Ruairi Quinn (Dublin South East, Labour)
Link to this: Individually | In context

Question 464: To ask the Minister for Social and Family Affairs the policies in place to secure portable electronic data devices in her Department; if those policies have been published; if so, the locations where they can be viewed; if a system of whole disk encryption has been rolled out to all laptops in her Department; the date by which she expects a satisfactory security policy on portable electronic data devices to have been implemented; and if she will make a statement on the matter. [32409/08]

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

The Department has a comprehensive written Portable Computing Device Security Policy, which is published on its in-house intranet site. Staff are advised, inter alia, that sensitive Department data should not be stored on portable computing devices or portable storage media. However, in the event that there is no alternative to local storage, all sensitive Department data stored on portable computing devices must be secured using one or more of the following as appropriate: Personal Firewalls; BIOS Passwords; Data/Application encryption using approved encryption techniques; Screen Locking; Screen Timeout.

Users are also instructed to protect Department-owned (or authorised) portable computing devices, removable storage components, and removable computer media from unauthorised access. Physical security measures should include the following: Portable computing devices, computer media, and removable components, such as disk drives and network cards, must be stored in a secure environment. Devices must not be left unattended without employing adequate safeguards such as cable locks, restricted access environments, or lockable cabinets.

When possible, portable computing devices, computer media, and removable components must remain under visual control while travelling. If visual control cannot be maintained, then necessary safeguards shall be employed to protect the physical device, computer media, and removable components. Safeguards shall be taken to avoid unauthorised viewing of sensitive or confidential data in public or common areas. Loss or theft of portable computing devices or storage media containing sensitive data must be reported via local management to the Head of Information Security.

The Department is currently engaged in a comprehensive review of the implementation of the policy across the organisation. All new laptops are issued with whole-disk encryption software. The Department is currently arranging a recall of its current stock of laptops to install encryption software. The process is expected to be completed by the end of December 2008. The Department is also engaged in implementing a policy to restrict the use of USB memory devices.

Ruairi Quinn (Dublin South East, Labour)
Link to this: Individually | In context

Question 465: To ask the Minister for Social and Family Affairs the number of Department owned computer desktops or laptops or other data devices, such as blackberrys and memory keys, reported lost, missing or stolen from her Department to date in 2008; the number of same later recovered or found; the number still missing; if sensitive or private data was compromised; and if she will make a statement on the matter. [32424/08]

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

The following data devices, owned by the Department, were reported stolen or lost to date in 2008 — Two Laptops — (1 house break-in, 1 office break-in); Two Desktops — Buncrana SWLO. None of these devices have been recovered. As all client data is held on central databases, no client data is held on the stolen computer desktops. Laptops can be used to access centrally stored client information through a secure remote log-in. No client data is retained on the laptops after the remote session ceases. Similarly, the Department's e-mail system retains its data in a central location although it can be accessed through a secure remote log-in.

It is now Departmental policy to password protect all laptops. All new laptops issued are encrypted and existing laptops are being recalled for encryption. The Department is also engaged in implementing a policy to restrict usage of USB memory devices. Members of staff who need such devices will be issued with encrypted devices and future usage will be restricted to these.