There are multiple aspects and technologies involved in our ongoing data security efforts. We'll try to answer more complicated questions here.
Q: What if I'm at home, on my encrypted personal laptop, using my encrypted HCI USB thumb drive, and my child comes up and wants to show me some photos or other personal items on an unencrypted USB thumb drive she has. Am I in violation of the policy if I insert an unencrypted USB thumb drive in my personal laptop, away from the HCI premises?
UPDATE (7/11/13): The answer to this question is "if you are connected to the network with your encrypted laptop, it is prohibited to use an unencrypted USB thumb drive, or unencrypted external drive."
CATG interpretation: "network" in the response means if you're here physically at HCI, or if you're connecting to resources remotely. In the spirit of the longer response below, the rule of not using an unencrypted thumb drive while connected to the network is intended to prevent situations where you inadverently download to the thumb drive work related data. We would (gently) extend this to include the scenario where you're working on work data, even if you're not connected to the network.
Example: If you're working on a spreadsheet or word file that contains work-related data - even if you're disconnected - don't insert the unencrypted thumb drive. (We can't prohbit this from occurring if you're disconnected, but strongly suggest separating work tasks from personal data tasks.)
The "distracted driving" analog described below is a good way of looking at it.
This scenario illustrates a crucial part of this ongoing data security iniative, which is the need for us to change our culture, change our way of handling data. In future phases of this project, we may (or may not) be able to technologically prevent the insertion of an unencrypted USB thumb drive into a personal system, but these types of scenarios - and many we haven't thought of - will inevitably arise.
We certainly don't advocate that you should ignore your children when they interrupt you at home, but taking the split second to ask yourself "am I practicing safe data procedures?" or verifying that you remove the unencrypted USB thumb drive before resuming work on your laptop might make the difference between inadvertently saving valuable data on an unprotected device, and running the risk of fines and possible organizational sanction, and avoiding that mistake altogether.
I know I've inadvertently saved or downloaded data onto devices I did not intend to. It happens. Computing is often more complex that we'd like it to be.
Changing our mindset when it comes to working with data might include asking yourself "Am I being safe, am I being smart with this data?" (I'm not being facetious, or trying to be dramatic. Changing how we approach handling data is similar to how one might approaching talking on the cell phone while driving. It doesn't hurt to just check yourself, occasionally.)
In the future we intend to implement some safety features, including (basically) a "technological trapeze net" that will help people avoid making inadvertent mistakes, but there will always be scenarios where technology can't police every aspect of safe data policies.
When we presented this new requirement to HCI Senior Leadership, Dr. Beckerle noted the scope and impact, and observed this will really require us to change our culture, change the way we handle data, and how we think about handling data. Beyond the technology changes and new policies, this is certainly the case with this ongoing data security initiative.
