It’s a common practice to allow employees to use enterprise computers outside of the enterprise. This has become more common where employees are increasingly working at home. Though a common practice, these occurrences are not always best practices. Anytime an employee leaves work with a company computer, the expectation is that all information is vulnerable. Malware, ransom ware “supply chain attacks”, hacking and other threats are prevalent. In many cases this can be controlled through applying NIST standards and strong cybersecurity measures. This article will focus on limiting use of loaned laptops and not on technical cybersecurity application.
The organization should assign a strong risk assessment based on use prior to assigning company computers for at home use. This risk assessment should limit the information to be provided and for specific purposes. For example, if a user works on a specific project, then the laptop might only contain information for that specific use. The laptop removed for home use should not contain all information available unless that information is absolutely necessary. Even though there may be strong policy and cybersecurity requirements required by the organization, the CUI on the computer is still vulnerable to the whims of whether or not the employee will follow the guidance.
A specific example of a common, but not best practice is providing a laptop to an employee for college use. In this case, the employee would take the provided laptop to college, home, and many places along the way. They may connect to wifi and choose not to use a VPN. This would leave any information stored on the laptop vulnerable to exploitation. The organization should also expect to have the any number of hacking, thieving, or destroying attacks. This is a high risk activity if the laptop contained CUI. However, a low risk if the laptop does not contain any information.
The point is to control data, not the laptop. If assigning laptops for non business (but approved) use, it should be provided with only the information absolutely needed and with the right protections. Performing work with CUI should be limited to the CUI necessary to accomplish tasks and with the controls in place required to protect CUI. If assigned for non CUI tasks, such as college or professional development, no CUI should be on the computer.
Laptop issuing risk management should identify contingencies for which astute technology control officers, export compliance officers and security specialists plan. Sensitive, and protected technology should not be contained within computer and related media without proper permissions.
Consider following export controls and applying these best practices to the risk assessment. Export violation can occur within the U.S. borders.
Foreign governments want US Technology and aggressively seek it and defense contractors should make the information very difficult to get. Cyber hacking and supply chain attacks are increasing, calling for stronger controls. Relying on technical controls is not enough, often appointing too many resources for actions that don’t address the real threat. For example physical security efforts may focus on fortifying laptops with barriers, alarms, access control, and etc. These are important, but the employee may make information vulnerable when the first time they use public WIFI without first logging in to VPN for example. Risk assessments include technical controls AND limiting data to be used on the laptop. CUI is leaked through careless or malicious employee behavior or actions taken due to poorly understood responsibilities and security discipline.
Export compliance officers and Facility Security Officers should develop a culture within their organizations to prevent unauthorized disclosure of economic, classified or sensitive information. Such practices include destroying sensitive waste properly, locking all desk and cabinets drawers after work, and using access control to keep employees, vendors and non-US persons from accessing unauthorized areas.
Prior to removing any devices with CUI, employees should understand the risks. A defensive security briefing is for cleared employees who travel overseas and may be vulnerable to foreign entity recruiting methods. These or similar types of training could be tailored and given to all employees who remove information from the enterprise.
If technical data and laptop computers will be removed from the organization, CUI and other sensitive information, export controlled information not under license or TAAs should be limited to the need to know to perform necessary work.
If you need assistance with FSO or security training please contact me or visit my consulting site www.jeffreywbennett.com. Additionally, we have NISPOM fundamentals training perfect for studying and applying to your CDC facility. https://bennettinstitute.com/course/nispomfundamentals/
Join our reader list for more articles.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and training: NISPOM Fundamentals/FSO Training" and Cleared Employee Training".Jeff is available to consult. Consulting Website"