The latter two issues are easy to prevent: All confidential information should be encrypted when stored on portable computers and media, including backup media. Actually, all confidential data should be protected, but I'm assuming your nonportable assets and media have other offsetting controls.

Although no federal laws or guidelines require encryption to protect confidential information, disk or data encryption is the easiest way to prevent unauthorized access. If your company stores confidential data on said equipment or media, follow these rules:

1. Create a data encryption information policy and educate employees. 2. Select and use a proven and secure encryption software product. 3. Enable automatic encryption of data or the media it resides on. 4. Ensure that the password, passphrase, or secret key used to protect the data is nontrivial and stored securely. 5. Create and maintain a key escrow program so that encrypted data can be recovered if the main user loses the key.

That's it. Following this advice will go a long toward protecting confidential information if the portable computer or media gets lost or stolen. How nice it would be for your company to not have to report lost information to its customers, government, and the media.

The hardest choices will be what to encrypt and what product to use. You can encrypt the entire media or just the data. Encrypting the entire media is a better choice because application software often leaves plain-text remnants of crypto-text in unprotected areas. An attacker using a bit-level analysis tool could extract the plain-text remnants.