Am I right to be Upset?

[rockymtnhigh]

Ok, after months of b.s. waiting for my tablet pc (Lenovo's customer service sucks, btw) I cancelled it, and ordered a Fujitsu LifeBook, newest model, from Newegg. Will have it in a couple days.... anyway.... the IT Dept. at the College has instituted some stupid policy requiring ALL portable machines to be encrypted.

They are demanding that I have the encryption software installed on it; even though there is no sensitive data on the machine, and my sole purpose for it, is for note-taking for my research. I am balking at this because: 1) the encryption software puts about a 10% hit on performance; and 2) with the hard drive encrypted, it makes it very difficult to transfer data to other machines (so I am told anyway).

I could understand if I worked in financial aid, and had student social security #s and other sensitive data on this machine, but they have no friggin clue how to craft policy. Lets see.... in order to make sure there is no problem with data getting stolen... we'll conduct surgery with an axe, instead of a scalpel... and just have a blanket policy.

I protested yesterday - haven't heard back - but I fully intend to NOT have this machine (which came from GRANT FUNDS not STATE FUNDS) encrypted. Am I right to be upset?

 

[Neutron]

You have every right to be upset, but I can see it from their point of view too from a security standpoint.

Since it will be on their network, even though you won't have sensitive data, they are just covering their butts in case of something. This way they can say "Any computer on our network is encrypted" in case of a lawsuit.

 

[rockymtnhigh]

You have every right to be upset, but I can see it from their point of view too from a security standpoint.

Since it will be on their network, even though you won't have sensitive data, they are just covering their butts in case of something. This way they can say "Any computer on our network is encrypted" in case of a lawsuit.

My solution for that is simple... it won't go on the network. I don't need to access internet with it, so no network needs.


BUT they do not encrypt EVERY PC on the network, just laptops. So, that argument is weak, IMHO. If they did it across the network, my argument would be weaker.

 

[RandallA]

I would think that they are enforcing this rule for laptops only because they can be lost or stolen. Encrypting every computer on the network is a little overkill but they need to cover themselves at least with the laptops since people take them home or for traveling.

IT is just enforcing the rule, stupid rule probably but it was created for a reason. Sorry but I work in IT for a University and sometimes we just have to enforce the rules whether we agree with them or not.

 

[BigTimMN]

I would be upset as well, but i dont think you will get anywhere Regardless if its state or grant funds, the University does have some control over the money, and if its being used to buy a PC then that PC falls under their rules as they are ultimately buying it.

 

[rockymtnhigh]

Ok, here is what I want to know... if they install the software to encrypt it; is it possible to uninstall the software?

Perhaps I should just get the factory restore discs, and just wipe the hard drive and start over? Or will that not work?


And I disagree that IT is just enforcing the rules; THEY MADE the rule, and like everything else they do, they think about what is easiest for them, and not what makes sense for the people they are there to support. But that is a different issue altogether.

 

[Hermitman]

This policy has obviously not been properly explained to you. It is not for the school's benefit, it's for your benefit. If the school can announce that every laptop on campus is encrypted and will not function without the proper authentication, then the likelihood of anyone stealing any laptop computers on campus drops dramatically. Why would anyone want to steal something they already know won't work? Why would a pawn shop buy something they can't access? Why would a customer buy a laptop the seller doesn't know the password for? If word goes out that a few people aren't complying with the encryption policy, the likelihood of laptop thefts increase sinces thieves will steal any laptop hoping to find an un-encrypted one. This policy is for the benefit of the entire student community from a crime prevention point of view. Think Big Picture.

 

[Van]

I cant see it as a stupid rule considering that in the last year or two several laptops have been stolen from various goverment facilities and or goverment employee's home/car that had sensitive data on it. While it may be annoying you have pointed out that the notebook will be used for note taking so the performance hit wont be an issue as theres nothing intensive about typing into a word processer. Transfering the notes to another computer shouldnt be hard at all if you have the encryption software installed on your other comp.

There is always the possibility that having the intentions to not have anything sensitive on said notebook may change over time or by an unintentional acident and all the better to have the software installed. You most likely will have to go with an industrial grade wiping program to either uninstall ( thats asuming that they havent installed admin rules ) or to wipe the drive, worst case scenario is you will have to buy a new drive if you cant do either.

Hermitman I believe what he's talking about is not for all students but for faculty/staff/researcher's.

 

[Ramy]

Encryption on laptop hard drives is intended for those that take their laptops offsite, not for those that use them only at work. So if some data, any data, were to be on there, they know without a shadow of a doubt that it was encrypted and safe.

