Computrace Best Practices

	COMPUTRACE BEST PRACTICES


		Introduction
		Locate the Computer Data Delete

		Best Practices
		Decision to Use Computrace Buy-In and Communications Setting Up Computrace – Recommendations for Computrace Liaisons and Users Computrace, Encryption and Other Security Controls When a Laptop is Stolen – Checklist for Users When a Laptop is Stolen – Computrace Liaison Checklist


		Introduction

		In recent years, the use of mobile computing devices, including laptop computers, has increased dramatically. Because such devices can easily be lost or stolen – putting both the device itself and data stored on it at risk – there has been a corresponding increase in adoption of security measures. At Penn, one security measure that is commonly used, and in some cases is required, is installation of Computrace software (“Computrace”) on laptops.

		Computrace software has two major features.

		Locate the Computer
		First, it allows authorized individuals to track the location of the laptop (or other mobile computing device) by causing the device to “call in” via the Internet at periodic intervals. With assistance from law enforcement officials, the information “called in” can often be used to find the location of the stolen device. A theft recovery guarantee, providing for a payment to the user if the device cannot be retrieved and the terms of the guarantee have been met, is also available.

		Data Delete
		In addition, Computrace offers a feature that can enable remote wiping of sensitive data if a device is lost or stolen. This capability, called the “data delete” feature, can often protect the privacy of confidential data stored on such devices.

		The following Best Practices have been developed to promote efficient and effective use of Computrace by Penn constituents. Although the Best Practices refer to laptops, they can be applied to use of Computrace on other mobile and non-mobile computing devices, as well. [1]


		Best Practices

		Decision to Use Computrace
		The potential to delete confidential information stored on a lost or stolen laptop or to recover that information through recovery of the laptop itself are important benefits of installing Computrace software. Therefore, Schools and Centers should consider installing Computrace software on all laptops that may receive, store and/or transmit Confidential University Data,[2] regardless of the devices’ ownership and specific function. Computrace is especially recommended when a breach of the data in question would trigger mandatory reporting. For example, under Pennsylvania law if a breach of Social Security number data occurs, the individuals to whom the numbers pertain may need to be notified.

		You may also wish to consider installing Computrace on laptops purchased with institutional funds.

		Buy-In and Communications
		When considering utilizing Computrace, communicate in advance with School or Center leadership about the reasons for the proposed new approach; provide an overview of how Computrace works; and describe potential use of the data delete feature. School and Center leadership may wish to communicate to affected faculty and staff about these points as well.

		Setting Up Computrace - Recommendations for Computrace Liaisons and Users
		Each School, Department or Center (“ordering entity”) should designate a person or group (e.g., IT support group) to manage the licenses for that entity. The designated person or group is referenced here as the “Computrace Liaison.” Usually, there will be one Computrace Liaison per School or Center.[3] Each ordering entity should procure Computrace licenses, as needed, through the University’s Office of Software Licensing (OSL).[4] Once the Computrace software has been procured, the Computrace Liaison should install it on the appropriate machines, and register those devices on the Computrace “console,” a web-based registration site. The Computrace Liaison should be accountable for ensuring that the number of machines registered on the console does not exceed the number of licenses held; otherwise, the Computrace theft recovery guarantee (providing for potential payment when a device is stolen) is voided on the machines that exceed the licensed number, pending correction of the registration error. The Computrace Liaison should advise users to ensure that their respective devices are connected to the Internet at least once every 30 days. If this requirement is not met and the machine is stolen, attempts to recover the device will be made but, under the terms of the Computrace theft recovery guarantee, replacement funds will not be paid out if the machine is not recovered. Similarly, the Computrace Liaison should advise users to store the original purchase receipts for their devices in a safe place; provision of the original receipt is one of the requirements for payment of replacement funds under the terms of the theft recovery guarantee. The users should be asked to store his or her machine’s serial number and emergency Computrace Liaison contact information in a safe place separate from the device. The Computrace Liaison may wish to provide wallet-sized cards for storage of this information, which will be crucial in any recovery process. When the laptop will no longer be used, the Computrace Liaison should de-register the machine from the console and remove the software from the laptop. However, these steps should not be taken until the laptop has been physically secured, since there will no longer be a tracking capability in the event of loss or theft.

		Computrace, Encryption and Other Security Controls
		Note that to safeguard especially sensitive information, it is highly recommended that such data on laptops also be protected with strong encryption, with a key recovery component, within three months of such technology and service being recommended and supported at Penn. Schools and Centers considering an encryption solution independently should consult with ISC Information Security.

