"LAPTOP PROTOCOL"
DHMH Information Resources Management Administration
Directive:
STANDARD OPERATING
PROCEDURES (SOPs) FOR THE USE OF LAPTOPS/PORTABLE & OFF-SITE DATA PROCESSING EQUIPMENT
Authority:
This SOP is based on the Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security," [1] and is consistent with and further explains both the "Policy On The Use Of DHMH Electronic Information Systems," Policy # 02.01.01, [2] and the DHMH Non-Disclosure Policy 02.01.06. [3] Please review these documents for important background information. They are available on the DHMH Intranet site at http://indhmh (select the link to "l Security Concerns for Information Systems").
These SOPs comprise the minimum set of standards recognized by the Department as due
diligence in the use, transportation, storage and care of portable or "off-site"
computing devices including personal computers, personal digital assistants (PDAs) and
"laptop" units. These procedures are intended to be in accord with COMAR and
other State property procedures and requirements.
Objective: This SOP directs DHMH Administrations, Facilities, Local Health
Departments, our State agency or private partners, contractors and their sub-contractors
to follow these standard operational procedures to protect valuable, high-risk equipment
and data. The level of protection and care required is directly related to the risk of the
exposure.
Special Security Considerations: Laptops, Personal Digital Assistants (PDAs) and other portable data processing equipment containing State data, as well as computer equipment used off-site ("equipment"), present a special security threat. They are highly sought-after targets of thieves, who may receive minimal compensation in quick street sales for the device, but whose data contents potentially expose the Department and, in certain instances, its employees to civil and criminal penalties as well as other legal action. Although the loss of the equipment itself is a concern, there is a far greater risk if unencrypted Protected or Proprietary Information [3] on the accompanying storage media falls out of the control of authorized users. The disclosure of such data could be damaging to our partners and citizens, and catastrophic to the credibility of DHMH. In general, the protection of systems and data storage media that contain only non-protected or non-proprietary data requires the exercise of reasonable controls and precautions. However, reasonable care must be equal to the risk of the exposure. Special care and a higher level of diligence are required when the system contains Protected or Proprietary Information [3], whether encrypted or unencrypted.
The SOP is divided into three sections:
Section One: General Care of equipment that contains only Non-Protected Information [3];
Section Two: Special Care of equipment that contains Protected or Proprietary Information [3];
Section Three: Theft/Loss of Equipment & Termination/Check-Out Procedures.
SECTION ONE
General Care of Equipment that contains only Non-Protected Information
Equipment containing only non-protected information may be used at Department and off-site locations. Users are responsible for ensuring that the equipment is: (1) protected at all times from theft while in use, (2) operated, maintained and stored according to the manufacturer's and supplier's guidelines, (3) stored, when in transit or not in use, in a manner that makes it difficult for others to gain either physical or operational access to it, and (4) accessed only by authorized personnel.
To restrict casual access to computing equipment and data, system "power-on" passwords and a password-required "screen saver" set to a short duration should be used.
When ordering data processing equipment that may at some time be used outside of locked spaces (e.g. in open-space offices, in cubicles, and at remote locations), please include at the time of unit purchase appropriate security devices (tethers or other locking devices) that meet the manufacturer's or supplier's specifications. The use of a security device is considered to be a key part of due diligence in the custody of this equipment.
When carried off the premises, extra precautions are often required to prevent theft or
loss. To reduce casual theft during off-site work sessions, equipment should be locked in
a storage cabinet, desk drawer, storage closet, or secured to an immovable object using a
suitable approved locking device. The system should never be left unattended in an
unsecured condition.
In accord with State Data Security Executive Order 01.01.1983.18, application software shall not be set up to "remember" network modem telephone numbers or network access passwords (e.g. in the Windows Dial-Up Networking Connection screen, the "Remember Password" checkbox is not to be selected).
Processing and Communication of Protected or Proprietary Information on Non-Certified Equipment:
Processing, storage, or transmission of patient-level data from remote sites is not permitted on equipment that has not been previously certified and approved for such use (see Section Two).
