S 2.310 Appropriate selection of laptops
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Purchasing Department, Administrator, Head of IT
There are numerous types and device classes of laptops. These differ not only in their dimensions and the features they offer, but also in their security mechanisms and ease of use. In addition, they place different requirements on hardware and software components in the operational environment.
Given the large number of different laptop models equipped with a wide variety of operating systems, compatibility issues regarding hardware, software on laptop and PC, and interfaces are to be expected.
If the use of laptops has been decided on within an organisation, a list of requirements should be drawn up that can be used to evaluate the products available on the market. The products to be purchased should then be selected based on the evaluation. Practical experience has shown that, because requirements for use vary, it may make perfect sense to select several types of devices for purchase. The variety of devices should be limited, though, to simplify support.
A requirements analysis should be performed first. Its goal is, on the one hand, to determine the operational scenarios that come into question for the specific case and, on the other hand, to derive from them the requirements for the necessary hardware and software components.
The following list provides an overview of possible general evaluation criteria, but it is by no means complete and additional general requirements may be added to it.
General criteria
- Maintainability
  - Is the product easy to maintain?
  - Does the manufacturer offer software updates regularly?
  - Is it possible to sign maintenance contracts for the product?
- Reliability/failure safety
  - How reliable and fail-proof is the product?
  - Can the product be used in continuous operations?
  - Does the product offer an integrated backup mechanism? Is it possible to back up the data automatically?
- User-friendliness
  - Is the product easy to install, configure and use?
  - Can the use of the synchronisation software be configured in such a way that users are burdened with as few technical details as possible?
  - Is security guaranteed at all times in spite of this?
  - Are the dimensions and the weight appropriate considering the purpose? Is the battery runtime sufficient for the daily work?
- Cost
  - How high is the initial purchase cost of the hardware and software?
  - How high is the expected running cost for hardware and software (i.e. for maintenance, operation, and support)?
  - How high is the expected running cost for the personnel (administrator/support)?
  - Do additional software or hardware components have to be procured (e.g. docking station, converting software)?
Function
- Installation and initial operation
  - Can the device and the synchronisation software be configured in such a way that the specified security objectives can be achieved?
  - Can important configuration parameters be protected against being changed by the users?
  - Does the product work together with common hardware and software (operating systems and drivers)?
- Administration
  - Does the documentation supplied with the product contain exact descriptions of all technical and administrative details?
  - Can the laptops be administered using centrally controlled management software? Is the administrative interface designed in such a way that it points out incorrect, insecure, or inconsistent configurations or prevents them?
- Logging
  - Does the product offer logging functions?
  - Can the level of detail of the logging function be configured? Does the logging function record all relevant data?
  - Is access to the logged data protected by access control?
  - Does the product provide for the option of also storing the logged data on remote computers (central logging function) and not only locally?
- Communication and data transmission
  - Does the laptop support all necessary data transmission technologies (e.g. infrared, Bluetooth, or GSM)?
- Security: communication, authentication, and access
  - Does the laptop provide suitable mechanisms for the identification and authentication of the user?
  - Can the product be used to transmit data securely to other terminal devices?
  - Is it possible to use additional protection mechanisms (e.g. encryption or virus protection programs)?
  - Does the product architecture allow for the subsequent installation of new security mechanisms?
  - Is the mobile user only allowed to access local terminal devices upon successful authentication?
  - Is the system architecture designed in such a way that new authentication mechanisms can be integrated later on?
Once all requirements regarding the product to be purchased have been documented, it is necessary to examine the products available on the market to determine the extent to which they fulfil these requirements. You cannot expect every product to fulfil all requirements at the same time or with the same quality. For this reason, the individual requirements should be weighted based on how important it is to fulfil the corresponding requirement. Based on the performed product evaluation (according to the requirements catalogue drawn up) it is possible to make an informed purchase.
Review questions:
- Has a requirements analysis been performed regarding the selection of laptops?
- Does the requirements analysis also include additionally required hardware such as docking stations and screens?
- Have the devices considered been evaluated based on the criteria derived from the requirements analysis?
- Has the purchase decision been coordinated with the administrators and the technical personnel?