S 4.27 Laptop access protection
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
Each laptop should be equipped with access protection that prevents it from being used in an unauthorised manner. Where BIOS boot protection is available, it should be activated as the minimum level of protection, unless another security mechanism is present. The computer will then boot only after the correct boot password has been entered. The rules to be taken into consideration when handling passwords are described in S 2.11 Provisions governing the use of passwords.
Furthermore, virtually all operating systems offer the option of setting up login passwords and of applying suitable restrictions to them (e.g. minimum length, lifetime, etc.). Since these integrated means only provide limited security, it is advisable to use additional security hardware or software on laptops on which large amounts of data quickly accumulate. Examples include chip cards or tokens that protect authentication.
If no password routine is installed, storing data requiring protection on the hard disk should be prohibited unless the data is encrypted. The data should instead only be stored on mobile data media, for example diskettes or USB sticks. In this case, these media must be stored separately from the laptop, e.g. in the user's wallet.
Access control, e.g. a screensaver, must be activated in any case during short interruptions of work. If it is foreseeable that the interruption will take longer, the laptop must be switched off.
Review questions:
- Is there appropriate access protection for the laptops?
- Are the rules for properly handling the access protection complied with?
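
The review questions can be answered for a whole fleet by evaluating the rules above against inventory data. The following is an added example, not part of the safeguard text: the inventory field names, finding labels and sample records are constructed, and treating a boot password, a login password or a chip card/token as an installed "password routine" is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Laptop:
    # Hypothetical inventory fields; not defined by S 4.27.
    name: str
    bios_pw_supported: bool      # firmware offers a boot password
    bios_pw_set: bool
    other_mechanism: bool        # e.g. chip card or token (assumed field)
    login_pw_set: bool
    protected_data_on_disk: bool
    disk_data_encrypted: bool
    lock_on_idle: bool           # e.g. screensaver access control

def check_s427(l: Laptop) -> list[str]:
    """Return the S 4.27 rules this laptop record violates."""
    findings = []
    # Boot password is the minimum where possible, unless another mechanism exists.
    if l.bios_pw_supported and not l.bios_pw_set and not l.other_mechanism:
        findings.append("boot-protection-missing")
    # Assumption: any of these counts as an installed "password routine".
    has_pw_routine = l.bios_pw_set or l.login_pw_set or l.other_mechanism
    # Without one, data requiring protection may only sit on disk encrypted.
    if not has_pw_routine and l.protected_data_on_disk and not l.disk_data_encrypted:
        findings.append("unencrypted-protected-data-without-password")
    # Access control must engage during short interruptions of work.
    if not l.lock_on_idle:
        findings.append("no-lock-on-short-interruption")
    return findings

def audit(fleet: list[Laptop]) -> dict[str, list[str]]:
    """Map each non-compliant laptop name to its findings."""
    return {l.name: f for l in fleet if (f := check_s427(l))}

# Constructed sample inventory.
FLEET = [
    Laptop("lt-01", True, True, False, True, True, False, True),
    Laptop("lt-02", True, False, True, True, True, False, True),
    Laptop("lt-03", True, False, False, True, True, True, False),
    Laptop("lt-04", False, False, False, False, True, False, True),
]

if __name__ == "__main__":
    for name, findings in audit(FLEET).items():
        print(name, findings)
```

A laptop whose firmware cannot set a boot password (lt-04) is not flagged for missing boot protection, but it is still flagged if it holds unencrypted data requiring protection with no password routine at all.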