Your organization has conducted an internal risk assessment led by the Chief Information Security Officer (CISO). While conducting the risk assessment, it became apparent that several key areas of the company are at risk of data loss or breach. To assist the various departments in addressing the inadequacies of the existing systems or processes, the CISO has identified a list of priorities to address with the organization's leaders and management team. Because much of the corporate workforce is geographically dispersed and works off-site, those employees rely on remote access to the company, which makes the potential for loss significant.
The CISO has determined that one of the best defenses against the intentional or accidental loss of a laptop, and of all the data stored on it, is the creation and use of an encryption policy and procedure covering all company laptop drives.
As the Assistant CISO of your organization, you must help the CISO prepare a risk assessment briefing to management about the concerns that you have regarding the unencrypted data on the company’s laptops and the ability for employees to remove laptops from the premises to conduct business. Your major concern is the rising issue of data breaches due to lost laptops.
Begin your research about these concerns by evaluating recent breaches that were the result of incomplete risk assessments (e.g., the Veteran's Administration breach) and by consulting the following HIMSS resources:
- Introduction to the Toolkit & Security Risk Assessment Basics
- Risk Assessment Toolkit
- Risk Assessment Toolkit – Breach Notification Guidance under the HIPAA Omnibus Rule
From the toolkit information, make a preliminary selection of the type of encryption you would suggest to management, the recommended encryption tools, and possible alternatives.
Your policy briefing should include all of the following:
Which computers are included in this policy?
What encryption would be used company-wide?
Why was this encryption adopted over other options (what are the benefits of your selection)?
How will existing systems be retrofitted with this encryption, given that most of the systems and users are remote?