If a university-owned computer is lost or stolen, and if that computer is storing legally protected sensitive data (social security numbers, credit card information, grades, transcripts, etc.), the university may be held liable for this loss. To combat this situation, CaTS is now installing a software program called CheckPoint Full Disk Encryption on new university-owned laptops. This software stores data in an unreadable format unless the proper credentials are provided. By using this software, the university can track which computers have been encrypted and can help avoid potential legal and financial risk. CheckPoint Full Disk Encryption will be licensed when you purchase a new laptop from Pomeroy starting 10/1/11. Because of the network resources required, the software will be installed by CaTS Desktop Services. Read the FAQ below for more info on this software.
If you are planning to travel outside of the U.S. with your laptop, CaTS recommends that you view the Travel Restrictions on Encryption Software (PDF). It contains important information about which countries have restrictions regarding encrypted information on your laptop. If you need to borrow a laptop for traveling outside of the country, please contact the Help Desk at (937) 775-4827.
Why Encryption is Needed
If a university-owned computer is lost or stolen, the question arises whether important information was stored on its hard drive. If there is a possibility that legally protected data such as credit card or social security numbers, grades, transcripts, etc., were on the computer, the university may be held liable for the loss. The loss of important research data can also negatively impact the university.
Encryption software protects the data on the hard drive by storing it in an unreadable form unless the proper decoder key is provided. By using an enterprise-class encryption product, the university can track which computers have been encrypted and can avoid potential legal and financial risk.
Mac OS and some versions of Windows include optional encryption software. While Mac FileVault does offer encryption, it lacks central management and reporting features. CheckPoint's management console also allows us to assist users if they forget their password.
If a Mac were lost or stolen, there would be no easy way for us to prove legally that it was encrypted at the time. Additionally, FileVault (and BitLocker on Windows) can introduce compatibility issues. Our tests indicate that the CheckPoint product offers better functionality and has less impact on system performance once the initial encryption process is complete.
The CheckPoint Full Disk Encryption product will be licensed when you purchase a new laptop from Pomeroy starting 10/1/11. However, because it requires certain network resources, it will be installed once the system is initially set up by CaTS Desktop Services. If your department does not use CaTS to set up the laptop, you'll need to arrange with the Help Desk for installation.
If you purchase a system other than the recommended HPs from Pomeroy, you'll need to arrange for the purchase and installation of CheckPoint FDE from CaTS. This includes all Mac laptops purchased starting October 1st.
The first phase of the rollout is focusing on newly purchased laptops. CaTS will also be working with targeted areas that regularly access known protected data. In these areas we will work with departments to identify existing laptops and potentially desktops that will need the encryption software. Over time, it is our goal to have all laptops configured with the encryption software and to identify key desktops that will require the additional protection that encryption offers.
CaTS maintains information about IT security on our website. You can learn more about how to protect your computer, common hacking methods and what types of information are considered protected.
Everyone is encouraged to watch the short 4-minute Do IT Wright security video available on the CaTS Security website. If you have specific questions about the new drive encryption program, please send an email to firstname.lastname@example.org with the subject "encryption" and someone will get back with you to discuss the matter in more detail.
Microsoft provides several layers of security and protection to control who can access and change your Excel, PowerPoint, Word, and Access data. For optimal security, you should protect your entire workbook file with a password, allowing only authorized users to view or modify your data. Additionally, you can protect certain worksheet or workbook elements with or without a password. This can help prevent anyone from accidentally or deliberately changing, moving, or deleting important data. You can help secure an entire workbook file by restricting who can open and use its data and by requiring a password to view or save changes to the file.
Password security at the workbook file level uses advanced encryption (a standard method of securing the content of a file) to help protect your workbook from unauthorized access. A password can be set on the Security tab of the Options dialog box (Tools menu, Options command). You can specify two separate passwords that users must enter to:
- Open and View the File: This password is encrypted to help protect your data from unauthorized access.
- Modify the File: This password is NOT encrypted and is only meant to give specific users permission to edit workbook data and save changes to the file.
These passwords apply to the entire workbook file. For optimal password security, it's best to always assign a password to open and view the file, and have users with permission to modify data enter both passwords.
Note: Password protection of a workbook file is separate from the workbook structure and window protection that you can set in the Protect Workbook dialog box (Tools menu, Protection submenu, Protect Workbook command).
Important: Use strong passwords that combine uppercase and lowercase letters, numbers, and symbols. Weak passwords don't mix these elements. Use a strong password that you can remember so that you don't have to write it down. Visit the Do IT Wright site for more information on secure passwords.
For more secure password protection of the workbook file and its properties, you can choose from several encryption types that are available for use with files. Encryption makes text unreadable to all but authorized users who have a public key that matches the encryption type and that allows them to decrypt the text.
To access encryption options, click the Advanced button on the Security tab of the Options dialog box (Tools menu, Options command).
Protecting Specific Worksheet or Workbook Elements
When you share a file so that others can collaborate on the data, you can prevent any user from making changes to specific worksheet or workbook elements by protecting, or locking down, certain parts of the file. You can also specify a password to allow individual users to modify specific elements.
Important: The following types of protection should NOT be confused with file security. They are not meant to make your workbook more secure and cannot protect it from users who have malicious intent.
- Worksheet element protection
- Permission to access specific areas of a protected worksheet
- Password protection of worksheet and workbook elements
- Workbook structure and window protection
- Protection of confidential data
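The difference between the two kinds of password above shows up in what the file actually stores. The following added example (not from this page or from Microsoft) implements the 16-bit password verifier that Excel 97-2003 files keep for the "Modify" password and for worksheet and workbook element protection; the "Open" password, by contrast, derives a key that encrypts the file contents. Function names and the sample password are assumptions.

```python
"""Legacy Excel password verifier (added example, not from the CaTS page).

Excel 97-2003 files (and the legacy `password` attribute in xlsx
sheetProtection) store a 16-bit verifier for the "Modify" and element
protection passwords, not the password and not an encrypted copy of the
data. Anything that checks only 16 bits cannot be "file security".
"""


def excel_legacy_verifier(password: str) -> int:
    """Return the 16-bit verifier Excel stores for `password`.

    Each character is shifted left by its 1-based position, any bits
    pushed past bit 14 wrap back to the low end, and the result is XORed
    into the accumulator. The length and a fixed constant are XORed last.
    ASCII input is assumed.
    """
    if not password:
        return 0  # no verifier is stored for an empty password
    acc = 0
    for pos, ch in enumerate(password, 1):
        value = ord(ch) << pos
        wrapped = value >> 15            # bits above bit 14 wrap around
        acc ^= (value & 0x7FFF) | wrapped
    acc ^= len(password)
    acc ^= 0xCE4B
    return acc & 0xFFFF


def verifier_hex(password: str) -> str:
    """Upper-case hex as written in <sheetProtection password="..."/>."""
    return f"{excel_legacy_verifier(password):04X}"


def excel_accepts(stored_hex: str, candidate: str) -> bool:
    """What Excel does when a password is typed for a protected element:
    recompute the verifier and compare 16 bits; nothing else is checked."""
    return verifier_hex(candidate) == stored_hex.upper()


if __name__ == "__main__":
    # Constructed sample: the verifier for "test" is the well-known CBEB.
    print("test ->", verifier_hex("test"))
    print("accepts 'test':", excel_accepts("CBEB", "test"))
    print("accepts 'Test':", excel_accepts("CBEB", "Test"))
```

Because the verifier has only 65,536 possible values, many different passwords map to the same stored value, which is why the page says element protection is not a security boundary.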
MacOS X FileVault
MacOS X 10.4 provides a system-level option for encrypting files on your hard drive. FileVault secures files in your home folder by encrypting and decrypting these files while you are using them. Files are encrypted with the login password for the individual user. If there are multiple user accounts on the local Macintosh system, each will need to be set up with FileVault separately. To be effective, auto-login of the user on the Macintosh should be turned off, requiring the user to type in their password each time the Mac is turned on or restarted.
FileVault settings are managed under System Preferences. A Master Password can also be set, allowing you to unlock any FileVault account on the computer. If either password is lost, there is no way to reset them and data can be permanently lost. As with any password, they should be selected for their security.
If a Macintosh hard drive protected with FileVault becomes damaged or corrupt, file recovery will be far less likely, so proper backups are all the more important.
Disk Utility (Applications -> Utilities -> Disk Utility) can encrypt data on a more limited basis. It provides the ability to encrypt a disk image of a folder on the local hard disk, which could then be stored according to university security policy. Again, as with FileVault, if the password is lost any data within the disk image cannot be recovered.
The Security Control Panel
This System Preferences panel provides access to several security features, including FileVault for encrypting home directories and secure swap space, which eliminates the chance of someone sifting through the swap space for passwords. It also provides configuration options for when passwords are required to gain system access.
MacOS X Screen Saver
The user password can be required to wake the system from sleep or screen saver mode by going to the Security option under System Preferences. Make sure that the box is checked next to "Require password to wake this computer from sleep or screensaver". This will help prevent passers-by from accessing the workstation.
MacOS X Auto Login
Macintosh systems can be set to auto-login as a certain user. Turning this feature off will enhance the security of the system. To check this setting, go to System Preferences, Accounts and click on Login Options. (You may be required to unlock the Accounts screen by providing the password for the admin account to gain access to Login Options.) On the Login Options screen, make sure that Automatically log in is not checked. With this feature turned off, each time the Mac is turned on or restarted, you will be challenged for a user name and password.
Mac OS X includes an application called Keychain. It is used to store and access usernames and passwords, such as those used by web sites that require logins. The default Keychain is called "login" and uses the login password. For further security, you can change the Keychain password so that it must be unlocked separately. This way, if someone gained access to your account, they would not have instant access to your Keychain as well. Keychain can also be configured to lock after a set period of inactivity. This option can be found under Edit -> Change settings for Keychain Login in the Keychain Access application.