DHMH Information Resources Management Administration
Directive: STANDARD OPERATING PROCEDURES (SOPs) FOR THE USE OF LAPTOPS/PORTABLE & OFF-SITE DATA PROCESSING EQUIPMENT
Authority: This SOP is based on the Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security,"1 and is consistent with and further explains both the "Policy On The Use Of DHMH Electronic Information Systems," Policy # 02.01.01,2 and the DHMH Non-Disclosure Policy 02.01.06.3 Please review these documents for important background information. They are available on the DHMH Intranet site at http://indhmh. Select the link to " l Security Concerns for Information Systems."
These SOPs comprise the minimum set of standards recognized by the Department as due diligence in the use, transportation, storage and care of portable or "off-site" computing devices including personal computers, personal digital assistants (PDAs) and "laptop" units. These procedures are intended to be in accord with COMAR and other State property procedures and requirements.
Objective: This SOP directs DHMH Administrations, Facilities, Local Health Departments, our State agency or private partners, contractors and their sub-contractors to follow these standard operational procedures to protect valuable, high-risk equipment and data. The level of protection and care required is directly related to the risk of the exposure.
Special Security Considerations: Laptops, Personal Digital Assistants (PDAs) and other portable data processing equipment containing state data, as well as computer equipment used off-site, ("equipment") present a special security threat. They are often the highly sought-after targets of thieves who may receive minimal compensation in quick street sales for the device, but whose data contents potentially expose the Department and employees, in certain instances, to both civil and criminal penalties as well as other legal action. Although the loss of the equipment is concerning, there is a far greater risk if unencrypted Protected or Proprietary Information 3 on the accompanying storage media fall out of the control of authorized users. The disclosure of such data could be damaging to our partners and citizens, and catastrophic to the credibility of DHMH. In general, the protection of these systems and data storage media that contain non-protected or non-proprietary data requires the exercise of reasonable controls and precautions. However, reasonable care must be equal to the risk of the exposure. Special care and a higher level of diligence are required when the system contains unencrypted or encrypted Protected or Proprietary Information 3.
The SOP is divided into three sections:
Section One: General Care of equipment that contains only Non-Protected Information 3
Section Two: Special Care of equipment that contains Protected or Proprietary Information 3
Section Three: Theft/Loss of Equipment & Termination/Check-Out Procedures
General Care of Equipment that contains only Non-Protected Information: Equipment containing only non-protected information may be used at Department and off-site locations. Users are responsible for ensuring that the equipment is: (1) protected at all times from theft attempts during times of use, (2) operated, maintained and stored according to the manufacturer's and supplier's guidelines, (3) stored when in transit, or not in use, in such a manner that makes it difficult for others to gain either physical or operational access to it, and (4) accessed only by authorized personnel.
To restrict casual access to computing equipment and data, system "power-on" passwords and a password-required "screen saver" set to a short duration should be used.
When ordering data processing equipment that may at some time be used outside of locked spaces (e.g. in open-space offices, in cubicles, and at remote locations), please include at the time of unit purchase appropriate security devices (tethers or other locking devices) that meet manufacturer's or supplier's specifications. The use of a security device is considered to be a key part of due diligence in the custody of this equipment.
When carried off the premises, extra precautions are often required to prevent theft or loss. To reduce casual theft during off-site work sessions, equipment should be locked in a storage cabinet, desk drawer, storage closet, or secured to an immovable object using a suitable approved locking device. The system should never be left unattended in an unsecured condition.
In accord with State Data Security Executive Order 01.01.1983.18, application software shall not be set up to "remember" network modem telephone numbers or network access passwords (e.g. Windows Dial-Up Networking Connection screen, "Remember Password" checkbox not to be selected).2
Processing and communication of Protected or Proprietary Information on Non-Certified Equipment: Processing, storage, or transmission of patient-level data from remote sites is not permitted on equipment that has not been previously approved for such use.
Collection/Processing of Protected or Proprietary Information on Approved Equipment: Equipment, systems, and procedures for the collection/processing of Protected or Proprietary Information require written certification before being used for this purpose. State Executive Order 01.01.1983.18 requires compliance with all items in the attached checklist "System or Equipment Security Certification Checklist," and approval by IRMA, the designated Information Technology directing authority for DHMH. This signed document is required to be on file with the DHMH State Data Security Coordinator prior to the use of the equipment for this purpose, and/or removal from the regular Department site of business. Federal and State legislation, State data security regulations, and DHMH policies prohibit the removal of Protected or Proprietary information from State property without the express written permission of the Custodian or Designated Responsible Party. Serious penalties are prescribed for non-compliance up to and including termination from State service, as well as civil and criminal penalties.
