Page 1 of 1

Robbery - USB backup key taken. Next steps?

Posted: Mon Jun 04, 2018 9:52 am
by jtyewhit
We recently had a break-in. One of the ward clerks let me know this morning that their USB backup key is missing. The one they use after submitting a tithing batch to backup finance info.

We will make that part of the police report, but what are the next steps given that I imagine the drive contains personal information and ward finance information.

Re: Robbery - USB backup key taken. Next steps?

Posted: Mon Jun 04, 2018 10:48 am
by russellhltn
jtyewhit wrote: I imagine the drive contains personal information and ward finance information.
I'm pretty sure it's in an encrypted format, which I think in most cases negates the need to report the data loss.

But I'd call support to if there's any thing you need to do about the theft.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 9:36 am
by jtyewhit
I contacted Salt Lake and they confirmed that the data on the USB key is not readable by anyone who doesn't access it via the MLS software.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 10:27 am
by drepouille
A related concern of mine is all the documents stored in the file system, outside of MLS. If you store confidential documents on the hard drive, they are readable by anyone who can login to the Windows account that created them, or by anyone with Administrator privileges, or by anyone who can move the hard drive to another system.

If you either copy confidential documents to a flash drive, or just create and manage them directly on a flash drive, similar security concerns arise. Document encryption is possible, as long as enough folks know the passwords used for each document.

Off site storage is an option, as long as you remember to bring the flash drive to church with you. There is no perfect solution.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 11:41 am
by russellhltn
drepouille wrote:A related concern of mine is all the documents stored in the file system, outside of MLS. If you store confidential documents on the hard drive, they are readable by anyone who can login to the Windows account that created them, or by anyone with Administrator privileges, or by anyone who can move the hard drive to another system.

If you either copy confidential documents to a flash drive, or just create and manage them directly on a flash drive, similar security concerns arise. Document encryption is possible, as long as enough folks know the passwords used for each document.

Off site storage is an option, as long as you remember to bring the flash drive to church with you. There is no perfect solution.
It's not spelled out in current policy (that I can find), but know I've seen policy that said confidential information was not to be stored on the hard drive. It had to be placed on an external drive and stored in a locked drawer when not in use.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 8:09 pm
by lajackson
russellhltn wrote:It's not spelled out in current policy (that I can find), but know I've seen policy that said confidential information was not to be stored on the hard drive. It had to be placed on an external drive and stored in a locked drawer when not in use.
Policies and Guidelines for Computers Used by Clerks for Church Record Keeping, August 2009. The instructions may also be buried at the Help Center, but I am unable to find them there.

Under Security, it says that, other than MLS, confidential files should not be stored on the hard drive. They should be saved on external media and locked in storage when not in use.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 8:32 pm
by russellhltn
lajackson wrote:Policies and Guidelines for Computers Used by Clerks for Church Record Keeping, August 2009.
That sounds right. Some may claim it's superseded, especially since I don't think it's available on-line anymore.

I still consider it wise counsel.

Re: Robbery - USB backup key taken. Next steps?

Posted: Wed Jun 20, 2018 8:59 pm
by lajackson
russellhltn wrote:
lajackson wrote:Policies and Guidelines for Computers Used by Clerks for Church Record Keeping, August 2009.
That sounds right. Some may claim it's superseded, especially since I don't think it's available on-line anymore.
I am with the group that would say it is not superseded, but it would be really nice to be able to find it online. Of course, I have trouble finding the current stuff online, as well. I have never really understood why that is. It should not be that hard.

Re: Robbery - USB backup key taken. Next steps?

Posted: Fri Jun 22, 2018 12:31 am
by matthewmidgley
Is enabling BitLocker Drive Encryption an option? I would assume most units are on Windows 10 now. One of the issues however is the age of the hardware it's use on and wether they have TPM. Otherwise, another password is required and I can only imagine the chaos if it's lost or forgotten!

Re: Robbery - USB backup key taken. Next steps?

Posted: Fri Jun 22, 2018 7:28 am
by lajackson
matthewmidgley wrote:Is enabling BitLocker Drive Encryption an option?
Not in the "current" (2009) policy, if you are referring to other confidential files on the hard drive.