S 2.36 Orderly issue and retrieval of a portable (laptop) PC
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
Depending on the purpose, laptops and other portable IT systems may be used by a single employee, e.g. as a workstation computer that is also used on the move. However, they may also be used by different employees in turn, e.g. for presentations. The security requirements differ depending on the type of use, so the purpose and the type of use should be planned carefully in advance.
When used as workstation computers, laptops typically alternate between mobile and stationary use and may access different networks. They must therefore be protected so that, on the one hand, mobile use does not result in important data on the laptops being compromised, manipulated, or lost and, on the other hand, the laptops do not introduce any threats into the internal networks.
If laptops are used alternately by different persons, controlled transfer is extremely important. In order to ensure this, a laptop pool should be established (see S 1.35 Pooled storage of portable IT systems).
The following items must be taken into consideration when issuing and retrieving a portable IT system:
Issue:
- The new user must change the laptop's old password and/or the default password immediately upon issue.
- The new user should be provided with a leaflet regarding secure handling of the portable IT system.
- In order to ensure that the location of the devices can be traced at any time, every user should be entered into an issue/retrieval journal, including the name, the organisational unit, the phone number, and the purpose.
Retrieval and/or forwarding:
- The user discloses his/her most recently used password and/or sets a default password such as "LAPTOP".
- The laptop must be checked for computer viruses with the help of an up-to-date anti-virus program.
- Before forwarding the device, the user must ensure that all data he/she still requires is transferred to data media accessible to him/her (e.g. his/her PC). Furthermore, the user must ensure that all files and data he/she generated are deleted (physically if possible). Suitable tools must be available for this.
- The retrieval of the laptop and the result of the virus scanning procedure must be documented. The completeness of the device, the accessories, and the documentation must be ensured.
- In order to ensure that the defined, secure basic configuration is present and that no sensitive files remain on the laptop, the laptop should be reinstalled from a reference installation (see also S 4.28 Software reinstallation in the case of change of laptop users).
- Returned data media must be re-formatted.
The intended types of use of the laptops must be documented.
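As an added illustration (not part of the original safeguard), the following sketch audits an issue/retrieval journal of the kind described above for missing entries and undocumented retrieval checks. The field names, event names and sample entries are assumptions constructed for this example.

```python
# Field names are assumptions for this example; the page lists only what to record.
ISSUE_FIELDS = ("name", "org_unit", "phone", "purpose")
RETRIEVAL_FIELDS = ("virus_scan_result", "complete", "user_data_deleted")

def audit_journal(entries):
    """Check a chronologically ordered journal (list of dicts).

    Returns (findings, on_loan): findings is a list of (index, device, text),
    on_loan maps each device still issued to the name of its current holder.
    """
    findings, on_loan = [], {}
    for i, e in enumerate(entries):
        dev, event = e.get("device", "<unknown>"), e.get("event")
        if event == "issue":
            for f in ISSUE_FIELDS:
                if not e.get(f):
                    findings.append((i, dev, f"issue entry lacks {f}"))
            if dev in on_loan:
                findings.append((i, dev, "issued again without a retrieval entry"))
            on_loan[dev] = e.get("name", "<unknown>")
        elif event == "retrieval":
            if on_loan.pop(dev, None) is None:
                findings.append((i, dev, "retrieval without a matching issue"))
            for f in RETRIEVAL_FIELDS:
                if e.get(f) is None:  # False is a documented result, None is not
                    findings.append((i, dev, f"retrieval entry lacks {f}"))
            if e.get("complete") is False:
                findings.append((i, dev, "device, accessories or documentation incomplete"))
        else:
            findings.append((i, dev, f"unknown event {event!r}"))
    return findings, on_loan

# Constructed sample journal (not real data).
SAMPLE = [
    {"event": "issue", "device": "LT-01", "name": "A. Example", "org_unit": "Sales",
     "phone": "555-0100", "purpose": "presentation"},
    {"event": "retrieval", "device": "LT-01", "virus_scan_result": "clean",
     "complete": True, "user_data_deleted": True},
    {"event": "issue", "device": "LT-02", "name": "B. Example", "org_unit": "HR",
     "phone": "", "purpose": "training"},
    {"event": "issue", "device": "LT-02", "name": "C. Example", "org_unit": "IT",
     "phone": "555-0102", "purpose": "audit"},
    {"event": "retrieval", "device": "LT-02", "complete": False,
     "user_data_deleted": True},
]

if __name__ == "__main__":
    print(audit_journal(SAMPLE))
```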
Review questions:
- Have all security-relevant aspects regarding the issue and retrieval of portable PCs been regulated if laptops are used alternately by different persons?
- Are the portable IT systems accompanied by a leaflet for secure handling?