Such equipment may be used for the processing of Protected or Proprietary Information 3 at Department and off-site locations. However, users are responsible for ensuring that the system is operated in such a manner as to prevent theft or compromise of the sensitive information processed on the system. These data shall be contained on removable media, unless an IRMA-approved encryption scheme is used. It is recommended that unencrypted data storage media be carried separately from the machine, when feasible, to reduce the risk of simultaneous loss due to theft or robbery. If processing is performed using removable media on a system that also has internal non-removable media, the internal media must be disabled or conditioned in such a way as to ensure that Protected or Proprietary Information cannot inadvertently be written to the non-removable media. Data remanence eradication steps (not simple file deletion) may be necessary to assure the non-removable media is purged of temporary or other copies of files created during work sessions. This classification of information may be stored on internal permanent media (non-removable) of portable or "off-site" systems only if it can be adequately secured, both physically and electronically, using an IRMA-approved encryption scheme. Note that encryption schemes might not protect the data if the system is stolen while in use, if the encryption is weak or the selected keys are easy to determine, or if valuable password or encryption information is written down and attached to the unit.
Only DHMH employees and other authorized users are permitted to access DHMH equipment containing such data. To restrict casual access to computing equipment and data, system "power-on" passwords and a password-required "screen saver" set to a short duration will be used. Application passwords shall be used where possible and appropriate for additional protection of these data.
In accord with State Data Security Executive Order 01.01.1983.18, application software shall not be set up to "remember" network modem telephone numbers or network access passwords (e.g. Windows Dial-Up Networking Connection screen, "Remember Password" checkbox not to be selected).
Protection During Use: To reduce the opportunity for theft during work sessions, equipment containing unencrypted Protected or Proprietary Information is to be secured to an immovable object using a suitably approved locking device. The system shall never be left unattended in an unsecured condition. When ordering data processing equipment that may be used at remote locations, please include in the purchase appropriate security devices (tethers or other locking devices) that meet manufacturer's or supplier's specifications. The use of a security device is mandatory and considered to be a key part of due diligence in the custody of equipment containing Protected or Proprietary Information.
Protection While Traveling: Keep the unit in physical contact when using all modes of public transportation, and be aware that typical laptop carrying cases are obvious targets. When traveling in aircraft, laptops will be hand-carried aboard unless it is essential that such equipment be contained in stowed luggage (not recommended). Extreme care will be taken when in the airport terminal to prevent theft or loss. Security examination requirements often require temporary physical separation from the system. Unless the user is cautious, these periods of separation can be exploited as opportunities for theft or damage.
Robbery and Personal Safety: One important reason for the stringent precautions to assure Protected and Proprietary Information are either encrypted or not contained on the equipment during transit is the threat of confrontation and robbery. Never place yourself in danger to protect equipment. If directed by a robber to surrender your laptop, hand it over.
Protected Storage On-Site: Equipment containing Protected or Proprietary Information shall be securely stored when not in use, or when unattended, in a private office with a locked door and limited access from the ceiling area, or inside other secure storage. Secure storage is defined as a locked metal storage or filing cabinet fitted with a labeled U.L. Listed Burglary Resistant lock, or fitted with an additional recognized auxiliary locking system (e.g. locking bar with a U.L. listed burglary resistant padlock). "Three point locking" cabinets with non-removable hinge-pins are preferred. The key code number, if present on the lock, shall be noted in a secured file, and then removed or erased from the lock. Appropriate key custody shall be followed, and access to the storage unit shall be appropriately limited.
Protected Storage Off-Site: At off-site locations, equipment containing Protected or Proprietary Information when not in use, will be secured out of view in: (1) a locked cabinet, closet, or container, (2) in a locked office at a state or federal facility, (3) the trunk of a personal vehicle using a manufacturer's approved locking device to an immovable object, (e.g. trunk lid hinge etc.), or (4) it must be kept in the physical possession of the user.
Labeling: Data storage media used with equipment containing Protected or Proprietary Information shall be labeled, handled, transmitted, stored and disposed of in a manner equal to the security level of data being processed according to DHMH "Nondisclosure" and EIS policies and procedures.1 2 3
Isolation of Protected and Proprietary Information: Equipment containing unencrypted Protected or Proprietary Information using internal storage facilities for such processing WILL NOT be used to access E-Mail or used to access the Internet. Equipment with no internal storage, or those having removable/changeable media or hard drives, may be used for dual processing on a waiver basis. Waivers will be obtained from IRMA and will be issued based on the capability of the system and user to strictly enforce physical separation of the processing levels.
Electronic Data Interchange from such equipment shall be consistent with best practice security standards. This includes strong user authentication and approved data and transmission encryption schemes. Other processes and protective actions may be required depending on the calculated risk exposure. Contact IRMA for further information on DHMH approved methods.
Theft/Loss of Equipment: The equipment and data are valuable property and will be afforded the same protection as any high-value item. An immediate report shall be made of the theft, loss, or unaccountability of such Department equipment, or non-state equipment, containing any Department data, to your Director and the appropriate police authority. If Protected and Proprietary Information were contained on the machine, also contact the DHMH State Data Security Coordinator through IRMA (410) 767-6830. A reasonable time period for a report following the discovery of a loss is by the end of the business day.
