First of all, Happy Spring! Okay, I know it doesn’t feel that way yet, but we’re getting there. Hang in there.
Anyway, now that we’ve done the required small talk as outlined in the human interaction manual that my handlers insist I read, I need to remind you all about the importance of securing data on your personal devices, especially laptops.
This can be summed up in three bullet points, each followed by some informative and pithy remarks. So, let’s get to it.
1) Don’t keep sensitive data on your laptop.
If at all possible, anything that’s sensitive should not be stored on your laptop. This includes business-sensitive items, "Official Use Only" documents, or anything that has other restrictions (PII, Export Controls, etc). You can keep most of this stuff in Box (except PII at the moment, more on that lower), however make sure your’e not syncing any Box folders with sensitive data to your laptop. There’s a helpful document at http://inside.anl.gov/questions/information/can-i-store-ouo-pii-ucni-export-controlled-or-nda-type-information-box that outlines what we can and can’t keep in Box.
PII should be kept in Lockbox for the time being. You have a lockbox directory, and you can reach it at lockbox.it.anl.gov/users/<your 8 digit badge number>. If your badge number is 50133, for example, on a windows machine you’d use \\lockbox.it.anl.gov\users\00050133. On a mac, you would use smb://lockbox.it.anl.gov/users/00050133, and so on in that fashion. Instructions can be found here: http://inside.anl.gov/category/computing/cyber-security/personally-identifiable-information.
The key is that if it’s avoidable, this data should not be on your laptop. That way when you lose the laptop or have it stolen (it happens to the best of us), there aren’t any unfortunate newspaper headlines, congressional inquiries, Spanish Inquisitions (which nobody expects), or horrible, horrible fines. Which brings me to the second bullet point…
2) Read your training material!
Did you know you are personally responsible for data protection? Did you know you can be held financially liable for exposing sensitive data? If the answer to either of those is "no", then you haven’t read your training materials. Let’s look at SEC101 (http://www.eshtraining.anl.gov/courses/SEC101/loaders/SEC101.pdf). Specifically:
"Argonne National Laboratory and/or the individual employee may be liable if significant violations of Export Control Regulations occur. Penalties may include seizure of laboratory equipment, fines and prison terms."
Holy Guacamole! (Which is the best Guacamole, IMHO. Not too spicy, just the right amount of salt. Mmmm.)
The crux of it is to not be cavalier with the data you’re handling. You really need to take the necessary steps and precautions to protect it. I know you’re very careful, but you’re not always in control of what happens to your equipment, and it can get stolen before you know it. Just some simple mitigating steps can help everyone (this includes you, you’re part of everyone). The first step is bullet point #1 – keep the data off your laptop. But, okay, I get it. Sometimes you need the data local. Well, then, read on.
3) Protect your data with encryption!
If you’re running and Mac or Windows laptop, it’s super easy to encrypt the entire disk (File Vault for Mac and Bitlocker for Windows) will do the job just fine. You could create a separate encrypted partition or disk image to store data. There are options. But the key is don’t just presume the fact that your laptop requires a password to login is enough to protect it — it’s not.
(Side note: if your laptop doesn’t require a password to login, we’re going to have words. Some of them will be impolite, but part of that’s on you.)
If you’re running a linux laptop, or want help with setting up encryption, we can help you come up with a solution.
There you have it. Three bullet points, some whimsical musings, and some good advice. Well, I think it’s good advice, anyway. End goal here is that if you lose a laptop, the worst case scenario is no data of consequence is exposed, and we’ve demonstrated that we take data security seriously. Because if we don’t demonstrate that, we lose the ability to be in control of our data security. The last thing *I* want to have happen is that all our researchers lose the ability to run and administer their own laptops, but that’s the course we head down if we have data exposure.
I encourage you all to look at the CELS Systems Laptop (and Desktop) support policy at https://wiki.cels.anl.gov/IT/index.php/Laptops. As a group, CELS Systems is dedicated to making sure you can do your research as unencumbered as possible while being in compliance with Argonne and DOE policies – your attention to these details help us maintain that balance.
We now return you to your regularly scheduled programming. How ’bout that weather, huh? Oh right, I already discussed that.