 

[lumpkin666]

The last university I went to supplied laptops to students (and the student retained the laptop after completion of the course). Every laptop was harddrive encrypted and many had the bios password enabled. Every computer also had some "low-jack" type of software installed that could be used to track a laptop to the connection point where the laptop was last connected to the internet.

I have only heard of one laptop being stolen in the last several years, and that was stolen from the backseat of a professor's car when they were 100 miles away from the school. That laptop was recovered rather quickly (and there was a writeup about the incident in the capital city's newspaper).

 

[Allin4greeN]

My previous employer, a fairly large Research I institution, had no such policy or encryption software, that I'm aware of. I accessed institutional data and "sensitive" student information on a regular basis from my home, on both a desktop and laptop, via VPN... although, these PC's were both mine...

In fact, it was only two years ago that they shifted from using SS#'s to institution unique indetifyers.

On an institution provided machine, grant funded or not, I'd probably welcome the security measures...

 

[Hermitman]

This is the type of policy that should be in effect for the entire campus, not just faculty or management if that's the case. On a college campus using this policy, I don't see the primary reason to be the security of data on the laptop but the laptop itself. It's an item of monentary value that a thief or druggie could use to turn into cash. If you can make an item valueless (like encrypting a laptop) then a criminal has less motivation to steal it. The security of on-board data just happens to be a positive spinoff.

 

[Foxbat]

Rocky, it's all fallout from Enron/Tyco/CIA/FBI news from the past decade. IT has gone from being a good job to just another cog in the bureaucracy. In the past, if one of our engineers or technicians needed access to data that they were sharing with their colleagues, I could add that person's account to the security group in under a minute. While I had user on the phone, I'd have them log out and back in so they could test the new access. After that, they could start being more productive for the Company. Five minutes, tops.

Now, we have a management review process that can take up to 72 hours to do what was done in 30 seconds before, all so we have something to show the SOx auditors. I'm sure your University IT staff are under similar constraints. Our notebook policies have to cover a worldwide user base with differing standards (The French are very protective of individuals' rights, for example). Disk Encryption is not something you need fear if they take advantage of the built-in hardware that marries the hard disk to the notebook. I see no difference in speed on my P4 notebook with that feature. Of course, I get challenged twice every time I reboot the notebook, but that's a small price to pay for security.

The only problem with the "deters theft" argument is not every notebook thief is aware that they are stealing a worthless brick. Etching the notebook with a big florescent "Property of..., contents encrypted" label would let the thief know that what they are about to steal is worthless. Assuming they CAN read, of course...

 

[JAG72]

1) the encryption software puts about a 10% hit on performance

At least in my experience the encryption software does not even come close to taking a 10% hit on performance. Once my drive was encrypted I can not even notice that the software is on there. I had the same concern but I soon found it was no big deal.

2) with the hard drive encrypted, it makes it very difficult to transfer data to other machines (so I am told anyway).

It only makes it difficult if you put the drive into another computer and try to access it, but that is kind of what the software is supposed to do. Why would there be encryption software if it was easy to put the drive and transfer the contents to another drive.

 

[JAG72]

And I disagree that IT is just enforcing the rules; THEY MADE the rule, and like everything else they do, they think about what is easiest for them, and not what makes sense for the people they are there to support. But that is a different issue altogether.

It is not always IT that make the rules. Most of the time they are the ones that need to find a software to enforce the rules. Most companies rules are not made by IT but by there Audit and Information Security departments or even external agency's.


Rocky, Is this laptop your personal property or a University asset?

 

[Jeff T]

If this is personal property, do not install the software. However, if the university owns the laptop then they can do what they want.

 

[rockymtnhigh]

I had a long chat with my IT Director; we made peace. He has implemented the least intrusive encryption possible; no pre-boot authentication. I can live with it.

 

[Captante]

This policy has obviously not been properly explained to you. It is not for the school's benefit, it's for your benefit. If the school can announce that every laptop on campus is encrypted and will not function without the proper authentication, then the likelihood of anyone stealing any laptop computers on campus drops dramatically. Why would anyone want to steal something they already know won't work? Why would a pawn shop buy something they can't access? Why would a customer buy a laptop the seller doesn't know the password for? If word goes out that a few people aren't complying with the encryption policy, the likelihood of laptop thefts increase sinces thieves will steal any laptop hoping to find an un-encrypted one. This policy is for the benefit of the entire student community from a crime prevention point of view. Think Big Picture.

Encrypting the data on the laptops HD does little to de-value the laptop hardware itself because HD's can be easily replaced by anyone with a bit of technical knowledge & Windows/Linux etc can be re-installed just as easily.

All the encryption is protecting is the actual content of the drive & as a side benefit the operating system license.