June 12, 2018
In the last few months, our office has received an increasing number of laptop theft reports. These incidents occurred both on and off campus and in varying circumstances; however, in all the recent cases the laptops involved were not configured for Full Disk Encryption (FDE). In a few of these cases, the laptops were used to access sensitive data as part of campus business processes, and the Security team is concerned about possible data exposure due to lost and stolen devices with access to campus protected data.
Campus Minimum Security Standard for Electronic Information (MSSEI) requires strong encryption for UC P4 data stored on laptops, mobile devices, and removable media: https://security.berkeley.edu/data-encryption-removable-media-guideline. Even in cases where the data is accessed but not “stored” on the device, data may be temporarily cached and could end up unintentionally written to disk. It can be very difficult after the fact to determine how much, if any, data remained on the mobile device, and therefore we strongly recommend that all mobile devices used to access UC P4 data be configured with full disk encryption. This will significantly reduce the workload required to resolve these incidents, and also protect the end user if any of their own personal data remains on the device.
Also, based on new best practice guidance, as well as policy changes coming from the Office of the President, Full Disk Encryption is likely to be a future requirement: https://security.ucop.edu/policies/security-controls-everyone-all-devices.html
Here are some additional tips for preventing and addressing laptop theft: https://security.berkeley.edu/resources/best-practices-how-articles/security-awareness/preventing-laptop-theft
Please continue to report lost and stolen laptops to security@berkeley.edu, and thanks for your help in securing our information assets.