The encryption software must meet the following criteria:
-
Pre-boot: Pre-boot user authentication must be used by the encryption software.
-
Whole-disk: The entire hard drive, excluding the master boot record, shall be encrypted.
-
Encryption Strength: 256-bit Advanced Encryption Standard (AES) or stronger encryption must be used.
-
Audit Trail: An audit trail shall be maintained to demonstrate that a device was encrypted and the type of encryption software used.
-
Central Management: The encryption process and procedures shall be centrally managed at the agency and/or enterprise level.
-
Hibernation: Laptop encrypts upon hibernation requiring the user to re-authenticate.
-
-
Loss/Theft Procedures. Loss or theft of any laptop computer shall be reported to the Chief Information Security Officer within 24 hours. The notification shall include:
-
Agency name and contact.
-
Date of theft/loss.
-
Description of the theft/loss.
-
Whether confidential/sensitive information was stored on the device.
-
Whether the laptop was encrypted.
-
Whether the password or token was stored with the laptop.
-
Procedures shall also be in place to change authentication credentials to any systems the device\user may have accessed.
-
Physical Protection. Users responsible for the physical protection of their laptops.
-
Laptops shall not be left unattended in a public area unless secured by a cable lock or other anti- theft device.
-
-
Passwords: Strong passwords must be used with laptops. Passwords must be:
-
At least 8 characters.
-
A mix of numbers and letters.
-
Have at least one special character.
-
Written passwords, smart cards, or tokens shall not be stored with the laptop.
-
Primary Storage/Data Backups. To ensure data availability in the event of device loss or theft, a laptop computer shall not be the primary storage device for State of Iowa data. Regular backups of data stored on laptops must be made, according to agency policy.
-
Client security maintained. All laptop computers must have:
-
A properly-configured host-based firewall;
-
Up-to-date anti-malware software; and
-
All laptops shall have the latest critical security patches installed within 5 business days of release.
-
.
-
Assessment. The ISO will periodically conduct assessments of agency compliance with this standard. Agencies will provide access to inventory information and systems as required to determine compliance. If violations of the laptop computer standard are identified, the agency will receive written notification pursuant to IAC 11--25.11(8A).
-
Awareness Training: Laptop computer users shall be provided with mobile device security awareness training. At a minimum, users shall be provided with documentation describing mobile computing risks.
-
Erase Data and Disable Device: Laptops shall be erased and/or disabled:
-
After 10 unsuccessful password attempts.
-
When reported lost or stolen.
-
Before disposal\return to the lessor.
-
-
Inactivity: The laptops shall be set to lock after a maximum of 15 minutes of inactivity.
-
Usage Policy: Agencies shall:
-
Have a policy covering the use of laptops, and
-
Ensure that staff receive and acknowledge the policy.
-
-
Personally Owned Devices: Personally owned laptops shall not connect to internal state-owned networks.
-
Third Party Applications: Users may not download third-party applications to their laptop without agency management approval.
-
Wireless: Laptops shall:
-
Disable peer-to-peer (ad-hoc) networking capabilities.
-
Disable Bluetooth unless required for a legitimate business need. If Bluetooth is required for a legitimate business need the laptop shall:
-
Only pair with agency approved devices.
-
Disable discoverable mode.
-
-
Use an encrypted vpn solution when remotely connecting to an internal agency network using public wireless. The vpn solution shall:
-
Use two factor authentication
-
Not allow two simultaneous connections to different networks (i.e., no split tunneling and no multi-homed connections).
-
-
Updates
This document will be reviewed at least every two years and updated as needed.
Effective Date
This standard shall be effective May 1, 2012.
Enforcement
This standard shall be enforced pursuant to Iowa Administrative Code 11—25.11(8A).
Variance
Iowa Administrative Code 11 - 25.11(2) provides for variances from security standards. Requests for a variance from any of the requirements of this policy will be submitted in writing to the Chief Information Security Officer prior to implementation.