		Note also that implementation of encryption does not do away with the potential utility of Computrace. Computrace’s value, if used in conjunction with full disk encryption and pre-boot authentication, lies in potentially limiting (through data deletion and/or recovery of the device) the exposure of sensitive data in the event that the thief knows the encryption password (i.e., malicious insiders) or the laptop is stolen while it is “on.” However, if resource limitations dictate a choice between Computrace and encryption, it is recommended, from a data security perspective, that encryption be implemented first. In addition, be cognizant of the requirements of Penn’s Critical Host Policy and Penn’s Social Security Number Policy – each of which mandate encryption on the machine in many cases.[5]

		When a Laptop is Stolen – Checklist for Users
		Immediately report the incident to the local or University police. Do not wait for the police report to be completed before reporting the loss/theft to the Computrace Liaison. Report the incident to Computrace Liaison immediately after contacting the police. To report a computer to Computrace as being lost/stolen and initiate tracking, the Computrace Liaison needs to know: The serial number of the computer (if you do not have this, ask your group’s Local Support Provider (LSP) for assistance in finding it). The primary user of the computer. The address, including city/state, from which the computer was stolen. The details of the loss/theft, including the last known location of the computer and, if known, how it was lost/stolen. If the power cord was stolen along with the computer. You should also inform your group's LSP about the loss/theft. Determine if sensitive information is stored on the computer. Using the definition of Confidential University Data provided above [6], determine if any data stored on the lost/stolen computer meets these criteria. Check with your LSP to see if backup data exists; backups of data may help to determine whether Confidential University Data exists on the lost/stolen computer. If any Confidential University Data does exist on the lost/stolen computer, report this to the Computrace Liaison as soon as possible with as much detail about the data as possible. Do not send copies or examples of the data itself to the Computrace Liaison via e-mail. Finalize the police report and follow-up with the Computrace Liaison. When filing a report with the police, make note of: The name and phone number of the police agency to which the loss/theft was reported (for example – Penn Police; Philadelphia Police Department). The police file number of the report. The name and/or badge number of the investigating officer, if possible. Follow-up with the Computrace Liaison once the police report has been finalized and you have the information requested above. Also provide the Computrace Liaison with the original purchase receipt for the lost/stolen device.

		When a Laptop is Stolen – Computrace Liaison Checklist
		In general. The Computrace Liaison is responsible for working with police agencies and Absolute Software (which licenses Computrace) in laptop recovery efforts. The Computrace Liaison is also responsible for determining whether reimbursement is available under the theft recovery guarantee. Lost Laptop with Confidential University Data. In cases where the user reports that Confidential University Data was or may have been stored on the lost/stolen laptop, the Computrace Liaison should convey this report to the appropriate IT Director or Security Liaison. In addition, the Computrace Liaison should prompt the examination of any backup data that can reveal whether and what Confidential University Data was resident on the lost or stolen laptop. Incidents must be reported to ISC Information Security under Penn’s Incident Response Policy.[7] Additional procedures are then dictated by that policy. Possible Use of Data Delete Feature. The Computrace Liaison should be responsible for following up on potential use of the Computrace data delete feature (when it has been installed).[8] The decision to execute a data delete capability on a laptop should be made on a case by case basis. In cases where Confidential University Data is at issue, Penn’s Incident Response procedures must be utilized to make such a determination. At times, a Senior Response Team will need to be convened to determine if this function should be utilized.
		In contemplating possible use of the data delete function, the following important technical features must be considered:
		If data is deleted remotely and the device is later recovered, it will not be possible to do a forensic analysis of the hard drive. This can have an impact in the area of potential breach notification. The data delete feature is offered in three levels: File- or directory-specific deletion (PC only), Full data deletion, excluding operating system, and Full data deletion, including operating system. If anything more than file- or directory-specific deletion is carried out, Absolute cannot install the “spyware” that aids in the recovery of the laptop.
		If there is any question as to whether the data on the laptop may be needed in a legal or regulatory proceeding, consult the Office of General Counsel prior to any data deletion activity.

		ENDNOTES
		[1] When deciding whether to install Computrace software on a non-mobile device, it is recommended that the physical security of the device, and the sensitivity of the data stored on it, be taken into account.
		[2] Confidential University Data includes: (a) Sensitive Personally Identifiable Information – Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to: Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to Confidential University Data. (b) Proprietary Information – Data, information or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secret, copyrighted material, and software or comparable material from a third party when the University has agreed to keep such information confidential. (c) Any other data the disclosure of which could cause significant harm to Penn or its constituents.
		[3] This Computrace Liaison may or may not also serve as the Data Delete Administrator (see below). Note that there should be a person designated as the backup person, to handle Computrace Data Delete functions when the primary Data Delete Administrator is not available. See below for more detail.
		[4] The only current exception to this recommendation relates to the School of Medicine, which has an independent relationship with Absolute Software, the entity which licenses Computrace.
		[5] For the full text of the Critical Host Policy see http://www.isc-net.upenn.edu/policy/approved/20000530-hostsecurity.html. For the full text of Penn’s Policy on Social Security Numbers, see http://www.upenn.edu/almanac/volumes/v54/n16/sspolicy.html.
		[6] See endnote 2 above.
		[7] Penn’s Incident Response Policy may be found at http://www.net.isc.upenn.edu/policy/approved/20070103-secincidentresp.pdf.
		[8] This assumes that the ordering entity has designated the Computrace Liaison as the authorized Data Delete Administrator. Absolute Software sends to the authorized Data Delete Administrator an RSA SecurID token, which displays a password that changes every sixty seconds. This password (among other safeguards) is required in order to initiate the data delete function. If the Data Delete Administator is not available, there should be a backup person who can initiate a Data Delete with the RSA SecurID token.

Privacy Statement