Encryption Is Only Part of the Solution

As part of that plan, companies should employ data forensics technology and other forms of investigation that will help them determine what information was stored on a particular device and whether that information has been compromised. While it's unlikely that the missing laptop will be recovered, as it was in the VA's case, knowing exactly what data may have been exposed on each specific machine before it goes missing will give companies a starting point for launching their security efforts.

In maintaining a round-the-clock point of contact for workers when something goes wrong, the firm can respond to incidents and mitigate risks much faster, Rider said. The amount of time needed to begin reacting to a laptop theft is one of the most important factors in minimizing the impact of such a situation, Rider added.

Another step that businesses must take to respond to stolen laptops is to organize a team of specialists who can help determine how serious the implications of the event may be, and what requirements their firms may face in reporting incidents publicly. CSC advises its customers to craft a panel of technology specialists, human resources officials and legal counsel to try to get those facts straight and determine whatever regulations must be adhered to.

Executives at Pointsec Mobile Technologies, which markets endpoint device encryption applications, said enterprises must start with an internal policy that dictates how sensitive every piece of information is and how that specific data and the device it resides on must be protected.

"A big part of this is making sure that the user base and the entire IT department know what they need to do to protect the information," said Bob Egner, vice president of product management for the Lisle, Ill., firm. "If you don't engage in this type of planning before you implement security technologies, you may find that your needs aren't met by a lot of the products that are out there."

Pointsec recommends that its customers review all of the various device images they maintain, and the configurations of every type of machine, to determine what encryption tools fit each computer model best.

Companies should also look at their administrative and help desk systems to make sure computers are being updated properly, and that users have access to expertise to help them mitigate risks after a machine has gone missing.

Even when applying encryption software to their laptops, companies must plan strategically to best secure their data, said Chris Parkerson, senior product marketing manager at RSA Security's Data Security Division, in Bedford, Mass. Throwing a blanket encryption policy over your entire enterprise won't solve problems as effectively as examining the types of data that could be affected by a laptop theft, he said.

"CIOs can't just go out in a panic mode and start encrypting everything; it's smarter to be tactical and look at where exactly the data lives, what type of device it's on, and then it becomes a more understandable risk management problem," said Parkerson.

"It obviously won't help at all if you don't encrypt the right content," he added. "Traditionally, people have looked at securing systems, but now people are looking at where the data resides, and that's the right idea."

Internally, CSC has created a security incident control center that serves as a clearinghouse for any IT mishaps.