Termination/Check-Out Procedures: At separation of employment, or if a change in job duties makes this agreement unnecessary, all employees, vendors, or agents who have completed this form will counter-sign the original and date the document when returning the equipment. A completed copy is to be forwarded to the DHMH State Data Security Coordinator, and the original kept on file for one year from the agreement termination date.
For further information or assistance, please contact IRMA at (410) 767-6830.
End Notes & Citations
1 Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security"
2 DHMH "EIS" Policy on the Use of Electronic Information Systems, June 1998, Policy #02.01.01
3 DHMH "Non-Disclosure" Policy #02.01.06, April 1999. Pending Secretary's approval. See Definitions below:
Non-protected Information - DHMH data or information, in any form or format, which has not otherwise been identified as confidential, highly confidential, commercial, or sensitive data. Data in which the Department has a proprietary interest may or may not be classified as non-protected.
Proprietary Information - Non-protected and protected data files in which the Department has a proprietary interest established through a copyright.
Protected Information - Confidential, highly confidential, commercial, or sensitive data or information in any form or format.
4 DHMH, IRMA Data Remanence Protocol, October 1998
5 COMAR, Article 27, §45A (b)(2)
See attached Employee Agreement
DHMH Employee Laptop/Portable & Off-Site Equipment Use Agreement:
All equipment users must first sign the DHMH EIS and Non-disclosure policies 2 3, and be provided with a copy of this DHMH standard operating procedure (SOP). Upon request, IRMA will provide specific training in the procedures for securing this equipment. Each user of a laptop/portable, or "off-site" data processing system must demonstrate an understanding of and agreement with this SOP by reading and signing this document. If Protected or Proprietary Information are later loaded or communicated using equipment originally stated to contain Non-Protected Information, it is the duty of the employee to resubmit this form for approval. Please contact IRMA if you have questions at (410) 767-6830.
I agree to follow the above procedures, and to exercise due diligence in maintaining the custody of the equipment in my charge in accordance with the policies cited in this document.
Employee: ________________________________ Date:__________
Copy to Property Accountable Officer only if Non-Protected Information is contained on this machine. NO FURTHER INFORMATION IS REQUIRED.
If box is checked below stating that Protected or Proprietary Information is to be contained on or transmitted by this machine, send a copy to Administration Director (or designee) for approval and to the DHMH State Data Security Coordinator.
[ ] Protected or Proprietary Information as defined in this document is contained on this equipment and might be transported to and from State offices and other locations.
NOTE: The "System or Equipment Security Certification Checklist" is required to be completed for this system.
If checked above, please list equipment type and serial number
Equipment Description DHMH Property # Manufacturer's Serial #
_____________________ ___________________ ___________________
_____________________ ___________________ ___________________
Equipment Returned [ ] Serial Number match
Property Accountable Officer or Supervisor
DHMH 1999 VERSION
Information Resources Management Administration
System Or Equipment Security Certification Checklist
For Laptops/Portable & Off-Site Data Processing Equipment Containing Protected or Proprietary Data
Pursuant to Maryland Executive Order 01.01.1983.18, "Privacy and State Data System Security," and IRMA requirements, all items must be completed on this checklist. Please sign and date, and forward to the DHMH State Data Security Coordinator for approval prior to use. Please note all equipment is subject to spot-check audits.
*Required Security Practices Checklist*
1. Is this notebook, portable, (off-site) microcomputer protected with access control software, passwords and boot/power-on passwords?
2. Are network modem telephone numbers and network passwords absent from this equipment?
3. Are related software and files on removable media put into a locking storage unit when not in use or maintained in areas that are locked when not in use?
4. Are only authorized, properly licensed and work-related software packages being used on this equipment?
5. Are backup procedures implemented on a routine basis for this equipment?
6. Is a virus scan protection program used on this equipment on a regular basis?
7. If YES in #6, will this program be updated every 2 years?
8. Has the primary user of this equipment signed the DHMH Software Policy, EIS policy, and the Non-Disclosure Policy?
9. Is documentation available for each system application run on this equipment that addresses sufficient controls for maintaining the security of source documents, before, during and after the data entry process, and distribution (transmission) of the output?
10. Is this equipment year 2000 compliant?
11. Are appropriate precautions in place to prevent theft of this equipment?
12. Is the level of protection and security provided for this equipment the same or higher than that provided for office-based equipment?
13. When sent to disposal, are all data contained on this type of equipment, or on portable media used with this system, properly eradicated?
14. Is encryption software used on this equipment?
15. Does the user understand and have they signed the DHMH Employee Laptop/Portable & Off-Site Equipment Use Agreement? (Signed copy to be attached to this document.)
Unit/Agency Name Contact Telephone
Director or Designee Title
If the equipment contains Protected or Proprietary data, please send this completed form with a copy of the signed user agreement to: DHMH, IRMA, 201 W. Preston St. 21201, LL-4, Attention: State Data Security Coordinator
Version 1 - March 1999