After a spate of embarrassing and potentially dangerous incidents within
various civilian government agencies, the Bush administration has
released an official memo stipulating
that all mobile devices (notebooks, smartphones and I would imagine USB
storage) which carry sensitive data must be encrypted. Remote access
should only be given with two-factor authentication--one of the factors
must be provided by a device separate from the computer gaining access.
Remote access and mobile devices should time-out after 30 minutes of
inactivity. The document also dictates that all data extracts from
databases holding sensitive information be erased within 90 days
unless their use is still required.
It seems hard to believe the statement inside this memo which reads
"Most departments and agencies have these measures already in place",
given the recent incidents which have no doubt prompted the memo's issue.
SecurityFocus has a deeper analysis available and the official memo
is found here.