5.3 Laptop PC

Description

A portable Personal Computer (Laptop, Notebook) is understood to be a commercially available IBM-compatible PC run with DOS or a comparable operating system. It is equipped with a floppy disk drive and a hard disk. Data transmission devices (modem) are not dealt with here (c.f. Chapter 7.2.). The outstanding design features of this PC are its mobile operational capabilities, including the internal power supply. It is assumed here that the portable PC will be operated by only one user at any time. Any subsequent change of users is also considered.

Threat Scenario

The following typical threats (T) are assumed as regards IT baseline protection of a laptop PC:

Force Majeure:

• T 1.1 Loss of personnel
• T 1.2 Failure of the IT system
• T 1.4 Fire
• T 1.5 Water
• T 1.8 Dust, soiling

Organisational Shortcomings:

• T 2.7 Unauthorised use of rights
• T 2.8 Uncontrolled use of resources
• T 2.16 Non-regulated change of users in the case of laptop PCs

Human Failure:

• T 3.2 Negligent destroying of equipment or data
• T 3.3 Non-compliance with IT security measures
• T 3.6 Hazards posed by cleaning staff or outside staff
• T 3.8 Improper use of the IT system

Technical Failure:

• T 4.7 Defective data media
• T 4.9 Disruption of the internal power supply

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.4 Theft
• T 5.9 Unauthorised use of IT systems
• T 5.22 Theft in the case of mobile uses of IT systems
• T 5.23 Computer viruses
• T 5.43 Macro viruses

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

In the following, the safeguard group "Laptop PC" is set out:

Infrastructure:

• S 1.33 (1) Safe keeping of laptop PCs during mobile use
• S 1.34 (2) Safe keeping of laptop PCs during stationary use
• S 1.35 (3) Pooled storage of a number of laptop PCs (optional)

Organisation:

• S 2.3 (2) Data media control
• S 2.4 (2) Maintenance/repair regulations
• S 2.9 (2) Ban on using non-approved software
• S 2.10 (3) Survey of the software held
• S 2.13 (2) Correct disposal of resources requiring protection
• S 2.22 (3) Escrow of passwords
• S 2.23 (3) Issue of PC Use guidelines (optional)
• S 2.24 (3) Introduction of a PC Checklist booklet (optional)
• S 2.36 (2) Orderly issue and retrieval of a portable (laptop) PC

Personnel:

• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures

Hardware/Software:

• S 4.2 (1) Screen lock
• S 4.3 (2) Periodic runs of a virus detection program
• S 4.4 (2) Locking of floppy-disk drive slots (optional)
• S 4.27 (1) Password protection in laptop PCs
• S 4.28 (3) Software re-installation in the case of change of laptop PC user (optional)
• S 4.29 (1) Use of an encryption product for laptop PCs (optional)
• S 4.30 (2) Utilisation of the security functions offered in application programs (optional)
• S 4.31 (2) Ensuring power supply during mobile use
• S 4.44 (2) Checking of incoming data for macro viruses

Contingency Planning:

• S 6.20 (2) Appropriate storage of backup data media
• S 6.21 (3) Backup copy of the software used
• S 6.22 (2) Sporadic checks of the restorability of backups
• S 6.23 (2) Procedure in case of computer virus infection
• S 6.24 (3) PC emergency floppy disk
• S 6.27 (3) Backup of the CMOS RAM
• S 6.32 (1) Regular data backup

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000