Interface Online Center for Information Technology (CIT)

Summer 2008 [Number 241]


Keeping Your Laptop and Data Secure

Laptop computers offer the convenience of mobility, connectivity and technology—virtual offices on the road—but these qualities also make them vulnerable to the risk of loss or theft. Losing possession of your NIH-issued laptop creates opportunities for wrongful or malicious access to NIH data. The recent theft of an NIH employee’s laptop containing sensitive patient data has led to a renewed focus on ensuring the installation and use of full-disk encryption on all NIH laptops (unless a waiver is in place). However, beyond encryption, laptop users need to be aware of the precautions they should be taking. Anyone in possession of an NIH-owned laptop should take a few minutes to review the recently revised NIH Laptop Computer Security Brochure (http://irm.cit.nih.gov/security/laptop_sec_broch.doc).

The brochure includes useful tips on preventing theft or loss, data protection, NIH policy requirements and resources for assistance. Excerpted from this useful brochure is the following basic advice on keeping your NIH laptop, and the sensitive information stored there, safe.

Preventing theft or loss

It only takes a moment of distraction for your laptop to vanish. No one thinks their laptop will be stolen—at least not until they find the trunk of their car broken into, notice that their laptop isn’t waiting at the other side of airport security, or get a refill at the coffee shop only to turn around and find their laptop gone. Always assume thieves are watching and waiting patiently for your moment of distraction.

  • Treat your laptop like cash: Never leave it unattended in an unsecured environment—even for a few seconds.

  • Never store passwords: Including your password in a carrying case or on your laptop is like leaving the keys in your car.

  • Keep it locked: In the office, store the laptop in a locked drawer and lock your door when you leave.

  • Keep it off the floor: When in public—at a conference, coffee shop or a registration desk—avoid putting your laptop on the floor. If you must put it down, place it between your feet or against your leg, so that you are constantly aware of it.

  • Pay attention at airports: Hold on to your laptop until the person in front of you has gone through the metal detector. Then, keep a watchful eye on it as the laptop emerges on the other side of the screener.

  • Keep it out of the car: Don't leave your laptop in the car—not on the seat, not in the trunk. If you must leave it behind, keep it out of sight. Avoid putting it in the trunk just prior to leaving your car—anyone watching knows it's in there! Don't leave laptops in vehicles for extended periods. Winter temperatures can freeze and split LCD screens, and a hot summer day can melt components.

  • Disguise the bag: When transporting your laptop, using a laptop carrying case advertises what's inside. Consider using a suitcase, a padded briefcase or backpack instead.

  • Be vigilant in hotels: A security cable may not be enough. If available, put the laptop inside the in-room safe. At minimum, keep it out of sight (in a drawer or in your suitcase). Consider putting the "Do-Not-Disturb" sign out when you leave.

  • Alarms: Consider laptop alarms, hard drive locks and/or "lo-jack" type programs that report the location of a stolen laptop once it's connected to the Internet. Some machines come with fingerprint readers.

If Your Laptop is Lost or Stolen: Immediately notify the NIH Help Desk, your supervisor and your Information Systems Security Officer (ISSO). As soon as possible, notify law enforcement personnel, the building security office and your IC property manager.

Protecting data and external media

  • Passwords: Use a strong log-in password that is not easily guessed. Immediately change the default password on new laptops and never set the log-in dialog box to remember your password. Use a password-protected screen saver that comes on after a few minutes of inactivity.

  • Keep your system up-to-date: This includes antivirus and spyware programs. Operating system and application software must be patched with the latest security fixes. Bring your laptop to work at least every 30 days and connect it to the NIH network—this will ensure all updates and patches are installed.

  • Back up your data: Copy data to a CD, DVD, USB flash drive or a local or network server that is backed up on a regular basis. If the data is sensitive, make sure the back-up is secure. For example, if you back up sensitive data to a USB flash drive or other portable device, that device must be encrypted.

NIH policy requirements

The brochure addresses various policies that apply to the use of NIH-owned laptops, including requirements for asset tags and property passes, warning banners, automatic updates of anti-virus software, and wireless and remote access to NIHnet.

All government-owned laptop computers must have fully functional encryption software installed. Sensitive information, including personally identifiable information, cannot be stored on any laptop or portable/mobile device unless it is encrypted. PointSec encryption software, currently in use for Windows 2000, XP, Vista and Linux, will soon be available for Macintosh platforms.

Resources and assistance

While using an NIH-owned laptop has incredible benefits, remember that it’s also a privilege that comes with responsibilities. You are accountable for your laptop, the data that resides on it and the security of its connectivity to other sources—most notably NIHnet. Laptops are stolen every day and the vast majority are never recovered. The value of the laptop itself pales in comparison to the incalculable costs of lost data, a breach of sensitive information and/or unauthorized access to NIH networks. Laptop security should be an ever-present concern. When you think it’s secure—think again and make doubly sure you have taken every necessary precaution.

If consulting the NIH Laptop Computer Security Brochure leaves you with further questions, CIT offers a number of other resources to address security concerns:

Information System Security Officers: http://irm.cit.nih.gov/nihsecurity/scroster.html

Information Security website: http://www.cit.nih.gov/security.html

Information Security and Policies: http://irm.cit.nih.gov/security/sec_policy.html

If you have further questions or are unsure how best to secure your laptop and the data it contains, ask the NIH Help Desk at http://ithelpdesk.nih.gov or by phone at 301-496-4357, 301-496-8294 (TTY) or toll free at 866-319-4357.

Note: To view the Word document linked above if you do not have Word installed, you can download Microsoft's Word Viewer.

 
Published by Center for Information Technology, National Institutes of Health