A BOOMER STRATEGIC ADVANTAGE TM GUIDE TO MOBILE DATA SECURITY & PRIVACY



We have moved from concerns about theft of opportunity where laptops were simply sold on eBay® to make a buck.

We are now facing a much more sophisticated thief that is targeting the data stored on professionals’ laptops.


INTRODUCTION

Laptops are fantastic; they are mobile, powerful, and convenient.

They are also thief magnets. Over 400,000 laptops disappear each year, leaving distraught owners wondering who may be in possession of them, what may be happening with the lost data, and what to do next.

Some laptops are just lost—left in the back of cabs, at hotels, restaurants, or at conferences. Fortunately, many of these (but not all) find their way back to their lucky and relieved owners.

Other laptops are opportunity thefts, stolen by individuals looking to resell them on eBay®.

And ever more frequently they are stolen—not for the laptop itself—but for the data on the hard drive—financial, identity, or confidential business data. Visit the Privacy Rights Clearinghouse website at http://www.privacyrights.org/ar/ChronDataBreaches.htm to see just how many data breaches have occurred since early 2005. It is truly astounding that over 90 million identities have been compromised in that short amount of time. If nothing else, this should be motivation enough for your firm to start taking the steps necessary to protect its data.

Laptop Theft Facts
• 10% of laptops will be stolen within the first 12 months of purchase.
• 90% are never recovered.
• 49% of companies have had laptops stolen within the last 12 months.
• 57% of corporate crimes are linked to stolen laptops.
• 73% of companies had no specific security policies for their laptops in 2003.

It doesn’t really matter how it happens, but every week we read about another episode of sensitive personal and business information lost to the wild because a business or government agency has had a laptop computer lost or stolen. The common response is to shake our heads and wonder how and why they let it happen. Of course, it could never happen to us, could it? Stop reading right now and answer three questions:

1. How many laptops, PDAs, or portable storage devices does your firm possess?

2. How many of your clients are concerned about the confidentiality of information they have entrusted to you?

3. Are you doing what is necessary to protect that data?


Here are the most common answers:

1. Don’t know—quite a few I guess.
2. All of them.
3. Yes, sure we are. I think.

Well, if your firm is like most, it has probably answered the first two questions correctly. Unfortunately, question number three makes this a pass/fail test, and most businesses are currently failing. The problem of data and privacy breaches has reached such epidemic proportions that since 2003, 32 states have enacted laws requiring organizations to notify victims when personal information is leaked. Several of these laws even allow individuals to sue organizations that fail to safeguard their private data.

This guide provides the information that will allow you to 1) Adequately address the three phases of laptop security; 2) Secure the data on your mobile devices; 3) Develop an incident response plan should you unfortunately have a data breach; and 4) Track and recover assets that go missing.

The key to mobile data security is to be a proactive firm, instead of a reactive firm. It is not something that you can leave solely to the IT department, nor something that can be put off until after the “busy season.” Otherwise, when you think of it next it will be when you’re trying to figure out how and why you let it happen as you read about it in the newspaper.

Security Breach Notification Laws

State             Effective Date
California        July 1, 2003
Arkansas          March 31, 2005
Georgia           May 5, 2005
North Dakota      June 1, 2005
Delaware          June 28, 2005
Florida           July 1, 2005
Tennessee         July 1, 2005
Washington        July 24, 2005
Texas             September 1, 2005
North Carolina    December 1, 2005
New York          December 8, 2005
Connecticut       January 1, 2006
Illinois          January 1, 2006
Louisiana         January 1, 2006
Minnesota         January 1, 2006
Nevada            January 1, 2006
New Jersey        January 1, 2006
Maine             January 31, 2006
Ohio              February 17, 2006
Montana           March 1, 2006
Rhode Island      March 1, 2006
Wisconsin         March 31, 2006
Oklahoma          June 8, 2006
Pennsylvania      June 22, 2006
Idaho             July 1, 2006
Indiana           July 1, 2006
Nebraska          July 13, 2006
Colorado          September 1, 2006
Arizona           December 31, 2006
Hawaii            January 1, 2007
Kansas            January 1, 2007
Utah              January 1, 2007
Vermont           January 1, 2007


CONTENTS

Most organizations have spent considerable sums of time and money protecting their local area networks from threats such as viruses and external hackers. A few of the more progressive firms have even spent resources on protecting their networks from internal threats, both malicious and accidental. Unfortunately, gigabytes of your firm’s confidential information are walking out the door every day on your staff’s laptops—leaving the protective cocoon of your network. How do you tabulate the real loss if one of these laptops were stolen?

Personal data stored by your firm will always be subject to some risk. But that level of risk can be controlled with the proper investment in the three phases of mobile data security: Planning, Protection, and Response and Recovery.

PHASE I: Planning—pg. 5
• Data Classification
• Risk Assessment
• Mobile Data Policy Development

PHASE II: Protection—pg. 10
• Physical Security
• Authentication
• Encryption
• Data Backup
• End-User Education

PHASE III: Response & Recovery—pg. 15
• Incident Response
• Laptop Tracking Technology
• Poison Pill Technologies

APPENDIX TOOLS—pg. 18
• Sample Data Classification
• Sample Mobile Data Policy
• Sample One Page Mobile Data Security and Privacy Plan


PLANNING PHASE

The planning phase is an important first step that is often ignored. You must first know where you stand and where you are going before you can make an informed decision about the technologies you should leverage to achieve your goals.


PLANNING PHASE

During the planning phase a firm defines its goals and establishes its game plan for the protection of mobile data. This phase has three significant components:

• Data Classification
• Risk Assessment
• Mobile Data Policy Development

Data Classification

The first step in the planning phase is to establish and/or review the firm’s data classification program. Classifying firm data based on business risk, data value, or regulatory requirements makes good business sense. Not all data has the same value or risks, and a data classification program allows a firm to address its most significant risks by applying the appropriate levels of security. This, in turn, lowers the cost of overprotecting all data.

Before a firm’s data classification program can be implemented, the following questions need to be answered:

1. What are you trying to protect?

2. What are you protecting it from?

3. What are the regulatory requirements to consider?

First consider what data needs to be protected. Your answer should be based not only on applicable laws or regulations but also on other sensitive business information you may have stored on your mobile devices: business plans, proposals, employee lists, etc. At a minimum each firm should have at least three classifications of data:

1. Public: Information that—if disclosed outside of the firm—would not harm the firm, its staff, clients, or business partners.

2. Internal Use Only: Information that is not sensitive to disclosure within the firm but could harm the firm if disclosed externally.

3. Sensitive: Sensitive data includes information requiring compliance-related protection or proprietary information. Data considered to require compliance-related protection would encompass any information that 1) May identify an individual and 2) Has potential to harm or embarrass the individual or subject entity.


DATA REQUIRING COMPLIANCE RELATED PROTECTION

The next question is, “What are you trying to protect the data from?” For the purpose of this guide we assume that unauthorized disclosure of sensitive data is the greatest threat. In other cases, the concern could be unauthorized modification or unintentional destruction of the data.

The last item to address is, “Which of the many laws and regulations affect your firm’s data?” Could your firm feel the impact of laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or one of the 32 (current) state privacy breach laws? You will often find that you are impacted by more than one of these. Although all of them have many common aspects, each has different requirements for what data is covered, what are considered prudent precautions, etc. As such, the wisest strategy is to base your assessment on the most stringent of the laws.

Risk Assessment

The next step in the planning phase is to perform a risk assessment. While many firms have conducted risk assessments for other parts of their practices, most have not addressed the risk presented by data stored on their mobile devices. In its simplest form, your risk assessment should answer the following five questions in relation to your mobile devices and the data stored on them:

1. What could happen?
2. If it happened, how bad could it be?
3. What can be done?
4. How much will it cost?
5. Is it cost-effective?

Ordinary Personal Data
Data that may identify an individual person but is not generally considered “sensitive.”
• Name
• Telephone # (work and home)
• Address (work and home)
• E-mail address (work and home)
• Gender
• Marital status
• Number of children
• Date of birth or age
• Citizenship
• Education
• Income range
• Non-medical benefits information
• Purchase history
• Buying patterns
• Hobbies and interests

Sensitive Personal Data
Data that 1) May identify an individual person and 2) Has potential to harm or embarrass the data subject.
• Social Security numbers
• National ID numbers
• Driver’s license numbers
• Credit card numbers
• Account numbers
• Passwords, including PINs
• Criminal arrests or convictions
• Judgments in civil cases
• Medical information
• Administrative sanctions
• Race, ethnicity, national origin
• Data concerning sexual orientation or activity
• Financial data (such as credit rating)
• Salary & compensation
• Disability status


The “What could happen?” question should consider every possible threat. Some potential threats include:

• A laptop with client data is lost or stolen.
• Sensitive data is compromised over a wireless connection.
• A portable data storage device, such as a thumb drive, is lost or stolen.

For each scenario you determine by answering the first question, ascertain what the worst case outcome would be in both financial and non-financial terms:

• Loss of the client
• Loss of revenue
• A feature article on the front page of the Wall Street Journal
• All of the above?

With this step out of the way, look at what actions you can take to mitigate each risk. Encrypt sensitive data on hard drives or don’t allow that data to leave the office.

After you determine what can be done to prevent data from getting into the wild, estimate how much these actions will cost, both in real dollars and in reduced productivity or other qualitative measures.

Finally—taking these costs into account—is it cost effective to implement the risk mitigation measures, or would it be cheaper to transfer any risk to someone else through insurance? In some cases it may be that the risk is simply there, and the business decision for the firm is to just accept it.


Mobile Data Policy Development

The final step in the planning phase is for a firm to develop a mobile data policy based upon the results of the data classification program and the findings in the risk assessment. Now that you have identified the information you need to protect, you must develop a policy stipulating how that data will be protected. A mobile data policy is nothing more than a formal statement of the rules for staff members who have access to a firm’s mobile devices and data assets. The main purpose of a mobile data policy is to inform users and the administrators of their obligatory requirements for protecting the firm’s mobile devices and the data stored on them.

The policy should specify the protection mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a mobile data policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization.

A good mobile data policy should contain or address the following items:

1. Objective: Identify the business purpose of the policy. For example, the intent of the policy may be to prevent disclosure of client-confidential data stored on a mobile device—regardless of its owner.

2. Scope: Define which mobile devices are allowed and under what conditions. The scope should be flexible enough to handle the changing mobile environment and emerging technologies.

3. Risk Assessment: Clearly describe or define what constitutes “sensitive data” and specify which categories can be kept on a mobile device if proper protection is followed. Also indicate which categories must never be kept on a mobile device.

4. Security Measures: Define what users must do to comply with this policy. Identify recommended and required mobile data measures and practices users are required to follow, including banned activities. If users understand what they can and cannot do and why, they will be less frustrated and more likely to comply with the stated policy.

5. Notification Process: Define a notification process to ensure that Management, IT, Human Resources, and Legal are notified of a loss, so that appropriate action can be taken.

6. Enforcement: Define how you plan to implement and verify your mobile data policy.

7. Employee Sign-off: Issue a signed policy statement for all laptop users stating that they know and understand their responsibilities to protect the laptop from loss and theft and that violations may result in disciplinary action—including possible termination.

Once you have completed drafting a policy, ensure that it is communicated to all staff members and that everyone is trained on how to meet its requirements. You may want to provide each mobile user with a checklist to fill out if a laptop is lost or stolen. This checklist should include areas to indicate:

• The circumstances of the loss or theft
• A copy of the police report (if filed)
• A description of data stored on the laptop (confidential firm data, client data, etc.)
• Any necessary notification numbers

Remember, establishing a data classification program, performing a risk assessment, and establishing a mobile security policy do not ensure success. But they do enable the possibility for success. Not doing any of these tasks, however, will ensure failure.


PROTECTION PHASE

The protection phase looks at the tools at our disposal to protect mobile devices and the data stored upon them.


PROTECTION PHASE

After you have accomplished the planning phase you are ready to implement the protection phase. The protection phase looks at the available tools to protect mobile devices and the data stored upon them. In the same way firms practice defense in depth to protect local area networks (LANs), they must follow the same principles with mobile devices. To ensure that the defense is indeed in depth, a firm must consider the following five areas:

• Physical Security
• Authentication
• Encryption
• Data Backup
• End-User Education

Physical Security

Many different ways to control the physical security of a laptop are available, and they are the easiest to implement. Unfortunately, they are also the measures that are most often ignored. The reason is that most of your staff members are probably trusting individuals and usually feel comfortable at client sites and conferences. After all, they are surrounded by peers, and besides, they never leave their laptops for more than a few minutes. Many times people will leave laptops unguarded or under conference tables during breaks, figuring that conference staff is around to provide security. But both of these instances present all someone needs to walk away with a laptop and the data it contains.

Here are the minimum physical security measures you should have your staff follow:

• Don’t take data out of the office unnecessarily.
• Maintain positive control of your laptop.
• Utilize locking security cables and/or motion alarms.
• Keep laptops out of sight when not in use.
• Attach ID tags or engrave firm information on each laptop.
• Use a laptop bag that doesn’t look like one and place a conspicuously colored luggage tag on it.

The first step is to ensure that sensitive data does not leave the office unnecessarily. If the data is not stored on a laptop, it won’t be exposed if something happens to one. Sadly, many people maintain data on their laptops not only for current clients, but also for every client with whom they have worked.

Also emphasize to your staff members the necessity of maintaining positive control of their laptops. This means a laptop should never be out of a staff member’s possession in an unsecured state (without a locking cable or other physical security measure).

Almost all modern laptops are equipped with a security slot for cable locks that can be attached to immovable objects. This makes it more difficult for potential thieves to simply pick up and walk away with them. Even though these cables can be cut with a bolt cutter, they can additionally be combined with a motion detector alarm. Some even have alarms that sound if the cable is cut. Motion detectors activate whenever the laptop is moved or when it is moved a specified distance away from the owner’s pocket receiver, which also alerts the owner.


Never leave a laptop in plain sight—if it is visible, you may lose it! This is especially true for laptops left in vehicles or at hotels. Rental cars are often a special target of thieves, especially at popular restaurants or shopping malls. Don’t leave it in your car, but if you do, at least lock it in the trunk.

It’s always a good idea to attach ID tags to a laptop. (A business card would work, but tamper-proof tags are best.) Better yet, engrave your firm information prominently on the outside of the laptop and on its carrying case. These tags must indicate a contact number and a simple way to identify the laptop. Tags make laptops less attractive to potential thieves because they make them easy to identify and harder to sell. In addition, a laptop accidentally left behind is more likely to be returned if there is an easy way to identify its owner.

Use a laptop case that does not look like a laptop case. Toting a laptop case that says Dell or HP is advertising that you are carrying a valuable commodity. Consider using a backpack with your laptop in a padded sleeve. Men’s bathrooms at airports and convention centers are prime places for laptop thefts, as well as pay phones in busy areas. Attaching a large or conspicuously colored luggage tag that is securely affixed makes it less attractive because thieves greatly prefer to be “invisible.”

Authentication

Authentication is nothing more than a process that verifies a user’s identity. The most recognizable form of this is a network password. Unfortunately, this level of security won’t do the trick for protecting sensitive data. While you may have set up a password that prevents strangers from easily logging onto your machine, the sad fact is that data on a hard drive is easily accessible to anyone with even a little technical knowledge.

Password systems are vulnerable to various forms of attack. Brute force attacks, which attempt to gain unauthorized access by generating and trying all possible passwords, and dictionary attacks are two of the most common. Other methods of password invasion allow someone to change an administrator account’s password by using a SysInternals or Linux boot CD. Many thieves also simply remove the drive and plug it into another machine as a “slave drive.”

These reasons strongly suggest why any system that houses sensitive data should be configured to require strong authentication. Strong authentication requires the use of two (or more) different authentication methods. You can choose from among the following three:

• “Something you know”—Establishing passwords or providing correct responses to previously established questions are the most common examples of this method. This is also the most common user authentication method and the least expensive in initial cost. Perhaps not surprisingly, it is also the least secure of the three.

• “Something you have”—Tokens or smart cards are the most common examples. These provide the advantage of storing robust authentication information that a user does not have to remember—he or she only has to possess the smart card or token.

• “Something you are”—This method relies on biometric technologies that use a personal feature of the user. Common approaches include fingerprint recognition, hand geometry, face recognition, eye scans, and voice verification. The most commonly used in mobile applications is fingerprint recognition.

Luckily, many mobile computer vendors are starting to build capabilities for biometric authentication into their hardware. There is also a plethora of third-party strong authentication products that will work with the major operating systems. Even with the use of strong authentication, a thief in physical possession of your laptop will be able to defeat it. So be certain to use encryption as well as authentication.


Encryption

The general rule is that all sensitive data should be encrypted at all times, except when it’s being used by an authorized user. Encryption will do more to protect your mobile data than any other single technology—if it is implemented correctly. In fact, encryption provides such adequate protection to mobile data “at rest” that nearly all breach laws provide an exemption if the sensitive data was encrypted at the time of the disclosure. However, encryption alone is not a “silver bullet.” Nothing is ever 100 percent secure. All encryption can, theoretically, be cracked. The purpose of encryption is to make the cost of cracking data so high as to be impractical for any value it might bring. Let’s discuss some key points to ensure that it is implemented correctly.

First, be aware that there are two ways in which to encrypt information. The first option is whole-disk encryption, which encrypts everything on a computer’s hard disk—including operating system files. This is generally a seamless process for end-users, but there is a greater performance penalty with this method. The second option is targeted encryption, which encrypts everything a user saves either on an individual file basis or on an encrypted virtual disk. An encrypted virtual disk is simply a file that your encryption software “mounts” as a drive letter on your machine. You enter authentication credentials, generally a password or pass phrase, when mounting the virtual drive and thereafter access it normally. The contents of the drive are automatically encrypted and decrypted. Use of a virtual disk while encrypting only sensitive data is preferable because entire hard drive encryption has a noticeable effect on performance. Most software encryption packages can also be set to mount the virtual disk at startup so that it looks like any other drive. This procedure ensures a fairly seamless user experience.

The next implementation consideration is to ensure that you have “good-enough” encryption, so that nobody, at least not your average laptop thief, will be reading sensitive data in a short amount of time. You want a product that offers encryption based upon the Advanced Encryption Standard (AES), which uses a key length of 256 bits or better. Using any product that claims to have developed a proprietary encryption algorithm is not recommended. These have not been subjected to the proper amount of scrutiny to ensure authentic security.

Even when using encryption, train employees to use good passwords or pass phrases. Why? Because encryption does not make a bad password any more secure. A “brute force” attack may certainly be mounted against your encrypted data. If you choose something obvious, the attack would no doubt be successful.

The last consideration is definitely the most challenging. It isn’t selecting the latest and greatest algorithms—it’s managing your end users, devices, and data by assigning and keeping track of keys and enforcing proper usage. An encrypted virtual disk does you no good if the sensitive data that you care about is elsewhere on a machine. Ensure that you always have a master key or that users leave behind a copy of their keys. Like authentication systems, encryption systems require a key: a pass phrase, digital certificate, or some other identifier. Since most encryption systems don’t have a “back door,” you won’t be able to regain access to encrypted data if an employee loses the only copy of a key—or he or she leaves the firm on less than favorable terms. As such, always keep a non-encrypted copy of data secured on a LAN back at the office.
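The master-key point above, worked through as an added Go example (it is not code from this guide or from any encryption product it mentions): an encrypted virtual disk is modelled as a byte slice sealed with AES-256-GCM under a random data key, and that data key is stored wrapped twice, once under the user’s pass phrase for everyday mounting and once under a firm master key so the firm can recover the disk when the pass phrase is lost or the employee has left. The key-wrapping layout, the PBKDF2 iteration count, and the assumption that the master key is generated and held on the office LAN rather than on the laptop are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const pbkdfIters = 100000 // assumed iteration count for stretching the pass phrase

// EncryptedDisk models the container file an encryption package "mounts" as a drive
// letter: contents sealed under a random data key, which is stored twice, wrapped
// under the user's pass phrase and under the firm's master key (the escrow copy).
type EncryptedDisk struct {
	Salt          []byte // random salt for deriving the user key from the pass phrase
	UserWrapped   []byte // data key sealed under the pass-phrase-derived key
	MasterWrapped []byte // data key sealed under the firm master key, which stays off the laptop
	Contents      []byte // disk contents sealed under the data key
}

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA-256 for one 32-byte output block,
// written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)             // U1
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ { // U2..Uc, XORed into T
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand is documented never to fail on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on a wrong key or any tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed data")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CreateDisk makes a disk whose data key can be unlocked by pass phrase or master key.
func CreateDisk(passphrase string, masterKey, contents []byte) (*EncryptedDisk, error) {
	dataKey, salt := make([]byte, 32), make([]byte, 16)
	rand.Read(dataKey)
	rand.Read(salt)
	uw, err1 := seal(pbkdf2SHA256([]byte(passphrase), salt, pbkdfIters), dataKey)
	mw, err2 := seal(masterKey, dataKey) // escrow copy; the master key itself is never stored here
	ct, err3 := seal(dataKey, contents)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	return &EncryptedDisk{Salt: salt, UserWrapped: uw, MasterWrapped: mw, Contents: ct}, nil
}

// unlock unwraps the data key with unwrapKey, then decrypts the contents.
func unlock(d *EncryptedDisk, wrapped, unwrapKey []byte) ([]byte, error) {
	dataKey, err := open(unwrapKey, wrapped)
	if err != nil {
		return nil, errors.New("wrong pass phrase or master key, or damaged disk")
	}
	return open(dataKey, d.Contents)
}

// MountWithPassphrase is the user's everyday path; a wrong pass phrase fails here.
func MountWithPassphrase(d *EncryptedDisk, passphrase string) ([]byte, error) {
	return unlock(d, d.UserWrapped, pbkdf2SHA256([]byte(passphrase), d.Salt, pbkdfIters))
}

// RecoverWithMasterKey is the firm's escrow path when the user's pass phrase is gone.
func RecoverWithMasterKey(d *EncryptedDisk, masterKey []byte) ([]byte, error) {
	return unlock(d, d.MasterWrapped, masterKey)
}
```

Because the wrapped keys are authenticated, a wrong pass phrase, a wrong master key, or a modified container all fail cleanly instead of yielding garbage, which is what lets the firm's recovery path and the user's path coexist on one disk.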

Data Backup

One of the biggest mistakes many make with mobile data is to take the only copy of data on the road. If a laptop is stolen or a hard drive crashes, productivity is devastated. Even if data was encrypted, the firm will still incur costs trying to recreate what was lost. So always require end users to back up any laptop data onto a CD-ROM, DVD-ROM, or the local area network. Not only will this ensure you still have access to data if a laptop is stolen, but it can also help identify exactly which data a thief may be able to access. As such, you may be able to take measures to reduce the amount of damage that exposure could cause.


End-User Education

The last, but certainly not least important, aspect of the protection phase is mobile security awareness education for all end users. You may have issued laptop-locking cables, implemented strong biometric authentication, and configured encrypted virtual disks on every laptop, but using it is different than installing it. Not only must end users be educated on how to use particular protection measures, you must also educate them on why it is necessary and what the repercussions are for not following the firm’s policy. Also ensure that they are prepared to handle any potential security breach.

This does not require hours worth of education. Schedule classes of about half an hour to an hour, repeated at least quarterly for all staff, as well as present an introductory class to all new employees during the orientation process. You cannot provide this information once and expect your staff to remember and follow through. As such, the firm has to emphasize the importance it places on mobile data security, and one way to do that is by investing time in an ongoing education process. At minimum, your curriculum should:

• Promote awareness of the firm’s mobile security policies and procedures.
• Explain why this policy is necessary.
• Teach best practices to follow while traveling or visiting a client site.
• Recite procedures for any incident or data breach.
• Explain how compliance will be monitored and any penalties for non-compliance.


RESPONSE & RECOVERY PHASE

In the unfortunate event that you experience a data breach, it is vital that you have an action plan in place to respond immediately and start the process of recovering lost assets and mitigating the risks for all victims whose data has been breached.


RESPONSE AND RECOVERY PHASE

Protecting data before it is lost or stolen is an essential first step, but you may eventually come face-to-face with unfortunate incidents. When these occur you must have an action plan in place to respond immediately and start the process of recovering any lost assets while ensuring the thief will not have time to recover any sensitive data from his ill-gotten gains.

Incident Response

Hopefully you never have to deal with a stolen or lost laptop, but in the event you do—be better prepared than most. The most significant step in this preparation is to draft an Incident Response Plan (IRP). An IRP provides a structured logical action plan to follow during what, at best, would be a chaotic situation for any firm. This formal action plan breaks the incident into more manageable stages that can be followed as a roadmap. Also, following a formal methodology provides evidence of due diligence, which may become a consideration if liability issues arise in the aftermath of a data breach.

A formal IRP and related procedures are critical to a successful incident response. They must have the approval and support of a firm’s senior management to ensure that appropriate resources are available when required. Additionally, each member of the incident response team must be informed and knowledgeable of not only the plan, but also his or her specific responsibilities.

So what information should be included in a firm’s Incident Response Plan?

It should identify the response team of individuals inside and outside the firm who would be affected by an incident and who might be required to provide any necessary skills or knowledge (such as computer security professionals or legal counsel). Also identify the response escalation process and how and when each member of the incident response team is notified.

Consider the action/reaction steps for each incident. They must be addressed quickly, efficiently, and within appropriate legal boundaries. Reacting to an incident blindly will not reduce the impact. In fact, it will likely compound the issue. When dealing with a data security breach, ascertain three key items:

• What data was impacted?
• What are the relevant legal requirements?
• What are the necessary breach notification procedures?

Lastly, perform a post-mortem after every incident. Your firm should always seek to learn from the experience. Here are some questions to use as a guide for this process:

• Was there any data against policy on the laptop?
• If so, how did it get there?
• How can the firm prevent it from happening again?
• Was all data on the laptop properly secured?
• How was the laptop lost or stolen?
• How can additional training help avoid the same incident in the future?
• Did the incident response team follow the plan?
• What worked well, and what didn’t?
• What was the team not prepared for?


It is not always enough to know that whoever stole your laptop while you were held up in the airport security line will have a tough time trying to read your encrypted data. Sometimes it is necessary that you find the system and recover it. Granted, the primary value of a lost or stolen laptop is the data, but occasionally there are other reasons you may want to track it down – the most important being to determine who has it.

Laptop Tracking Technology

According to Ben Haidri, a PC theft recovery expert with Absolute Software, theft is 80 percent internal. His research indicates that it’s not uncommon for people to falsely report that a laptop has been stolen. In some cases an employee’s peer or the employee of a client may take an unsecured laptop. Determining who the thief is may allow you to rid the firm of an untrustworthy employee and help your clients do the same.

The best solution is laptop-tracking software, commonly referred to as Lo-Jack for laptops. This type of software reports the laptop’s IP address to an operations center when the system connects to the Internet. From there, the tracking company works with Internet service providers and local authorities to track backwards in order to find the laptop.

According to the FBI, 97 percent of stolen laptops are never recovered. While this type of system works well for internal theft, it is not necessarily reliable when a computer is stolen for its data or even for quick cash. Smart criminals know how to bypass this software easily. Most people think the first thing a thief will do is get online. In fact, most professional data thieves merely create an image of the hard drive and then either sell the laptop for cash or just dump it. If a thief sells the laptop, the tracking software will generally lead you to its buyer. You may get it back, but rarely will you ascertain the thief’s identity. But in the case of dishonest employees who just want a free computer, it will lead you right to them.

Poison Pill Technologies

Again, although recovering a stolen computer is preferable, data is still the most important consideration. Some view “poison pill” software as a fail-safe solution for a missing laptop. This software will perform a (theoretically) unrecoverable wipe of everything on the hard drive. This data wipe is generally configured to trigger in one of two ways:

1. By some sort of remote mechanism, such as a command sent to the laptop the next time that it is connected to the Internet.

2. A check-in timer that requires the “poison pill” software to check in with its control server on a pre-determined basis. If the software hasn’t communicated with its control server during this time frame, it wipes the data.

This “poison pill” technology is frequently bundled with other mobile security software as an additional feature. To ensure no accidental data wipes, a firm using this type of technology must take into account audit teams that may be in the field for extended periods of time.
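The following Python is an added example, not code from the guide or from any vendor's product, modelling the decision logic behind the two triggers above together with the field-team caveat: the 14-day silence window, the 3-day warning, the DeviceState fields and the approved "field extension" that pauses the timer are all assumptions made for the illustration.

```python
"""Check-in timer ("dead man's switch") for a "poison pill" agent: an added
example.  The policy values, the DeviceState fields and the approved "field
extension" that pauses the timer are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

OK, WARN, SUSPENDED, WIPE = "ok", "warn", "suspended", "wipe"


@dataclass
class CheckInPolicy:
    max_silence: timedelta  # wipe once the agent has been silent this long
    warn_before: timedelta  # warn the user this long before the deadline


@dataclass
class DeviceState:
    asset_tag: str
    last_checkin: datetime
    # Approved "in the field" extension: the wipe is suspended until this time
    # so an audit team on a multi-week engagement is not wiped by accident.
    field_extension_until: Optional[datetime] = None
    # Set when the owner reports the device lost (the remote-command trigger).
    reported_lost: bool = False


DEFAULT_POLICY = CheckInPolicy(timedelta(days=14), timedelta(days=3))


def evaluate(state: DeviceState, policy: CheckInPolicy, now: datetime) -> str:
    """Return the action the agent should take at time `now`."""
    if state.reported_lost:
        return WIPE  # an explicit remote wipe command always wins
    ext = state.field_extension_until
    if ext is not None and now < ext:
        return SUSPENDED  # approved field work: timer paused, no wipe
    # Once an extension lapses the silence clock restarts from its end
    # (assumption) so the user still gets the normal warning window.
    base = state.last_checkin if ext is None else max(state.last_checkin, ext)
    deadline = base + policy.max_silence
    if now >= deadline:
        return WIPE
    if now >= deadline - policy.warn_before:
        return WARN
    return OK


def simulate(state, policy, events):
    """Replay (time, event) pairs ("tick", "checkin" or "lost") and return
    the decision taken at each step.  A check-in resets the silence clock."""
    decisions = []
    for when, event in events:
        if event == "checkin":
            state.last_checkin = when
        elif event == "lost":
            state.reported_lost = True
        decisions.append((when.isoformat(), evaluate(state, policy, when)))
    return decisions


def decide_after_days(days_silent, extension_days=None, lost=False):
    """Convenience wrapper: last check-in at T0, evaluate at T0 + days_silent."""
    t0 = datetime(2006, 10, 1)
    state = DeviceState("LT-TEST", t0, reported_lost=lost)
    if extension_days is not None:
        state.field_extension_until = t0 + timedelta(days=extension_days)
    return evaluate(state, DEFAULT_POLICY, t0 + timedelta(days=days_silent))


def demo():
    """Constructed timeline: warned, checks in, goes quiet again, then gets a
    field extension; the wipe fires only after the extension has lapsed."""
    laptop = DeviceState("LT-0001", datetime(2006, 10, 1))
    out = simulate(laptop, DEFAULT_POLICY, [
        (datetime(2006, 10, 12), "tick"),     # day 11 silent: warn
        (datetime(2006, 10, 13), "checkin"),  # contact resets the clock: ok
        (datetime(2006, 10, 25), "tick"),     # day 12 silent: warn
    ])
    laptop.field_extension_until = datetime(2006, 11, 10)  # IT approves field work
    out += simulate(laptop, DEFAULT_POLICY, [
        (datetime(2006, 10, 27), "tick"),     # would have wiped: suspended
        (datetime(2006, 11, 12), "tick"),     # clock restarted Nov 10: ok
        (datetime(2006, 11, 24), "tick"),     # 14 days after Nov 10: wipe
    ])
    return [decision for _, decision in out]


if __name__ == "__main__":
    for step in demo():
        print(step)
```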

CONCLUSION

Laptops are a pervasive part of the accounting profession, and some will disappear. However, you will minimize liability by implementing a policy based on the three phases of mobile data security outlined in this guide. With sensitive data safe and sound, your only concern will be which shiny new laptop model to put in your shopping cart!


TOOLS FOR PROTECTING YOUR FIRM


You now have a model for approaching the important and complex issue of data security and privacy in a mobile environment.

The tools in this section will assist you in following the model and help you to plan, protect, and respond to potential threats.


APPENDIX A
SAMPLE DATA CLASSIFICATION

Purpose:
Data classification describes methods to categorize information for different levels of security protection. Alternatives vary in rigor (i.e., the degree of protection that they provide) and cost. Cost can be tabulated in dollars or in manual effort. In general, rigor and cost are directly proportional—the more rigorous a method, the more it costs. The firm should select methods that provide as high a level of assurance as possible within cost constraints.

Public
  Description of Data: Not sensitive - available to anyone internal or external to the firm
  Impact of Unauthorized Disclosure: N/A
  Possible Examples: Marketing materials, general information about the firm
  Access: All

Internal Use Only
  Description of Data: Slightly sensitive - not intended for external entities
  Impact of Unauthorized Disclosure: Adversely affects the organization
  Possible Examples: Internal phone numbers, client phone lists & business plans
  Access: Available to employees and approved nonemployees

Sensitive
  Description of Data: Sensitive - required to be controlled
  Impact of Unauthorized Disclosure: Adverse impact on individuals, the public & entire system, financial or legal liabilities incurred, undermines confidence in and the reputation of the organization
  Possible Examples: Client financial data, social security numbers & account numbers
  Access: Available to only authorized users

APPENDIX B
SAMPLE MOBILE DATA POLICY

Purpose:
The purpose of the Portable Computing Security Policy is to establish safeguards for the use of portable media and computing devices, including their connection to the Firm’s network.

Scope:
Portable computing devices are becoming increasingly powerful and affordable. With the growing need for instant communication and data access, the use of portable computing devices is becoming ever more desirable to replace traditional desktop devices in a wide number of applications.

This policy applies to anyone who utilizes portable computing devices to access the Firm’s information and computing environment, including firm owned, personally owned, or third-party owned portable computing devices.

This policy is not intended to address the use of portable computing devices by the general public to access the Firm’s electronic data and services.

Policy:
The Firm shall determine whether it will permit the use of both privately owned and company-owned portable computing devices and the level at which the devices are maintained and managed.

Definitions:
• Portable Computing Devices: These include, but are not limited to, Portable Digital Assistants (PDAs), notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs, RIM Blackberrys, MP3 players, text pagers, smart phones, and other similar devices.

• Portable Media: This includes, but is not limited to, compact disks, DVD disks, memory sticks, USB drives, floppy disks, etc. The portability offered by these devices may increase the risk of exposure to groups using the devices.

• User: Anyone with authorized access to the Firm business information systems, including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants, and other parties with valid Firm access accounts.

• Firewall: Software, or a combination of hardware and software, that implements security policy governing traffic between two or more networks or network segments. Used to protect internal networks, servers, and workstations from unauthorized users or processes. Firewalls have various configurations, from stand-alone servers to software on a laptop computer, and must be configured properly to enable protection.

• Screen Locking: Mechanism to hide data on a visual display while the computer continues to operate. A screen lock requires authentication to access the data. Screen locks can be activated manually or in response to rules.

• Screen Timeout: Mechanism to turn off a device or end a session when the device has not been used for a specified time period.

Procedures:
Section 1—Physical Security
Users must protect Firm-owned (or authorized) portable computing devices, removable storage components, and removable computer media from unauthorized access. Physical security measures shall, at a minimum, include the following:

• Portable computing devices, computer media, and removable components, such as disk drives and network cards, must be stored in a secure environment. Devices must not be left unattended without employing adequate safeguards such as cable locks, restricted access environments, or lockable cabinets.

• When possible, portable computing devices, computer media, and removable components must remain under visual control while traveling. If visual control cannot be maintained, then necessary safeguards shall be employed to protect the physical device, computer media, and removable components.

• Safeguards shall be taken to avoid unauthorized viewing of sensitive or confidential data in public or common areas.


Section 2—Operation and Maintenance
The Firm has established minimum portable computing device configuration requirements for company-owned, privately owned, or contractor-owned devices authorized for work use. The requirements must identify who is authorized to prepare portable devices for use on the Firm Business Information Systems, network, or telecommunications systems. The configuration guidelines address the following:

• Anti-virus Software: Portable computing devices must be equipped with anti-virus software in accordance with the Firm User Malicious Software Policy.

• System Configuration: Mandatory system configurations, settings, and software for either company-owned or authorized non-company-owned devices must not be modified without prior authorization by the Security Administrator. Portable computing device operating systems must be maintained with appropriate vendor security patches and updates.

Section 3—Data Protections
Given their small size and portable nature, it is more likely that these portable computing devices will fall into the wrong hands than a desktop system. The following guidelines are used to govern the management and maintenance of personal and company data on portable computing devices:

• Sensitive Firm data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all sensitive Firm data stored on portable computing devices must be secured in accordance with the Firm’s data encryption policy.

• All portable computing devices used to access the Firm’s data must follow the appropriate methods for securing the system. Methods for securing portable computing devices include, but are not limited to:
  • Personal Firewalls
  • BIOS Passwords
  • Screen Locking
  • Screen Timeout
  • Security Tokens

• Firm data must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized.

• If sensitive data is transferred/synchronized either via wire (LAN/WAN or Public Internet) or wireless connections (including to and from web sites, server databases, or email servers), it must be transmitted in an encrypted format using the Firm’s centralized, secured server. Using alternative methods of synchronization, including PC/MAC based synchronization software included with the portable computing devices, to synchronize with the Firm’s sensitive data sources is prohibited and subject to progressive discipline up to and including termination.

• Use of the included synchronization software from the portable computing device manufacturer is permitted when the data sources are not considered sensitive under the Business Systems Management Control Framework policy.

• Portable computing devices must not be equipped with remote system or application administrator privileges unless authorized. Portable computing devices equipped with remote system administrator capabilities must be assigned higher levels of security in accordance with the increased risk of an IT security breach or loss of device pursuant to the Business Systems Management Control Framework Policy.


• All remote access (dial in services) to the Firm must be either through an approved modem pool or via an Internet Service Provider (ISP). Refer to the Remote Access Policy for more information.

• Real time access to sensitive data using internal or public wireless networks requires the installation of the Firm’s Virtual Private Network (VPN) software on all portable computing devices. This software will provide for the requisite strong authentication and continuous encryption of the data.

• There are policies and procedures for the return of Firm-owned portable computing devices when the user’s employment or contract terminates, or the user’s assignment no longer requires the company-owned device. Such policies and procedures will include whether non-company data and software are permitted and, if so, who is responsible for their removal.

• When a device is removed from service, the IT equipment must be sanitized to remove information.

• The Firm must ensure that all company data and software are recovered, deleted, and securely overwritten as appropriate from privately owned and contractor-owned portable computing devices when the user’s employment or contract terminates, or when the portable computing device is no longer authorized for work use.

Section 4—Inventory and Audit
The Firm must develop and maintain an inventory for all company owned, privately owned, and contractor-owned portable devices authorized for work use with the Firm’s Business Information Systems. The inventory shall include the device make, model, serial number, date introduced into service, and party responsible for the device.

Inventory and security audits of portable computing devices are conducted and documented on both a regular and random basis.

Section 5—Enforcement
Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, or legal action as appropriate, or both.

Section 6—Policy Update and Notification
The Firm reserves the right to revise the conditions of this policy at any time by giving notice via the Information Security Policy Update Procedure. Users are responsible for understanding or seeking clarification of any rules outlined in this document and for familiarizing themselves with the most current version of this policy.

Section 7—Related Documents
• Business Systems Management Control Framework Policy
• Information Security Policy Update Procedure
• Remote Access Policy
• User Malicious Software Policy


APPENDIX C
Sample Plan: MOBILE DATA SECURITY & PRIVACY, JONES & Company LLP

DEVELOP A PLAN FOR MOBILE DATA SECURITY & PRIVACY.

Strategic Objective / Measurement

1. Obtain firm-wide consensus on the importance of protecting firm data in a mobile environment
• Owners, Managers, and employees understand and promote the initiative
• A task force has been created and assigned to address mobile data security & privacy

2. Perform the Planning Phase to define the firm’s goals and establish a game plan for protecting mobile data
• Data classification program has been developed
• Sufficient understanding of laws and regulations has been achieved
• Risk Assessment has been performed
• Mobile Data Policy has been established

3. Identify and utilize technology as the accelerator for Mobile Data Security & Privacy
• Identify systems that will allow the use of technology throughout the firm
• Monitor training opportunities that will insure compliance within the technology environment

4. Develop an Incident Response Plan
• Timeliness of response to a data breach
• Appropriateness of response to a data breach
• Ability of firm to communicate externally with a single voice

5. Educate, monitor and enforce compliance with the Mobile Data Policy
• Entire firm understands and complies with the Mobile Data Policy
• Survey of team members pre and post implementation


Strategy/Initiative, Due date, Assigned to

1.1 Develop a task force to address mobile data security & privacy
    Due date: February 1, 20xx. Assigned to: Executive Team
1.2 Research the threats in today’s mobile environment and collect supporting information
    Due date: February 28, 20xx. Assigned to: Task Force
1.3 Present the problem to the Executive Team to obtain buy-in
    Due date: March 15, 20xx. Assigned to: Task Force
1.4 Present the problem to employees throughout the firm
    Due date: March 30, 20xx. Assigned to: Task Force, Executive Team

2.1 Develop a Data Classification Program
    • Identify and Classify Public Data
    • Identify and Classify Internal Use Only Data
    • Identify and Classify Sensitive Data
    Due date: April 15, 20xx. Assigned to: Task Force
2.2 Identify regulations that pertain to your firm regarding a potential breach of sensitive data
    Due date: April 30, 20xx. Assigned to: Task Force, Legal Counsel
2.3 Perform a Risk Assessment for data on Mobile Devices
    • Threat assessment
    • Cost-benefit analysis of potential actions
    Due date: May 15, 20xx. Assigned to: Task Force
2.4 Develop a Mobile Data Policy
    Due date: May 31, 20xx. Assigned to: Task Force

3.1 Research potential hardware and software to address threats identified in risk assessment
    Due date: June 15, 20xx. Assigned to: Task Force, I.T.
3.2 Contact technology vendors for demonstrations or trial software/hardware
    Due date: June 30, 20xx. Assigned to: Task Force, I.T.
3.3 Insure that the technology vendor has training materials and/or training personnel available for the firm’s use
    Due date: June 30, 20xx. Assigned to: Task Force, I.T., Training/Learning Director

4.1 Identify required capabilities and form an Incident Response Team
    Due date: May 31, 20xx. Assigned to: Executive Team, I.T., Legal, H.R.
4.2 Develop a communication plan including an escalation process
    Due date: June 15, 20xx. Assigned to: Incident Response Team
4.3 Develop a plan with action/reaction steps required in the event of a data breach
    Due date: June 15, 20xx. Assigned to: Incident Response Team
4.4 Develop a post-mortem process to learn from previous incidents and increase preparedness for subsequent incidents
    Due date: June 15, 20xx. Assigned to: Incident Response Team
4.5 Educate and communicate the plan throughout the firm
    Due date: June 30, 20xx. Assigned to: Incident Response Team, Training/Learning Director

5.1 Develop and administer training on the policy and technology implemented
    Due date: Quarterly. Assigned to: Training/Learning Director
5.2 Develop reports within the system that will ensure that all staff members are complying with the policy
    Due date: Quarterly. Assigned to: I.T. Director
5.3 Insure that Partners, Managers, and Supervisors are informed of any non-compliance with the policy
    Due date: Quarterly. Assigned to: I.T. Director


ABOUT THE AUTHORS

ERIC MCMILLEN, CISSP, CISM, CISA

Eric is the CEO and Chief Security Architect with The McMillen Group, LLC headquartered in Plano, Texas. He has been a consultant for the last ten years of his 15-year career. Eric’s expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous penetration tests, vulnerability assessments, security audits and architecture reviews for clients in financial, accounting, healthcare, and other industries.

Prior to forming The McMillen Group, he was a Manager in both the Network Security and Infrastructure practice and the National Information Systems Assurance practice for BDO Seidman, LLP, an international accounting and consulting practice. He was also previously the Chief Technology Officer for an international consulting firm, specializing in the Accounting and Professional Services sector. He is a Certified Information System Security Professional (CISSP), has published numerous articles and is often invited to speak at various industry conferences.

Eric McMillen
The McMillen Group, LLC
[email protected]
Telephone: 214-329-9730
Facsimile: 866-375-6006
mcmillengroup.com

JIM BOOMER, MBA

Jim Boomer is a Senior Consultant with Boomer Consulting, Inc. where his responsibilities include the Boomer Technology Circles™, strategic technology consulting, and internal project management. He recently completed his Masters in Business Administration at the University of Texas at Austin.

Prior to joining the Boomer team in 2004, Jim spent more than four and a half years with BearingPoint (formerly KPMG Consulting) in San Francisco, CA and Arthur Andersen Business Consulting in the Phoenix, AZ and San Francisco, CA offices. Throughout Jim’s professional career, he has worked on many diverse projects in varied industries. His consulting has focused on IT strategy and implementation. His past client list includes several Fortune 500 companies. Jim’s most recent projects have focused on Knowledge Management, Document Management, Workplace Collaboration, and Corporate Portals. He has also had experience with several e-Business and Business Intelligence technologies.

Jim Boomer
Boomer Consulting, Inc.
[email protected]
Telephone: 785-537-2358
boomer.com


BOOMER CONSULTING

…provides strategic planning and consulting services to the leading firms in the accounting industry through The Performance3™ Formula: Planning, People and Processes. Our strategies provide a road map for transformation, team building and excellence.

Our unique processes include The Boomer Technology Circles™, The Boomer Advantage Guides™, The Firm Summit™, as well as technology and management related consulting services.

Boomer Consulting specializes in the following service areas:
• The Firm Summit™
• The Strategic Planning Process™
• The Technology Review™
• The Team Integrator™
• The Paperless Transition™
• The Boomer Technology Circles™
• The Firm Coach™

For more information on any of these services, please contact Eric Hunt at [email protected], or call us at 888-266-6375.

boomer.com

The Boomer Advantage Guides:
• Guide to Strategic Planning
• Guide to Paperless Transition
• Guide to Human Capital
• Guide to Training and Learning
• Guide to Outsourcing
• Guide to Succession Planning
• Guide to Partner Compensation
• Guide to Selecting a Managing Partner
• Guide to Risk Management in the Digital World
• Guide to Performance Management
• Guide to Mobile Data Security & Privacy


This publication is meant to strengthen your common sense, not to substitute for it. It is also not a substitute for the advice of your advisors, personal and professional.

If you would like further information about The Boomer Technology Circles™ or other Boomer Consulting, Inc. services and products, please telephone 785·537·2358 or 888·266·6375—or by E-mail at: [email protected]

610 Humboldt Street
Manhattan, KS 66502–6035

TM and © 2006 Boomer Consulting, Inc. All rights reserved. No part of this publication may be reproduced in any form, or by any means whatsoever, without the written permission from the publisher, except in the case of brief quotations embodied in critical articles and reviews.

8951 10.18.06