In Depth

Safe at Home: CISOs on Security for Home PCs and Networks

CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home computer systems.

By Derek Slater

2. CISO, State of Michigan, Dan Lohrmann
More Systems, Kids, Defenses
Our second example ratchets up the complexity of the setup involved, both in technical and human terms: CISO Dan Lohrmann has three computers and two teenage kids who live at home.

And so he has more safeguards in place, including an RSA Security SecurID token required (along with a password) for logging in to work. He's big on patches and down on cookies; he does not allow websites to put a cookie on his machine unless absolutely necessary. Users with any degree of complexity should take a gander at Lohrmann's precautions, and anyone with kids will appreciate his smart advice for helping make family members part of the solution.

The Setup
What he has: Three standalone PCs, running either Windows XP with Service Pack 2 or Windows ME. All have Internet Explorer.

How he connects: Dial-up, due to his fairly remote location. Connects to work using a VPN and two-factor authentication. No wireless.

About the family: In addition to basics such as the Web and e-mail, the Lohrmann family uses Microsoft Money and does some online banking and E-Trade transactions.

How he handles backups: Symantec's Norton SystemWorks 2005 software.

Tech Talk
Relies on Norton AntiVirus (part of SystemWorks) along with the free version of ZoneAlarm personal firewall software. The systems are set up to check for automatic updates on these products as well as Microsoft patches.

Uses the spam filter built into his ISP's e-mail.

Runs a spyware removal tool, Spybot Search & Destroy, every two to three weeks.

Doesn't usually use a pop-up blocker; says "they've caused more problems than they've solved."

Uses ISP-blocking software to control his teenagers' Internet use.

Practicals
Encryption: He encrypts some information, including the family's Microsoft Money files, though not nearly as much as he does on his work computer.

Passwords: He encourages family members to use alphanumeric passwords with at least eight characters. This includes special characters for some sites and two-factor authentication for work-related sites.

Web hygiene: Clears out cookies and temporary Internet files every two to three weeks. In general, he turns off cookies, unless he specifically needs them in order to use a particular website. As needed, he customizes his privacy settings to not allow scripts to run.

The rules: "Things at my home are very similar to what we tell employees to do. We inform state employees of cyberrisks through awareness training, and we do block porn and spyware sites with SurfControl. However, we still see violations of our security policy, and we enforce our security policies through HR discipline."
