Slashdot Mirror

← Back to Stories (view on slashdot.org)

White House Demands Encryption for Sensitive Data

Posted by ryuzaki0 on from the common-sense-after-the-fact dept.

An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"

1 of 214 comments (clear)

  1. Re:Oh, lookie here by tonan · · Score: 5, Informative

    I don't know how other departments and agencies deal with their networks, but all P2P software is banned from our machines (Air Force), and all known P2P/BitTorrent ports are blocked through our firewall. All client computers are scanned for illegal software (which includes Google Earth and iTunes) on a regular basis, and the local Information Protection Office will let you know if you are in violation.

    The 3-foot rule is an old EMSEC (Emmissions Security) rule that seems a bit outdated. It's supposed to prevent signal emmissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is is old and outdated.

    Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a .mil/.gov computer.

    IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.