Table of Contents
1. Context ................................................................................................................... 3
2. Training................................................................................................................... 4
3. Consulting............................................................................................................... 5
4. Commercial Model.................................................................................................. 6
5. Best Practices Model – Implementation Overview................................................. 8
5.1 Phase 1 - Device Encryption .................................................................................. 9
5.2 Phase 2 – Device Control ..................................................................................... 10
5.2.1 Installing McAfee Device Control (DLP)................................................................ 11
5.2.2 Upgrading Port Control to Device Control............................................................. 16
5.3 Phase 3 – Content Encryption .............................................................................. 17
2
NHS V6 31 July 08
www.mcafee.com
1. Context
Advanced McAfee encryption technology for protecting data and devices has been sold through Trustmarque to
NHS Connecting for Health on behalf of the English NHS. It is the NHS intention to deploy this technology across
the NHS Trusts over the course of 2008 and 2009, as a matter of priority.
McAfee and Trustmarque wish to assure the NHS Trusts of the highest quality rollout and deployment programme
to ensure a minimum of disruption to end users and maximise effective security protection. Many projects to
implement this technology will be simultaneously in progress across the Trusts. We believe the projects will be
implemented most effectively and smoothly through a carefully planned Best Practices model which places special
emphasis on practical training and implementation support to enable each Trust to plan and deploy with minimum
risk.
McAfee and Trustmarque have worked together to enable the best practices for implementation to be shared and
used by the highest level of accredited partners. Training modules and expert implementation services are
available to Trusts. We believe most Trusts will benefit from procuring accredited and qualified consulting
assistance to help them ensure a high-quality project implementation. The programme also includes live
technical support, on-site consulting services and quality assurance validation prior to going into production.
1. Minimise risk and ensure proof of concept 'pilot' project familiarity before going into production.
2. Minimise any end user 'down time' and maximise user familiarity with simple encryption principles.
3. McAfee has always advocated a phased approach for the deployment of encryption products. This has
proved successful - with fast results, lower technical overhead and much improved customer results.
4. Ensure online and onsite technical support and quality assurance, as required.
5. Enable simple point of contact and 'Helpdesk' support for first line resolution of technical issues.
2. Training
McAfee has designed training courses for both the implementation and support of Endpoint Encryption.
There are four different training courses available.
3. Consulting
Many qualified Partners will be assisting Trusts in planning and deploying their encryption project. Projects which
are delivered by these Partners will follow the Best Practices methodology and implementation model. At an
overview level, this methodology follows the steps below:-
It is expected that most Trusts will procure specific consulting help to assist them in (or take accountability for)
deploying McAfee encryption using the established Best Practices model.
Partner consulting resources are available for on-site project work on a priced day-rate basis and are also
available to assist with appropriate training. These highly qualified resources may be ordered through Trustmarque
on a standard day rate.
Technical design support, deployment problem resolution, course scheduling and overall programme logistics will
be handled through a centralised Services Desk.
Following successful implementation and deployment into production, Trusts may choose to opt for ongoing
managed services to run the encryption implementation on a day-to-day basis against a declared and agreed
service level. These managed services will be made available through qualified partners and can be discussed
further on request.
4. Commercial Model
Help Desk
All technical updates and communications
Technical Support for ongoing projects
Training information and scheduling
Technical Design Authority
Post production Healthcheck audits
Repository of Best Technical Practices
The following transaction chain will occur:-
When a Trust wishes to procure best practices implementation services, they may place an order through
Trustmarque. From this order, a specialist partner is selected through the Project Services Centre and work may
then be scheduled. All technical information regarding best practices and highest level of technical expertise
access is managed through the Project Services Centre. The Trust may be assured the partners selected are of
the highest accreditation and that they have centralised access to expertise to resolve any technical issues
encountered in the implementation project. McAfee/Trustmarque recommends using only the partners who are
accredited in this programme but respect the fact that this is an open commercial choice of the Trust.
[Figure: Order flow, dated 7/28/2008 - NHS Trusts place an order with Trustmarque; the order is processed; selection and scheduling of work follows; delivery is by an accredited Partner (Partner A, B or C, MFE SB).]
Multiple, carefully selected Partners with existing McAfee Accreditation and experience are enrolled in the
programme and will be delivering on site consultancy. These Partners have been accredited and fully committed to
following the Best Practices program in order to deliver a complete implementation. McAfee and Trustmarque will
ensure quality assurance tests and validation exist prior to production 'go live' and will have a right of review on
Partner delivery work. The review of technical implementation work completed by accredited partners can occur
where a Trust wishes to assure that the highest standards of implementation best practices have been followed
and that the final implementation can be certified for production.
Significant expertise exists to help ensure enough resource to scale out and deliver the implementation of these
projects on time and to budget. Leveraging this partner resource effectively will enable NHS Trusts to meet their
targets on encryption and will ensure a quality standard is achieved. Our partners are committed to this model and
all understand it will enable:-
5.1 Phase 1 - Device Encryption
McAfee Device Encryption is a sector level encryption solution that can be deployed with limited impact to the
user and the Microsoft Windows build. The Microsoft Windows machine is protected against unauthorised access as
it has a pre-boot authentication client which allows only authorised users access to the Microsoft Windows
environment. After the user has authenticated, the operating system will behave in the same fashion as before,
with decryption/encryption taking place on-the-fly and transparent to the end user.
The benefit of this solution is that it does not typically require any testing of applications or understanding of
business work processes in order to implement a full disk encryption solution. It also means that compliance
with the policy guidelines governing encryption can be achieved quickly across the installed base
estate.
McAfee recommends the first phase of a complete encryption project should start with a focus on device
encryption. There are two specific points in the approach and delivery of successful device encryption across
the installed base of laptops and personal computers which should be considered:
Scoping and Assessment. Preliminary preparation and planning work must be done to understand risk
levels and appropriate encryption policy with the user community. This scoping exercise normally
involves approximately 1 day of consultations and also an assessment of the devices installed in the
estate to be encrypted.
Implementation of the McAfee Management Center and Deployment of McAfee Device Encryption.
The McAfee Management Center is designed to install, manage and deploy all McAfee products
including McAfee Device Encryption, McAfee Content Encryption and McAfee Port Control. The
McAfee Management Centre manages machine and user policies for the deployment of McAfee
Device Encryption. This is a full disk (sector level) encryption solution for Windows notebooks and
desktops.
Issues to be considered
The deployment of full disk encryption will satisfy most of the requirements regarding securing the movement
of data held on notebooks (laptops, tablets etc) for the NHS. McAfee considers that starting encryption
projects with device encryption is the most effective and simple introduction for encryption technology. The
following benefits can be achieved:-
NHS IT support staff become familiar with the administration of the McAfee Management Center.
NHS IT staff become familiar with the deployment and methodology of McAfee install packages, which
are the same for all of the McAfee products.
NHS users become familiar with the McAfee Pre-Boot client (PBOS).
The rollout of full disk encryption reduces the level of encryption project complexity in the NHS to ensure a
successful implementation with a minimal impact on the productivity of the end user. This then allows users to
become accustomed to basic encryption and prepares the way to move to a full file and folder content
encryption implementation. The main issues to be considered are similar to the introduction of any new
technology: education, training and new processes to be followed.
Testing of full disk encryption can be expedited relatively quickly by performing a pilot on a representative
selection of all PC platforms within the Trusts estate. This can be planned up front with the implementation
partner.
5.2 Phase 2 – Device Control
Device Control (DLP) is tested for use on Windows Vista (32-bit only) operating systems; Port Control will not
install in a Vista environment and there are no plans to develop Port Control to operate with Windows Vista or
beyond.
Device Control (DLP) works with everything Port Control did and more, with two device types covering more
options than the Port Control product:
Plug and Play device — a device that can be added to the managed computer without any configuration
or manual installation of DLLs and drivers. Plug and play devices include most Windows devices. Plug
and play device definitions allow you to manage and control most available devices; for example,
Bluetooth, Wi-Fi, and PCMCIA.
Removable Storage device — any external device containing a file system that appears on the managed
computer as a drive; for example, PDAs, flash disks, cameras, iPods/phones and Sat Nav units.
In addition to white and black listings for device types and device type management both Port Control and Device
Control (DLP) can block specific device types using USB Vendor ID or Product ID. Device control can manage
devices using a range of unique device identifiers down to the serial number of a specific device.
5.2.1 Installing McAfee Device Control (DLP)
Device Control has rules that allow you to monitor and control external devices and their use in the distribution
of sensitive information. Devices attached to enterprise managed computers — such as smart phones,
removable storage devices, Bluetooth devices, MP3 players, or plug and play devices— can be monitored or
blocked. Use device definitions to control specific devices by fine-tuning the device properties such as the
device class, device PID/VID, or USB class code. Device properties serve as filter criteria for controlling
devices, providing the advantage of using portable devices while maintaining the company policy about
sensitive information. You can create different sets of rules for the enterprise workforce based on roles and
needs. For example, while the majority of workers are not allowed to copy enterprise data to removable storage
devices, the IT team can use these devices and are only monitored by the system. This kind of scenario can
be implemented by using the properties of the specific device with a suitable reaction rule.
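The paragraph above describes device definitions (device class, USB VID/PID, serial number), role-based rule sets and reaction modes, but does not show how they combine when several rules match one device. The following is an added example written for this page, not McAfee Device Control code: a small policy evaluator in which a general "block removable storage" rule, an IT-team exception that only monitors, and a serial-number-specific "read only" rule are applied to constructed attach events. All devices, identifiers, field names and the precedence order are assumptions of the example.

```python
"""Illustrative device-control policy evaluator (added example, not McAfee code).

Models the ideas described on the page: device definitions matched on device
class, USB VID/PID or serial number; role-based rule sets; and reaction modes
(Monitor, Notify Admin, Notify User, Block, Read Only). Every device, rule and
identifier below is constructed sample data; the precedence order is an assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

REACTIONS = ("Monitor", "Notify Admin", "Notify User", "Block", "Read Only")
MATCH_FIELDS = ("device_class", "vid", "pid", "serial")


@dataclass(frozen=True)
class Device:
    """Properties reported when a device is attached to a managed computer."""
    device_class: str                 # e.g. "RemovableStorage", "Bluetooth", "Wi-Fi"
    vid: Optional[str] = None         # USB vendor ID, 4 hex digits
    pid: Optional[str] = None         # USB product ID, 4 hex digits
    serial: Optional[str] = None      # serial number, if the hardware exposes one


@dataclass(frozen=True)
class DeviceDefinition:
    """Filter criteria for a rule; a field left as None matches any value."""
    name: str
    device_class: Optional[str] = None
    vid: Optional[str] = None
    pid: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        for attr in MATCH_FIELDS:
            want, have = getattr(self, attr), getattr(dev, attr)
            if want is not None and (have is None or want.lower() != have.lower()):
                return False
        return True

    def specificity(self) -> int:
        # Number of device properties the definition pins down.
        return sum(getattr(self, attr) is not None for attr in MATCH_FIELDS)


@dataclass(frozen=True)
class Rule:
    definition: DeviceDefinition
    reaction: str
    roles: FrozenSet[str] = frozenset()   # empty set = applies to every role

    def __post_init__(self) -> None:
        if self.reaction not in REACTIONS:
            raise ValueError(f"unknown reaction {self.reaction!r}")


def evaluate(rules: List[Rule], dev: Device, role: str, default: str = "Monitor") -> str:
    """Pick the reaction for one attach event.

    Precedence (an assumption of this example): the definition naming the most
    device properties wins; among equals a role-specific rule beats a rule for
    everyone; remaining ties go to the earlier rule; no match -> default.
    """
    best: Optional[Rule] = None
    best_key = (-1, -1)
    for rule in rules:
        if rule.roles and role not in rule.roles:
            continue
        if not rule.definition.matches(dev):
            continue
        key = (rule.definition.specificity(), 1 if rule.roles else 0)
        if key > best_key:
            best, best_key = rule, key
    return best.reaction if best else default


# Constructed sample policy mirroring the page's scenario: removable storage is
# blocked for everyone, the IT team may use it but is monitored, one approved
# stick (identified by serial) is read-only for all, Bluetooth notifies the user.
SAMPLE_POLICY = [
    Rule(DeviceDefinition("All removable storage", device_class="RemovableStorage"), "Block"),
    Rule(DeviceDefinition("IT removable storage", device_class="RemovableStorage"),
         "Monitor", roles=frozenset({"IT"})),
    Rule(DeviceDefinition("Approved archive stick", device_class="RemovableStorage",
                          vid="0ABC", pid="1234", serial="SN-CONSTRUCTED-001"), "Read Only"),
    Rule(DeviceDefinition("Bluetooth adapters", device_class="Bluetooth"), "Notify User"),
]


def demo() -> List[str]:
    """Evaluate a few constructed attach events against SAMPLE_POLICY."""
    events = [
        (Device("RemovableStorage", vid="0abc", pid="9999"), "Clinical"),
        (Device("RemovableStorage", vid="0abc", pid="9999"), "IT"),
        (Device("RemovableStorage", vid="0ABC", pid="1234", serial="sn-constructed-001"), "Clinical"),
        (Device("Bluetooth"), "IT"),
        (Device("Wi-Fi"), "Clinical"),
    ]
    return [evaluate(SAMPLE_POLICY, dev, role) for dev, role in events]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the precedence rule is the one the page makes: a device-specific definition (VID/PID plus serial) overrides a class-wide rule for every role, while a role exception only overrides rules of equal specificity. Matching is case-insensitive because USB identifiers and serials are reported in inconsistent case by different drivers.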
The first time you open DLP Policy Manager, a wizard runs for first-time initialization.
In ePolicy Orchestrator 4.0 — click Systems, and then click the DLP Policy tab.
The First Time Initialization wizard appears.
Configure the DLP Event Collector and the Evidence Storage Paths
Configure the Policy Manager web server path
Configure the Manual Tagging authorization list.
NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP
Manual Tagging Users and using the group when configuring Access Control.
Type the domain groups and/or users who have rights to use the Manual Tagging feature.
Validate Entries to confirm your settings.
Type and confirm a new password for the agent override key
Configure the White list
Customize the agent pop-up service if desired.
You are automatically prompted after the initialization to apply the default policy.
The Applying to ePO window appears.
All ePolicy Orchestrator and Device Control (DLP) agents are deployed to the clients from ePolicy
Orchestrator. In addition, components for Policy Auditor, Endpoint Encryption for PC and Files and Folders, NAC,
VirusScan and other 3rd party applications can also be delivered and in most cases managed by ePolicy
Orchestrator.
Issues to be considered
Hardware should always meet or exceed the minimum specification for both servers and agents. Where newly
purchased servers have been utilised for the current Endpoint Encryption, their specifications should meet the
minimum requirements. Where older or shared servers have been utilised, McAfee can advise on their suitability
and scalability for your specific environment.
Hardware requirements
The following hardware is recommended for running McAfee ePolicy Orchestrator with Host Data Loss Prevention
software:
Servers
• CPU: Intel Pentium IV 2.8GHz or higher.
• RAM: 1GB minimum (2GB recommended).
• Hard Disk: 80GB minimum.
Agent Workstations
• CPU: Pentium III 1GHz or higher.
• RAM: 256MB minimum (512MB recommended).
• Hard Disk: 200MB minimum free disk space.
• 100Mbit LAN serving all workstations and the DLP DB server.
Network
• Agents must be able to access port 43000 on the server running the Event Collector Service.
• Administrators running the Event Monitor must be able to access TCP port 43000 on the server running
the Event Collector Service.
Software requirements
Servers
• Windows 2000 Server SP4
• Windows 2003 Server Standard (SE) SP1 or later
• Windows 2003 Enterprise (EE) SP1 or later
SQL Server
One of the following:
• Microsoft SQL Server 2005 Standard
• Microsoft SQL Server 2005 Express with Advanced Services (SQLEXPR_ADV.exe)
• Microsoft MSXML 6 6.0.3883.0 or higher
Agent Workstations
• Windows 2000 Professional SP4 or higher
• Windows XP Professional SP1 or higher (32bit only)
• Windows Vista (32-bit only)
Reporting Options
About Reporting
Port Control audits blocked and allowed events to the normal Windows event logs.
In the figure above, Event ID 1 indicates a blocked device whereas Event ID 0 indicates the device was allowed.
You can view or export the audit log using the normal Event Viewer functions and commands. With Port Control
there are no centralised reporting options.
McAfee Device Control under ePO offers two reporting options to review events, DLP Reports and RSS feeds. In
addition, you can view information on product properties on the ePO Dashboard.
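Because Port Control leaves its audit trail only in the local Windows event log, a Trust still running it has to collect and summarise exported logs itself before it gets any of the trend view the DLP Reports offer. The following is an added example, not McAfee code or the product's real export format: it parses a constructed Event Viewer CSV export, keeps only the Port Control source, applies the page's Event ID convention (1 = blocked, 0 = allowed) and produces the two summaries a helpdesk would want, blocked attempts per computer and per USB VID/PID, plus a simple repeat-offender check. The column layout, the source name "PortControl" and the description wording are assumptions.

```python
"""Summarise Port Control audit events from an Event Viewer CSV export (added example).

Not McAfee code. The page states that Port Control logs blocked (Event ID 1)
and allowed (Event ID 0) device events to the Windows event log, exportable from
Event Viewer. The export below is constructed: the columns, the source name
"PortControl" and the description text are assumptions, not the real format.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List

ALLOWED_EVENT_ID = 0   # per the page: the device was allowed
BLOCKED_EVENT_ID = 1   # per the page: the device was blocked

# Constructed sample export (assumed columns). Backslashes are literal in the CSV text.
SAMPLE_EXPORT = """\
Level,Date and Time,Source,Event ID,Task Category,Computer,Description
Information,28/07/2008 09:14:02,PortControl,0,None,WS-ONCOLOGY-03,"Device allowed: USB\\VID_0781&PID_5530 (removable storage)"
Warning,28/07/2008 09:21:45,PortControl,1,None,WS-ONCOLOGY-03,"Device blocked: USB\\VID_1234&PID_5678 (removable storage)"
Warning,28/07/2008 09:22:10,PortControl,1,None,WS-ONCOLOGY-03,"Device blocked: USB\\VID_1234&PID_5678 (removable storage)"
Information,28/07/2008 10:02:33,PortControl,0,None,WS-PHARMACY-01,"Device allowed: USB\\VID_0781&PID_5530 (removable storage)"
Warning,28/07/2008 11:47:19,PortControl,1,None,WS-HR-02,"Device blocked: USB\\VID_0951&PID_1603 (removable storage)"
Information,28/07/2008 11:50:00,Service Control Manager,7036,None,WS-HR-02,"The Print Spooler service entered the running state."
"""

VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_export(text: str, source: str = "PortControl") -> List[Dict[str, object]]:
    """Return only rows from the Port Control source, with Event ID as int and VID/PID extracted."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Source"] != source:          # other log sources are noise here
            continue
        m = VID_PID.search(row["Description"])
        events.append({
            "time": row["Date and Time"],
            "event_id": int(row["Event ID"]),
            "computer": row["Computer"],
            "vid": m.group(1).upper() if m else None,
            "pid": m.group(2).upper() if m else None,
        })
    return events


def summarize(events: List[Dict[str, object]]) -> Dict[str, object]:
    """Totals by outcome, plus blocked attempts per computer and per USB VID/PID."""
    by_id = Counter(e["event_id"] for e in events)
    blocked = [e for e in events if e["event_id"] == BLOCKED_EVENT_ID]
    return {
        "allowed": by_id[ALLOWED_EVENT_ID],
        "blocked": by_id[BLOCKED_EVENT_ID],
        "blocked_by_computer": Counter(e["computer"] for e in blocked),
        "blocked_by_device": Counter((e["vid"], e["pid"]) for e in blocked),
    }


def repeat_block_computers(events: List[Dict[str, object]], threshold: int = 2) -> List[str]:
    """Computers with at least `threshold` blocked attempts: candidates for a helpdesk follow-up."""
    counts = Counter(e["computer"] for e in events if e["event_id"] == BLOCKED_EVENT_ID)
    return sorted(name for name, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(summarize(parsed))
    print("repeat blocks:", repeat_block_computers(parsed))
```

Filtering on the source column matters in practice: a raw export of the System or Application log mixes Port Control rows with every other provider, and Event IDs 0 and 1 are used by many of them, so counting IDs without the source check gives wrong totals.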
DLP Reports
DLP Reports is a web-based application for generating online reports which can then be exported to standard
formats. The application provides the DLP administrator with time-based reports that can be used to summarize
information security events. These summaries can be used for executive-level reports, or can provide insight into
trends in user behavior.
DLP Reports uses Microsoft SQL Server Reporting Services (SSRS) to create reports. For this reason, McAfee
recommends using Microsoft Internet Explorer 6.0 SP1 or Internet Explorer 7.0, with scripting enabled, for viewing
reports, as the complete set of features for working with reports may not be available using other browsers.
RSS feeds
You can monitor DLP events without being logged in to ePolicy Orchestrator. You can set up any RSS reader that
supports authentication to get feeds from the DLP Monitor. You can use DLP Monitor filters to filter results. In
ePolicy Orchestrator 4, RSS feeds can be viewed using RSS Dashboard elements. When you add a new monitor
to a dashboard, a new category is available – DLP RSS Feeds. There are four monitor options:
For each option, you can configure the number of RSS events to display in the monitor. You must create a named
filter in DLP Monitor before using the “Filtered by...” option.
With ePolicy Orchestrator all changes are managed centrally, allowing updates to be received by the user while on
the business network without any intervention. From the Administrator's perspective, once the ePO server
is in place and the ePO agent has been deployed, additional agents can be deployed directly from the ePO
management console. Future requirements and product version updates for McAfee VirusScan, full DLP,
NAC, Policy Auditor or even 3rd party partner products can be deployed and managed in a fraction of the time
traditionally required for new software deployment.
5.2.2 Upgrading Port Control to Device Control
Migration from Port Control to Device Control will be centrally managed by the Administrator and transparent to
the user. The user will notice differences in the communication of the agent software, although the level of
interaction with the user can be set by the administrator. For example, the Agent can be placed in several modes
of operation: Monitor, Notify Admin, Notify User, Block or Read Only.
ePolicy Orchestrator allows for more flexible control of devices than Port control with the added advantage of
offline policy override using a challenge response method. In the event a policy has to be overridden a timed
override code can be provided to the user regardless of the machine location by the administrator or helpdesk.
Override codes require business justification forms that can be tracked for reporting purposes.
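The override mechanism above has three security-relevant properties worth seeing concretely: the code is bound to a challenge the machine generated (so it cannot be reused elsewhere), it expires, and issuing it is tied to a justification record for later reporting. The following is an added example that illustrates one way such a challenge-response scheme can work; it is not McAfee's actual override algorithm or code. The helpdesk and the agent share a per-site key; the code carries its expiry time and an HMAC over the challenge and that expiry, so the agent can check it offline. The key, challenge, timestamps and the code format are constructed assumptions.

```python
"""Illustrative timed override code via challenge-response (added example).

Not McAfee's algorithm. Shows how an offline machine can verify a helpdesk
override: the agent displays a random challenge, the helpdesk returns a code
bound to that challenge and to an expiry time, and the agent verifies it with
the shared site key. All keys, challenges and times below are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

CODE_TAG_HEX_DIGITS = 8   # 32-bit tag: short enough to read out over the phone


def new_challenge() -> str:
    """Agent side: random value shown to the user, making each code single-use."""
    return secrets.token_hex(4).upper()


def _tag(site_key: bytes, challenge: str, expiry: int) -> str:
    # The MAC covers both the challenge and the expiry, so neither can be altered.
    msg = f"{challenge.strip().upper()}|{expiry}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()[:CODE_TAG_HEX_DIGITS].upper()


def issue_override_code(site_key: bytes, challenge: str, valid_minutes: int,
                        justification: str, now: Optional[int] = None,
                        log: Optional[List[Dict[str, object]]] = None) -> str:
    """Helpdesk side: bind the challenge to an expiry and record the business justification."""
    if not justification.strip():
        raise ValueError("a business justification is required before issuing an override")
    current = int(time.time() if now is None else now)
    expiry = current + valid_minutes * 60
    code = f"{expiry}-{_tag(site_key, challenge, expiry)}"
    if log is not None:   # the audit trail the page says is tracked for reporting
        log.append({"challenge": challenge.strip().upper(), "expiry": expiry,
                    "justification": justification})
    return code


def verify_override_code(site_key: bytes, challenge: str, code: str,
                         now: Optional[int] = None) -> bool:
    """Agent side: accept only an unexpired code whose tag matches this challenge."""
    try:
        expiry_text, tag = code.strip().split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if current >= expiry:
        return False
    return hmac.compare_digest(_tag(site_key, challenge, expiry), tag.upper())


if __name__ == "__main__":
    key = b"constructed-site-key"          # would be provisioned per site in practice
    challenge = new_challenge()
    audit: List[Dict[str, object]] = []
    code = issue_override_code(key, challenge, 30, "INC-0001 (constructed)", log=audit)
    print("challenge:", challenge, "code:", code, "valid:", verify_override_code(key, challenge, code))
```

The agent needs only the site key and its own clock, which is what makes the override usable "regardless of the machine location". A 32-bit tag is a usability compromise; an agent using a scheme like this would also need to throttle verification attempts so the short tag cannot be guessed.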
Although not absolutely necessary, the removal of the Port Control Administration options from the Endpoint
Encryption Manager can be achieved by running the Endpoint Encryption Manager installer and deselecting the
Port Control components. The same result can be achieved for remote administration console installs if required.
Removal of Port Control and deployment of Device Control (DLP) using ePolicy Orchestrator can be achieved
once the ePO agents are in place:
1. Define the default policy for Device Control from within ePolicy Orchestrator.
2. Deploy the Port Control removal agent from ePolicy Orchestrator.
3. Deploy the Device Control Agent (DLP) from within ePolicy Orchestrator.
4. Update policies within ePolicy Orchestrator.
The sequence above would be transparent to the user, with the exception of a reboot requirement to
complete the installation.
5.3 Phase 3 – Content Encryption
McAfee Content Encryption is a file and folder encryption product which requires a consultative approach in
order to define an encryption policy that does not disrupt the business workflow. The deployment of any file
and folder encryption solution requires an excellent understanding of the user workflow processes and in
particular, how data is shared within an organisation and distributed to third parties.
A typical client engagement for file and folder encryption would adhere to the following sequential pattern of
activities:
Introduction to the concepts of McAfee Content Encryption in a Microsoft Windows environment; this
could take the form of a workshop.
Discovery phase of how the adoption of file and folder encryption could secure confidential data
without disruption to user workflow processes. This activity is usually undertaken by the IT Security
department, who may interview and should gather information from the internal business units about
how user data is created and shared in the organisation.
Creation of a McAfee encryption policy for files and folders based on the information gathered during
the "discovery" activity, implemented as part of a pilot for a selected profile of 'friendly users'.
Analysis of the pilot is undertaken to highlight policy gaps or revisions to the file and folder encryption
policy.
Pilot is expanded to include nominated representatives of all business units who will be impacted by
the adoption of the file and folder encryption policy.
Pilot for file and folder encryption becomes the design template for the production encryption policy.
Controlled deployment into production is phased in.
Issues to be considered
The implementation of any vendor file and folder encryption could be potentially very disruptive without proper
planning and consultation with end users in the business units identified as requiring file and folder encryption.
It is strongly recommended that consultation with identified business units should occur to ascertain the impact
of a file and folder encryption solution; not to do so could easily result in a poorly implemented solution which
could have serious business impacts. A poorly implemented solution can not only cause considerable user
disruption but will also undermine acceptance and understanding of the essential need for IT security.
A typical deployment of file and folder encryption tends to be of a specifically targeted nature; for example an
organisation may choose to encrypt removable devices only.
There are 2 critical factors which will be essential to a successful NHS deployment of file and folder encryption:
The pilot stage of the project will enable the identification of user workflow patterns and any
“unknowns” will become visible to NHS in-house IT support teams.
A phased deployment starting first with a pilot for selected profiles of ‘friendly users’ will facilitate a
more successful implementation when moving to a live production environment.
© 2007 McAfee, Inc. No part of this document may be reproduced without the expressed written
permission of McAfee, Inc. The information in this document is provided only for educational purposes
and for the convenience of McAfee's customers. The information contained herein is subject to change
without notice, and is provided "as is" without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are
trademarks or registered trademarks of McAfee, Inc. in the United States and other countries. All other
names and brands may be the property of others.
McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
888.847.8766
www.mcafee.com