1. Information Security Office
Riverside County Information Security Office

2. Laptop Theft: How Serious?
More than 600,000 laptop thefts occur annually, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information. Safeware Insurance, 2003
According to Gartner, the chances of a laptop being stolen this year are 1 in 10. Gartner Group, 2002
Gartner estimates approximately 70% of all laptop thefts are internal. Gartner Group, 2002
Laptop theft has been attributed to 59% of computer attacks in government agencies, corporations, and universities during Baseline, 2004
80% of those surveyed acknowledged financial losses due to computer breeches. CSI/FBI Computer Crime and Security Survey, 2002
97% of stolen computers are never recovered. FBI
Nearly 40 percent of victims do not report computer intrusions. CSI/FBI Computer Crime and Security Survey, 2005
81% of companies surveyed “reported the loss of one or more laptops containing sensitive information during the past 12 months.” “Data Loss Common for US Firms” PC World, August 17th, 2006

3. Data Theft: How Serious?
67.7% of respondents report the estimated value of proprietary data on their stolen computing device at $25,000 or less; 9.2% estimated the value at $1, or more and 2.3% estimated the value at more than $10,000,000.
The value of proprietary data on respondents stolen Computers averaged $690, per stolen Computer.
45.6% of respondents report other items were stolen at the time of the Computer theft, with removable media (including spare disks, stored files on CDs, removable media and spare hard drives) accounting for 21.8% of the additional stolen items.
Average total replacement cost of stolen computing devices was $14, per device. This does not include the cost of the data on the computing device BSI Computer Theft Survey

4. It’s not the Laptop – It’s the Data!

5. What’s an Identity Worth?
208 Identity Incidents this year
September, 2006:
Telesource – 11 SEP 06 (Social Security numbers and other personal information found in dumpster)
Cleveland Clinic (Florida) – 8 SEP 06 (Social Security numbers, dates of birth, addresses and other details of 1,100 patients stolen)
University of Minnesota – 8 SEPT 06 (Personal information of 13,084, including 603 Social Security numbers, on stolen computers)
Linden Lab / Second Life – 8 SEP 06 (Names, address, and payment information of almost 650,000 on hacked server)
BMO Bank of Montreal – 8 SEP 06 (Stolen laptop contains personal data for about 900 clients)
Florida National Guard – 7 SEP 06 (Social Security numbers of up to 100 soldiers on stolen laptop)
Chase Card Services – 7 SEP 06 (Tapes with information on over 2.5 million Circuit City cardholders thrown in trash)
Transportation Security Administration – 6 SEP 06 (Social Security numbers and birth dates of 1,195 mailed to wrong addresses)
Wells Fargo – 1 SEP 06 (Social Security numbers and names of Wells Fargo employees on stolen laptop)
City of Chicago / Nationwide Retirement Solutions – 1 SEP 06 (38,443 names, addresses, Social Security numbers, and dates of birth on stolen laptop)
Virginia Commonwealth University – 1 SEP 06 (Names, Social Security numbers, and addresses of 2,100 exposed online)
3,206,922 – Just in September.

6. ISO Policy “Hardware & Software Control”
...[A]ll hardware and software shall be obtained from or authorized by the department head or their designated agent.
This includes equipment such as Servers, PCs, Laptops, Printers, Cell Phones, Radios, PDAs, Telephones, portable media such as USB drives, CD-ROMs, CDRWs, DVDs, DVRs, [and] Software.
Department heads or their designated approving agent will authorize the adding of any networked component that is connected either directly to the County’s Wide-Area-Network, indirectly connected via a Local-Area-Network segment, or attached to an existing system.

7. Board Policy H-26 Board Policy H-26:
“As a minimum, departments will track laptop computers, and high-end cell phones, PDA’s and GPS receivers.”
“Any device used to store sensitive data or connect to the county’s network will be tracked […]”

8. But what is Sensitive Data?
HIPAA, Privacy Act, Personnel Data
California Public Records Act California Government Code
What about data that’s not covered?

9. Data Classification Policy
ISO Proposed Board Policy
Categorizes Public vs. Sensitive Data
Defines categories of Sensitive Data
Restricted Data
Private
Protected
Intellectual Property
Defines who decides what’s public and what’s sensitive.
Defines who owns the data
Still in work; under review by County Counsel

10. Theft or Loss Policy
Many departments have no policy or procedures on the theft of loss of IT equipment or the data it may contain
ISO Proposed Board Policy
In the event of theft or loss, the employee must immediately notify the:
Applicable Law Enforcement Agency (in the case of theft).
Department ITO
In all cases, Department must notify:
Information Security Office
Auditor-Controller’s Office
Still in work; under review by CISO

11. What about Personally Owned Devices?
Personally owned devices expand and blur the County’s information borders
Introduces new entry points for hackers, viruses, and other dangers.
In general, use of personally owned devices should be prohibited
If a county employee needs a tool for a job, the county should provide it.
Most uses of personally owned devices is for the users convenience – not the good of the County

12. What if a Department wants to allow Personally Owned Devices?
See last slide – don’t!
Department head is ultimately responsible for permitting use of Personally Owned Devices
Authorization in writing
List all required safeguards
List any limits to it’s use
Record specific acknowledgement that any county related information on the device belongs to the County

13. Questions?