Public Safety and Emergency Preparedness Canada - Sécurité publique et Protection civile Canada
IN04-001: General best practices for laptop security

Purpose

The purpose of this paper is to provide advice on best practices for securing sensitive data stored within laptop computers. This includes physical security in the handling of laptops and securing the information therein.

Audience

This Public Safety and Emergency Preparedness Canada (PSEPC) Information Note is intended for both laptop users and those responsible for the security of laptop computers that store sensitive data, such as programs related to the functionality of critical assets.

Introduction

Laptop computers are increasingly being used by Canadian industry and government to store and transport sensitive data. Laptops are a desirable tool due to their portability and ease of use; however, as computer technology becomes more advanced, so do methods of exploiting vulnerabilities inherent in the laptop's configuration and existing security protocols. Theft of industry-owned laptop computers from residences and offices is not an uncommon occurrence in Canada.

If an unauthorized user has physical access to a laptop computer system, then gaining administrative access (i.e. the ability to run any program) to the laptop, and its sensitive data, is a simple process. There are some hardware-based security devices available that can increase the time required to break into a system from a few minutes to a few hours.

Best Practices

Strong Authentication

Enforcing strong authentication on laptops is one of the best measures to prevent unauthorized access to sensitive data. To ensure only authorized personnel are able to gain access to a laptop computer, a user should be required to present at least two of the following:

a) something they know (password/passphrase matched with a username);
b) something they have (hardware token, smart card); or,
c) something they are (biometrics).

Encryption

It is recommended that sensitive information on laptop computers be kept encrypted at all times. Encryption involves scrambling a file or other type of data, known as the "plaintext," in order to render it unusable or unreadable. Properly implemented encryption will make it extremely difficult for unauthorized users to gain access to stored data. The most commonly used encryption technologies include full disk, volume, and file and folder encryption.

Full disk encryption is recommended as a comprehensive method of ensuring that data is secure. Once all partitions of a hard drive are encrypted, they are very difficult to compromise. Encrypting the full disk drive also prevents access to any sensitive software applications that may be on the laptop.

Additional Tools

  • Maintaining up-to-date anti-virus, patching, and personal firewall software is a good general network security practice.

  • Laptops are not to be left unattended in any environment that is not secure.

  • Locking cables are inexpensive and they help to prevent the physical theft of laptops.

  • Asset tags are a low-technology security device that will assist in protecting the security of laptops. These semi-permanent tags will leave a type of tattoo if removed. This simple security measure may deter those thieves who realize an identifying mark will be left on the laptop.

  • Another type of tag includes radio frequency identification (RFID) tags. The RFID tag transmits identifying information about the laptop to nearby sensors that are located along a specified perimeter. When the laptop is removed from the perimeter, an alarm is triggered. Location tags will disable the system if the laptop is removed from a specified area.

  • Motion-detection devices can identify when a laptop is being moved. Moving the system will trigger an alarm that increases in volume as the system is in motion. A password for activating or deactivating the motion-based security device can be added.

Last updated: 2005-10-19