Encryption tools for MLS computers?

Discussions around using and interfacing with the Church MLS program.
PNMarkW2
Member
Posts: 66
Joined: Thu Jun 11, 2009 2:44 pm
Location: Portland, Oregon, USA

#21

Post by PNMarkW2 »

boomerbubba wrote: Like so many elements of security, the human factor is usually the greatest vulnerability.
It's also the greatest strength of any security system. Reliance on technology as the main line of defense often ignores this.

The "human factor" *is* the main line of defense; technology is the backup. To think otherwise is to encourage sloppy user practices (the security is covering me, why should I worry?), user hacking (this security is getting in the way of doing my job/calling), and ultimately failure.
~Mark
Ward Clerk
Colonial Heights Ward
Portland Oregon Stake

-----
"For a list of all the ways technology has failed to improve the quality of life, please press three."
---Alice Kahn
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX

#22

Post by RossEvans »

As I have researched and pondered this issue and the comments above, I am pretty well convinced that what is needed is a hybrid solution:
  1. It would help if someone made clear that password protection is required as a matter of policy on these files after they leave the administrative computer by any means. (I think general policy already forbids any confidential files being left sitting on the hard drive.)
  2. End-users should be able to satisfy this requirement by reasonable solutions of their own, which might include password-protected flash drives such as SanDisk U3s or similar products, or more costly and sophisticated products such as IronKey.
  3. Someone, either CHQ or local units, also should provide some generalized encryption solution installed on the administrative computers, which might be open-source software such as 7-Zip or a commercial product such as WinZip. This covers the most general needs, including that of users employing generic flash drives, CD-ROMs, floppies or email attachments.
I have no more authority than the tooth fairy, but that's what I think.
russellhltn
Community Administrator
Posts: 34510
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#23

Post by russellhltn »

Another free product worth evaluating is AxCrypt.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX

#24

Post by RossEvans »

Meanwhile, another common use of personal flash drives is to store offsite backups from MLS.

Cumulative historical files can be a space eater. I assume these backup files are already encrypted, so a generic drive should be sufficient.
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#25

Post by aebrown »

Alan_Brown wrote: ... it seems a stretch to say that these statements require that export files be password-protected when they are stored on a Church administrative computer, which is itself password protected and should have physical access controlled as well. It may be prudent, but I don't see how it is required. Am I missing some other policy statement?
I'll answer my own question: Yes, I was missing an obvious statement. My apologies.

In the Policy and Guidelines for Computers Used by Clerks for Church Record Keeping, the Security section on page 2 says:
The MLS database is stored on the computer’s hard drive. Other confidential files should not be stored on the hard drive. They should be saved on external media and locked in storage when not in use.
So this is actually an even stronger statement than requiring password protection -- it simply says that no confidential files should be stored on the hard drive at all.
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX

#26

Post by RossEvans »

Alan_Brown wrote: So this is actually an even stronger statement than requiring password protection -- it simply says that no confidential files should be stored on the hard drive at all.

I noticed that passage in the older version of the policy, too. I think a reasonable interpretation of that provision is that such files should not be left sitting on the hard drive, just as confidential papers should not be left sitting on the clerk's desk. But it seems okay to have them there while working in private.

For example, I think our ward clerk sometimes does one MLS export to the hard drive, then copies the four csv files to the flash drives of the bishop, a counselor and himself. (The other counselor is a Blackberry man, so he's out of luck.) The policy problem would arise, I think, if the clerk fails to delete the files behind himself. Similarly, there could be other working files in spreadsheets or word-processing docs that would be confidential. They shouldn't be left on the hard drive either.

Maybe I'm wrong, and a strict textual interpretation requires the use of removable media even while working on confidential files temporarily. That would keep them out of reach of a file-restore utility. I don't know anyone who does that routinely. So if this is the intent, it needs to be underscored in training. And administrative computers should be provisioned with a file-shredder utility as a backstop.
russellhltn
Community Administrator
Posts: 34510
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#27

Post by russellhltn »

boomerbubba wrote: a strict textual interpretation requires the use of removable media even while working on confidential files temporarily.
That wouldn't be a bad idea. Cleaning up is a step that one must remember to do, even when one has become rushed because things are proceeding slowly. If one always makes it a practice to never save on the local drive, then there are no problems. It's just a good work habit.