SECTION TWO
Collection/Processing of Protected or Proprietary Information on Approved
Equipment: Equipment, systems, and procedures for the collection/processing of Protected
or Proprietary Information require written certification before being used for this
purpose. State Executive Order 01.01.1983.18 requires compliance with all items in the
attached checklist "System or Equipment Security Certification Checklist," and
approval by IRMA, the designated Information Technology directing authority for DHMH. This
signed document is required to be on file with the DHMH State Data Security Coordinator
prior to the use of the equipment for this purpose, and/or removal from the regular
Department site of business.
Federal and State legislation, State data security regulations, and DHMH policies prohibit the removal of Protected or Proprietary Information from State property without the express written permission of the Custodian or Designated Responsible Party. Serious penalties are prescribed for non-compliance, up to and including termination from State service, as well as civil and criminal penalties.
Such certified equipment may be used for the processing of Protected or Proprietary Information [3] at Department and off-site locations. However, users are responsible for ensuring that the system is operated in such a manner as to prevent theft or compromise of the sensitive information processed on the system. These data shall be contained on removable media, unless an IRMA-approved encryption scheme is used. It is recommended that unencrypted data storage media be carried separately from the machine, when feasible, to reduce the risk of simultaneous loss due to theft or robbery. If processing is performed using removable media on a system that also has internal non-removable media, the internal media must be disabled or conditioned in such a way as to ensure that Protected or Proprietary Information cannot inadvertently be written to the non-removable media (for example, through temporary files, swap space or application caches). Data remanence eradication steps (not simple file deletion, which removes only the directory entry and leaves the data blocks intact) may be necessary to assure that the non-removable media is purged of temporary or other copies of files created during work sessions. [4] This classification of information may be stored on the internal permanent (non-removable) media of portable or "off-site" systems only if it can be adequately secured, both physically and electronically, using an IRMA-approved encryption scheme.
Note that encryption schemes might not protect the data if the system is stolen while in use (with the encrypted volume unlocked), if the encryption is weak or the selected keys are easy to determine, or if valuable password or encryption information is written down and attached to the unit.
Only DHMH employees and other authorized users are permitted to access DHMH equipment containing such data. To restrict casual access to computing equipment and data, system "power-on" passwords and a password-required "screen saver" set to a short duration will be used. Application passwords shall be used where possible and appropriate for additional protection of these data.
In accord with State Data Security Executive Order 01.01.1983.18, application software shall not be set up to "remember" network modem telephone numbers or network access passwords (e.g. in the Windows Dial-Up Networking Connection screen, the "Remember Password" checkbox is not to be selected).
Protection During Use: To reduce the opportunity for theft during work sessions, equipment containing unencrypted Protected or Proprietary Information is to be secured to an immovable object using a suitably approved locking device. The system shall never be left unattended in an unsecured condition. When ordering data processing equipment that may be used at remote locations, please include in the purchase appropriate security devices (tethers or other locking devices) that meet the manufacturer's or supplier's specifications. The use of a security device is mandatory and is considered to be a key part of due diligence in the custody of equipment containing Protected or Proprietary Information.
Protection While Traveling: Keep the unit in physical contact when using all modes
of public transportation, and be aware that typical laptop carrying cases are obvious
targets. When traveling in aircraft, laptops will be hand-carried aboard unless it is
essential that such equipment be contained in stowed luggage (not recommended). Extreme
care will be taken when in the airport terminal to prevent theft or loss. Security
examination requirements often require temporary physical separation from the system.
Unless the user is cautious, these periods of separation can be exploited as opportunities
for theft or damage.
Robbery and Personal Safety: One important reason for the stringent precautions to assure that Protected and Proprietary Information is either encrypted or not contained on the equipment during transit is the threat of confrontation and robbery. Never place yourself in danger to protect equipment. If directed by a robber to surrender your laptop, hand it over.
