Establishing routines on what to do if a PC gets stolen

From personal experience:

  • Key prerequisite is an effective asset register. Otherwise you won't even know if it is one of your laptops / PCs that is missing or that turns up on the front page of the Daily Mail (well ok they may help in letting you know it was your device!).

  • Secondly - Establish a clear requirement and ability for your staff to inform you that a device has gone missing. Problem here will be if they then believe that HR will be involved and lead to sanctions - so be very clear on the users' responsibility and that if they have done everything right then it is not a disciplinary issue.

  • Lastly, the big issue will be the lack of full disk encryption. Without this you will have to presume that the data or sensitive information has been compromised and take action on those lines. This could result in your need to contact the information commissioner if personal data is involved.

Basic flow chart for this type of thing:

[flow chart image not available in this copy]
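The three points above (asset register lookup, loss reporting, and the "no full disk encryption means presume compromised, and consider the information commissioner if personal data is involved" rule) can be encoded as a small triage routine. The following is an added example, not code from the original answer; the asset register entries, the field names and the action wording are constructed assumptions for illustration.

```python
"""Lost-device triage helper (added example, not from the original answer).

Encodes the decision flow from the answer above:
  1. Is the device in the asset register at all?
  2. Without full disk encryption, presume the data is compromised.
  3. If personal data was on an unencrypted device, flag the need to
     consider notifying the information commissioner.
All register contents below are constructed sample data.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    """One row of the (hypothetical) asset register."""
    serial: str
    owner: str
    full_disk_encryption: bool
    # Data classifications known to be on the device, e.g. {"personal", "confidential"}.
    data_classes: Set[str] = field(default_factory=set)


@dataclass
class Triage:
    """Outcome of triaging a single loss report."""
    known_device: bool
    assume_compromised: bool
    notify_regulator: bool
    actions: List[str]


# Constructed asset register keyed by serial number (sample data, not real assets).
ASSET_REGISTER: Dict[str, Asset] = {
    "LT-0001": Asset("LT-0001", "alice", True, {"confidential"}),
    "LT-0002": Asset("LT-0002", "bob", False, {"personal", "confidential"}),
    "LT-0003": Asset("LT-0003", "carol", False, set()),
}


def triage_lost_device(register: Dict[str, Asset], serial: str) -> Triage:
    """Apply the answer's decision flow to one reported serial number."""
    asset = register.get(serial)
    if asset is None:
        # Point 1: without a register entry you cannot even confirm it is yours.
        return Triage(
            known_device=False,
            assume_compromised=False,
            notify_regulator=False,
            actions=[
                "Serial not in asset register: confirm ownership before acting",
                "Close the register gap so future losses can be identified",
            ],
        )

    actions = [
        f"Record the loss report for {asset.owner}'s device {asset.serial} with timestamp",
        "Revoke credentials and cached sessions tied to the device",
    ]

    # Point 3: no full disk encryption means the data must be presumed exposed.
    compromised = not asset.full_disk_encryption
    if compromised:
        actions.append("No full disk encryption: presume all data on the device is compromised")
    else:
        actions.append("Disk encrypted: treat as hardware loss, but expect press/reputational impact")

    # Personal data on an unencrypted device triggers the regulator question.
    notify = compromised and "personal" in asset.data_classes
    if notify:
        actions.append("Personal data exposed: assess whether the information commissioner must be contacted")

    return Triage(True, compromised, notify, actions)


if __name__ == "__main__":
    for serial in ("LT-0001", "LT-0002", "LT-0003", "LT-9999"):
        result = triage_lost_device(ASSET_REGISTER, serial)
        print(serial, result.known_device, result.assume_compromised, result.notify_regulator)
        for step in result.actions:
            print("  -", step)
```

The register here is an in-memory dict; in practice the lookup would hit whatever inventory system you keep, but the point is that the decision flow is only as good as the register behind it.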


You have a lot of the right ideas in your question, Chris. You need to start looking at high level policy to create a framework for 'reducing risk from computer loss'. Typically when I write policies and standards for companies I look at it from a top down and bottom up perspective:

What is the aim? i.e. what does the board want? Is it zero risk of confidential information getting out? Is it the reduction of physical theft numbers? Worth knowing the driver here.

Then you will have to look at what is manageable - can you mandate desktop locks for stationary PCs and Kensingtons for laptops? Will your policy for laptop users include guidance on storage, etc., in hotels, temporary sites, transit?

From a technical perspective it is now relatively trivial to use full disk encryption, BIOS passwords, etc., but you need to make sure it is workable in your environment - frameworks needed for ops teams, IT, helpdesk, etc. It is one of the simplest ways to remove the risk of data being leaked, but be aware the papers still report loss of encrypted hardware with the usual spiced up headlines, so reputationally you may still feel the impact.

Also think about the requirements in staff agreements around reporting loss / theft. You need to make it very easy for them to report a theft without punishing them, otherwise you won't find out in a timely fashion.