Securing So Cal
Dec 1, 2007 12:00 PM, By Stephanie Silk
As current events repeatedly highlight laptop loss and theft — such as the 2006 theft of laptops containing the Social Security numbers of millions of U.S. veterans — more companies and federal departments are taking notice. Los Angeles County and its 38 departments have about 12,500 laptops and other portable devices that the county's constituents expect to be protected.
Al Brusewit, chief information security officer for the county, says the L.A. County Board of Supervisors became concerned about the risk of another major laptop theft. “We decided to encrypt all laptops — whether or not they contain sensitive information — and not to allow the user to disable the encryption. It would be centrally controlled, installed and driven by policy in order to maintain protection of those assets,” he says.
“Any private business that loses customer data or business partner information puts themselves at risk,” he says. “And now there is a general awareness in the country that we need to take special care of portable devices. That kind of event is just too common these days, and I don't think you can wait around to have an event to protect yourself.”
The county has experience with stolen laptops. Some of the county's past thefts involved sensitive information, and some did not. When a computer that had private records on it was stolen, Brusewit says they had to notify each person affected and tell him or her what they needed to do. But he says even when a stolen laptop doesn't have that kind of data on it, the county still needs to be careful. “[In the case] where we had unencrypted devices stolen from cases in cars and they didn't contain sensitive information, we obviously still want to protect ourselves,” he says.
So what's the motive of a thief if the data isn't crucial? Brusewit says it's mostly to resell the laptop. “Stealing a laptop is fairly common. It's an easy PC that they can turn around and resell,” he says. “I don't think it's to get information for privacy or for stealing people's IDs.”
Even so, L.A. County's goal is to treat any theft as though the motive is to get sensitive data.
Robert Pittman, deputy chief information security officer for the county, says that after deciding its laptops needed to be encrypted, the county developed a detailed request for proposal (RFP) in June 2006. The RFP specified 182 technical requirements when it was released to vendors in October 2006. The county evaluated the submissions, and a month later received proofs of concept from the top-rated vendors.
Citing the product's quick configuration, easy deployment, low administrative demand on the IT team, strong encryption and low operational cost, L.A. County awarded the contract to Check Point Software Technologies Ltd., Redwood City, Calif., in January 2007. It took another five months to develop a price schedule and a master agreement.
“Based on our requirements and the proof-of-concept testing, it was Check Point's Pointsec product, through The Vantage Group, that received the contract,” Pittman says.
Check Point Software Technologies Ltd. is a worldwide Internet security vendor. Its Pointsec line of products protects and encrypts sensitive corporate information stored on PCs and other mobile computing devices.
Through The Vantage Group, a Check Point partner that designs, implements and supports data security solutions, L.A. County purchased Pointsec PC for more than 12,500 laptops and received more than 100 hours of Quick-Start consulting and options on Pointsec Protector.
Pittman says the training was twofold. “Vantage did a great job of developing a day-and-a-half Quick-Start training session. For 12 hours, a technical representative from each department was trained. Once they attend and leave, they then train the rest of the technical staff within their department,” he says.
“The objective was to create a training and knowledge transfer vehicle to provide practical guidance and diagnostic techniques,” says Les Flammer, managing partner for The Vantage Group.
The end-users did not require training because the program is fairly transparent to the user. “[End-users] do not see a difference from Windows logon. That was a strategy to solve this,” Brusewit says.
Pointsec products also extend to mobile devices such as phones and PDAs, but the system at L.A. County is not set up for that yet. “We contracted for Pointsec for PDAs, but we have not started that implementation yet,” Brusewit says. “However, our policy says that if anyone has personal sensitive info on a PDA, it must be encrypted.”
The installation is still ongoing and is expected to be 90 percent done by the end of the year. Flammer reports monthly to county management on the status of the project.
It's hard to see results thus far, but Brusewit says that no news is good news. “We haven't had any real results yet, but that must mean it's working. I'm comfortable that should a laptop fall into the wrong hands, all data on the device will remain protected.”
© 2008 Penton Media Inc.


