Re: [Thinkpad] Thinkpad Hard Drive Passwords

I heartily agree! Also, make sure that the CLIENT chooses its security options itself -- in writing. I'd provide tips to lead them
to a wide array of IBM security information and encourage the decisionmakers to explore links and do a thorough web search. Here's
one that might be a useful starting point; it contains links to all sorts of other IBM security publications too.

IBM Client Security Software and the IBM Embedded Security Subsystem
 http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-46391&selectarea=SUPPORT&tempselected=5&brand=IBM%20ThinkPad

No matter how tempting it may be to deliver an oh-so-educated opinion about the relative merits of various security measures, please
don't expose yourself or your company to such liability. Find a diplomatic way to make the client educate itself and make its own
choices. Besides, you'll actually be providing *better* service by doing that, because to achieve any decent level of security, the
client's managers really need to engage and grapple with the issues themselves.

Deanna
dberman@4dv.net

----- Original Message -----
From: <eletourneau@verizon.net>
To: <thinkpad@stderr.org>
Sent: Sunday, February 01, 2004 14:42 PM
Subject: Re: [Thinkpad] Thinkpad Hard Drive Passwords

> In <513A882C4B95574FB9575CEBCC0787CEBBEC15@bulldog.uhc.cc>, on 02/01/2004
> at 03:27 PM, "Greg Langham" <greg@ubh.com> said:
>
> >Hi all,
>
> >Our IT shop supports a financial instituion where Gramm-Leach-Bliley (the
> >"Privacy Act") is of importance. The bank examiners are tellling the bank
> >that notebook computers need to be protected in the event of theft, loss,
> >etc.
>
>
> If you're documenting for the examiners -- and by extension the bank legal
> department -- why don't you ask IBM and get the info your really need.
> You don't need opinions, you need defendable documentation.
>
> Now, where do I send the invoice for the consulting -- I mean you guys
> charge for everything so...
>
>
> >Beyond implementing the normal things (such as power on passwords, OS
> >best practices, etc.) the examiners want notebook drives encrypted. Their
> >concern is that a drive from one machine could be moved to another
> >machine and read. When we mentioned hard disk passwords, they wanted more
> >information regarding the implementation.
>
> >I know the Thinkpad hard disk password "follows" the drive. We have
> >tested the disk password is "user+master" mode it and it works great.
>
> >Still, I would like to hear everyone's opinion on whether this is an
> >adequate security measure for protecting the hard drive data (rather than
> >encrypting it.) If there are work-arounds to the password, I would like
> >to know that they exist, though I really don't want to how to do it. I
> >would also be interested in other thoughts you might have on the subject.
>
> >Thanks,
>
> >Greg
>

_______________________________________________
Thinkpad mailing list
Thinkpad@stderr.org
http://stderr.org/cgi-bin/mailman/listinfo/thinkpad
Received on Sun Feb 1 19:38:04 2004