Protected Storage On-Site: Equipment containing Protected or Proprietary Information shall be securely stored when not in use, or when unattended, in a private office with a locked door and limited access from the ceiling area, or inside other secure storage. Secure storage is defined as a locked metal storage or filing cabinet fitted with a labeled U.L. Listed Burglary Resistant lock, or fitted with an additional recognized auxiliary locking system (e.g. a locking bar with a U.L. Listed burglary resistant padlock). "Three point locking" cabinets with non-removable hinge-pins are preferred. The key code number, if present on the lock, shall be noted in a secured file and then removed or erased from the lock. Appropriate key custody shall be followed, and access to the storage unit shall be appropriately limited.
Protected Storage Off-Site: At off-site locations, equipment containing Protected or Proprietary Information, when not in use, will be secured out of view in: (1) a locked cabinet, closet, or container; (2) a locked office at a State or Federal facility; or (3) the trunk of a personal vehicle, secured with a manufacturer's approved locking device to an immovable object (e.g. the trunk lid hinge); or (4) it must be kept in the physical possession of the user.
Labeling: Data storage media used with equipment containing Protected or Proprietary Information shall be labeled, handled, transmitted, stored and disposed of in a manner equal to the security level of the data being processed, according to DHMH "Nondisclosure" and EIS policies and procedures. [1] [2]
Isolation of Protected and Proprietary Information: Equipment containing unencrypted Protected or Proprietary Information and using internal storage for such processing WILL NOT be used to access E-Mail or the Internet. Equipment with no internal storage, or with removable/changeable media or hard drives, may be used for dual processing on a waiver basis. Waivers will be obtained from IRMA and will be issued based on the capability of the system and user to strictly enforce physical separation of the processing levels.
Electronic Data Interchange from such equipment shall be consistent with best
practice security standards. This includes strong user authentication and approved data
and transmission encryption schemes. Other processes and protective actions may be
required depending on the calculated risk exposure. Contact IRMA for further information
on DHMH approved methods.
SECTION THREE
Theft/Loss of Equipment:
The equipment and data are valuable property and will be
afforded the same protection as any high-value item. An immediate report shall be made of
the theft, loss, or unaccountability of such Department equipment, or non-state equipment,
containing any Department data, to your Director and the appropriate police authority. If Protected
and Proprietary Information were contained on the machine, also contact the
DHMH State Data Security Coordinator through IRMA (410) 767-6830. A reasonable time period
for a report following the discovery of a loss is by the end of the business day.
Termination/Check-Out Procedures: At separation of employment, or if a change in job duties makes this agreement unnecessary, all employees, vendors, or agents who have completed this form will counter-sign the original and date the document when returning the equipment. A completed copy is to be forwarded to the DHMH State Data Security Coordinator, and the original kept on file for one year from the agreement termination date.
For further information or assistance, please contact IRMA at (410) 767-6830.
_________________________________________________
End Notes & Citations
[1] Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security."
[2] DHMH "EIS" Policy on the Use of Electronic Information Systems, June 1998, Policy #02.01.01.
[3] DHMH "Non-Disclosure" Policy #02.01.06, April 1999. Pending Secretary's approval. See Definitions below:
Non-protected Information - DHMH data or information, in any form or format, which has not otherwise been identified as confidential, highly confidential, commercial, or sensitive data. Data in which the Department has a proprietary interest may or may not be classified as non-protected.
Proprietary Information - Non-protected and protected data files in which the Department has a proprietary interest established through a copyright.
Protected Information - Confidential, highly confidential, commercial, or sensitive data or information in any form or format.
[4] DHMH, IRMA Data Remanence Protocol, October 1998.
[5] COMAR, Article 27, §45A (b)(2).
See attached Employee Agreement
DHMH Employee Laptop/Portable & Off-Site Equipment Use Agreement:
All equipment users must first sign the DHMH EIS and Non-Disclosure policies [2] [3], and be provided with a copy of this DHMH standard operating procedure (SOP). Upon request, IRMA will provide specific training in the procedures for securing this equipment. Each user of a laptop/portable or "off-site" data processing system must demonstrate an understanding of and agreement with this SOP by reading and signing this document. If Protected or Proprietary Information is later loaded onto or communicated using equipment originally stated to contain Non-Protected Information, it is the duty of the employee to resubmit this form for approval. Please contact IRMA if you have questions at (410) 767-6830.
