UAB's Portable Computing Security Initiative and Personal Laptops

Introduction

UAB's Portable Computing Device Security - Laptop Standard was approved on May 15, 2009.  The purpose of the standard is to outline the supported portable computing device security configurations for laptop computers at UAB.

Which Laptops are Affected?

UAB-owned laptops and personally-owned laptops are covered by this policy if they are being used for UAB Business, which is defined as any laptop accessing or storing information covered by the Information Disclosure and Confidentiality Policy.  That policy defines sensitive data as including (but not limited to) individually identifiable information, Social Security numbers, credit card numbers, driver's license numbers, proprietary research data, privileged legal information, and data protected by law such as student and patient records.

Examples of UAB Business

Examples of UAB Business include (but are not limited to) connecting to the UAB network if accessing secured network drives, accessing any system at UAB where you have more than "self-service" privileges (e.g. Oracle HR/Finance, Banner, OptiDOC, Budget Model System, Xtender, Sunflower, UAB Report Viewer, BlazerNET, Blackboard Vista, and Health Information Systems), contributing to or corresponding regarding research projects that UAB participates in or sponsors, storing UAB email via an email client (e.g. Outlook, Thunderbird) or saving attachments or files from your email or remote machine to the local laptop.

Requirements for Laptop Compliance

All such laptops performing UAB Business must meet the following requirements:

1. Use a UAB-approved encryption solution (currently, UAB approves PGP for Windows laptops and either PGP or FileVault for Mac laptops)
2. Use a strong login password
3. Use a screensaver password with automatic timeouts after 15 minutes of activity
4. Use antivirus software with up-to-date definitions
5. Upon retiring the laptop from UAB Business use, the data must be destroyed via a UAB-approved method

In addition, the department is responsible for keeping an inventory of all laptops conducting UAB business, including personally owned laptops.

How to Comply with this Laptop Standard

UAB Owned Laptops - The department has already contacted all personnel who are in possession of a UAB owned laptop that is being used for UAB Business, and the department IT staff is responsible for installing and configuring all necessary components in order to bring the laptop into compliance. 

Personally Owned Laptops - Users who wish to use their own laptops for UAB Business are responsible for complying with the policy.  Specifically:

• Users are responsible for understanding the policy requirements
• Users are responsible for ensuring that their laptop complies with the standards (e.g. installing encryption and antivirus software)
• Users are responsible for obtaining approval from their department once the laptop has been brought into policy compliance.  You will be asked present your laptop for inspection and to furnish information that the department is required to keep on file, such as your MAC addresses, serial number, model number, and how the laptop is used for UAB Business.

The relevant policies and publications may be found at the following links:

• Portable Computing Device Security - Laptop Standard
• UAB Strong Password Guidelines
• Data Protection and Security Policy
• Approved Encryption Methods
• Information Disclosure and Confidentiality Policy
• UAB IT Security Practices
• Secure Media Destruction
• Drive Wiping Procedures

Many of these policies can also be found at the UAB IT Related Policies page.

CIS IT will assist CIS users if they have any questions about any part of this process for their personal machines.  We have published the following documents as guidance to help users bring their personally owned laptops into compliance with the policy.  The documents include instructions for obtaining and installing antivirus and encryption software that is provided by UAB for your use on your personally owned laptops.

• Personally Owned Windows Laptops - Technical Guidance
• Personally Owned Mac Laptops - Technical Guidance

Once you have prepared your laptop, please contact your local IT staff to obtain department approval for your device.

Exceptions

The UAB Portable Computing Device Security - Laptop Standard states that "Laptops that cannot be encrypted due to incompatibility or obsolescence may not be used for UAB business."

If you have a laptop which is conducting UAB Business but which cannot comply with the UAB policy for technical reasons (e.g. unsupported OS, hardware too old to support encryption), there is an exception request process in place which may allow you to use the laptop.  The exceptions request form is found in Appendix A of the policy (page 4 of the PDF).  Please note that exceptions are granted only very rarely.

You will need to provide documentation regarding the lack of an alternate solution which would meet policy requirements, the technical reason why the laptop cannot be brought into compliance, a demonstrated need to conduct UAB Business from that device, the type of data which is accessed/stored on the device, and the alternative steps you are taking to provide data security. 

All exceptions must be approved by the department, the Dean, and the office of the President of the University, and appropriate paperwork must be filed with UAB Information Security.  Please contact your local IT staff to request more information.