New Policy Includes Purge of Sensitive Data on Portable Storage Devices
Governor M. Jodi Rell today announced a new statewide security policy governing laptop and mobile computing devices as well as storage devices. The policy, developed by the Department of Information Technology (DOIT), takes effect immediately and applies to all executive branch agencies.
At the same time, Governor Rell directed all agencies to assess and purge sensitive data currently on laptop computers and portable storage devices if there is no compelling business need for the information to be stored on those devices.
“The safety and security of taxpayer and resident information must be our top priority,” Governor Rell said. “This new policy puts strict requirements and controls on the use of restricted or confidential data on mobile computing devices, including not only laptops but palm-sized devices such as BlackBerries®, and on all sorts of storage media such as floppy disks, ‘jump drives’ and CDs.
“The loss of the Department of Revenue Services information is an accident that never should have happened,” the Governor said. “The public entrusts considerable information to state agencies and it is up to us to keep that trust. The bottom line is very simple: Personal information should not leave the security of state facilities except under certain carefully controlled circumstances – and then it should be safeguarded in every way.”
The policy requires agencies to adhere to new restrictions and accountability measures – including mandatory risk assessments and written authorization from the agency head – for any instance in which restricted or confidential data must reside on a mobile device for business reasons.
The policy requires any data residing on a mobile device under these controlled circumstances to be encrypted, limits the amount of data and length of time it may reside on the mobile device and requires protections from unauthorized access and disclosure.
Governor Rell ordered DOIT to accelerate selection and deployment of enterprise encryption tools for use by state agencies. Since early 2007, a multi-agency working group has been working to identify standards and tools for agency use.
On September 1, Governor Rell ordered the development of a new security policy containing some key features, including the following:
A requirement that agencies immediately notify the Department of Information Technology (DOIT) when a laptop computer is missing, stolen or lost;
A requirement for agencies to monitor and restrict sensitive data from being placed on laptop computers and portable devices, especially when that data is available through more secure means;
An expansion of the use of secure data access and transport tools, including VPN technology, to enable fieldworkers and other State employees to remotely access sensitive data rather than downloading data onto laptop hard drives.