I agree to follow the above procedures, and to exercise due diligence in maintaining
the custody of the equipment in my charge in accordance with the policies cited in this
document.
Employee: ________________________________ Date:__________
Copy to Property Accountable Officer only if Non-Protected Information is
contained on this machine. NO FURTHER INFORMATION IS REQUIRED.
If box is checked below stating that Protected or Proprietary Information is to be
contained on or transmitted by this machine, send a copy to Administration Director (or
designee) for approval and to the DHMH State Data Security Coordinator.
[ ]
Protected or Proprietary Information as defined in this document is contained on
this equipment and might be transported to and from State offices and other locations.
NOTE: The "System or Equipment Security Certification Checklist" is required
to be completed for this system.
If checked above, please list equipment type and serial number
Equipment Description DHMH Property # Manufacturer's Serial #
_____________________ ___________________ ___________________
_____________________ ___________________ ___________________
Equipment Returned [ ] Serial Number match
Date:_____________
Comments:______________________________________________________
Property Accountable Officer or Supervisor
____________________________________ Date:_________
DHMH 1999 VERSION
CONTROL #____________________
DHMH
Information Resources Management Administration
System Or Equipment Security Certification Checklist
For Laptops/Portable & Off-Site Data Processing Equipment Containing
Protected or Proprietary Data
Pursuant to Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security," and IRMA requirements, all items on this checklist must be completed. Please sign and date, and forward to the DHMH State Data Security Coordinator for approval prior to use. Please note that all equipment is subject to spot-check audits.
Required Security Practices Checklist (mark YES or NO for each item)

1. Is this notebook, portable (off-site) microcomputer protected with access control software, passwords and boot/power-on passwords?   YES [ ]  NO [ ]
2. Are network modem telephone numbers and network passwords absent from this equipment?   YES [ ]  NO [ ]
3. Are related software and files on removable media put into a locking storage unit when not in use, or maintained in areas that are locked when not in use?   YES [ ]  NO [ ]
4. Are only authorized, properly licensed and work-related software packages being used on this equipment?   YES [ ]  NO [ ]
5. Are backup procedures implemented on a routine basis for this equipment?   YES [ ]  NO [ ]
6. Is a virus scan protection program used on this equipment on a regular basis?   YES [ ]  NO [ ]
7. If YES in #6, will this program be updated every 2 years?   YES [ ]  NO [ ]
8. Has the primary user of this equipment signed the DHMH Software Policy, EIS Policy, and the Non-Disclosure Policy?   YES [ ]  NO [ ]
9. Is documentation available for each system application run on this equipment that addresses sufficient controls for maintaining the security of source documents before, during and after the data entry process, and the distribution (transmission) of the output?   YES [ ]  NO [ ]
10. Is this equipment year 2000 compliant?   YES [ ]  NO [ ]
11. Are appropriate precautions in place to prevent theft of this equipment?   YES [ ]  NO [ ]
12. Is the level of protection and security provided for this equipment the same as or higher than that provided for office-based equipment?   YES [ ]  NO [ ]
13. When sent to disposal, are all data contained on this type of equipment, or on portable media used with this system, properly eradicated?   YES [ ]  NO [ ]
14. Is encryption software used on this equipment?   YES [ ]  NO [ ]
15. Does the user understand, and have they signed, the DHMH Employee Laptop/Portable & Off-Site Equipment Use Agreement? (Signed copy to be attached to this document.)   YES [ ]  NO [ ]
__________________________________ __________________________
Unit/Agency Name
Contact Telephone
__________________________________ ___________________________
Director or Designee
Title
Date ___________________
If the equipment contains Protected or Proprietary data, please send this
completed form with a copy of the signed user agreement to: DHMH, IRMA, 201 W. Preston St.
21201, LL-4, Attention: State Data Security Coordinator
Version 1 - March 1999