

 
 

4   Physical Security Policies & Procedures
 


This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.

 




          The following materials were adapted primarily from the NCES Safeguarding Your Technology document. For more detailed information on this topic, and for a Physical Security Checklist, see Safeguarding Chapter 5 at http://nces.ed.gov/pubs98/safetech/chapter5.html [28].

 

4.1 General Physical Security:  Physical security is an essential part of a security plan.  It forms the basis for all other security efforts, including data security.

"Physical security refers to the protection of building sites and equipment (and all other information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders." [NCES, p. 55]

        

Providing this security requires balancing the resources needed against the resources the institution can afford. First, use the risk assessment process identified in Chapter 3 to identify the organization's vulnerabilities. Then use the list of vulnerabilities to prioritize the resources needed. Every improvement that addresses an identified vulnerability will generally make the system more secure than it was before. Enhance the system to the extent possible, and keep a list of improvements still needed.
 
 
4.2.1 Don't arouse unnecessary interest in secure areas -- minimize use of location signs.

4.2.2 Maximize structural protection. Secured rooms should have full-height walls and fireproof ceilings.

4.2.3 Minimize external access. Secure rooms should only have one or two solid, fireproof, and lockable doors. The doors should be observable by security staff. Doors to secure areas should never be left open. Windows should be small and have locks.

4.2.4 Maintain appropriate locks. Keep doors locked when room is not in use. Maintain secure system for keys and combinations. If there is a breach, each compromised lock should be changed.

4.2.5 Alternative physical security strategies. When appropriate, consider the use of window bars, anti-theft cabling (with alarm when cable is disconnected from system), magnetic key cards, and motion detectors.

4.2.6 Be prepared for fire emergencies with appropriate automatic non-water firefighting equipment, and provide appropriate staff training in its use.

4.2.7 Maintain reasonable climate control in secured rooms, with temperature ranges between 50 and 80 degrees Fahrenheit, with a humidity range of 20 - 80%.

4.2.8 Minimize nonessential materials that could jeopardize a secure room. Examples of nonessential items include: coffee, food, cigarettes, curtains, reams of paper, and other flammables.

4.2.9 Dispose of confidential waste carefully and adequately to maintain confidentiality.

4.2.10 Label confidential information appropriately and ensure suitable security procedures from common carriers when shipping or receiving confidential information.


4.3  Equipment Security

4.3.1 Keep critical systems separate from general systems.

4.3.2 Store computer equipment in places that cannot be seen or reached from windows and doors, and away from radiators, heating vents, air conditioners, or other work. Workstations that do not routinely display sensitive information should be stored in open, visible spaces to prevent covert use.

4.3.3 Protect cabling, plugs, and other wires from foot traffic.

4.3.4 Keep a secure inventory of equipment and peripheral equipment, with up-to-date logs of manufacturers, models,  and serial numbers.  Consider videotaping the equipment for insurance purposes.

4.3.5 Specific Laptop Security Procedures

4.3.5.1  Lock laptops in secure cabinet when not in use.

4.3.5.2  Secure laptops to desks with cables when unattended.

4.3.5.3  Provide and use laptop cover locks.

4.3.6 Log off and lock computers when the operator is not in the vicinity of the computer.

4.3.7 Use a virus scanner on all computers at all times. Establish a regular schedule for update of virus lists.

4.3.8 Assign printers to users with similar security clearance levels.

4.4   Equipment  Usage

4.4.1 Laptop Usage

4.4.1.1 The primary IASEP purpose for using the laptops is for testing children and writing reports.

4.4.1.2 Establish a procedure for how peripherals and software applications are to be used on the laptop.

4.4.1.3 Establish procedures for laptop sharing. Each user should have a separate password.

4.4.1.4 Establish a procedure for the use of laptops at home or other locations.

4.4.2 Other hardware will be accompanied by applicable usage and access requirements.

4.4.3 Establish a system to limit and monitor access to equipment areas.

4.4.4 Establish a procedure for storing laptops offsite. They should not be placed in car trunks overnight, in cars in extreme heat or cold, or in places where they can be damaged by other moving equipment, such as car jacks.

4.5  Designated Anti-virus Programs will be used at all times. Programs will be enabled at all times and virus lists will be updated on a designated schedule.

 

4.6   Equipment Maintenance

4.6.1 Consider the use of maintenance contracts. Keep equipment information, contact and tech support numbers readily available at the computers.

4.6.2 When computers containing sensitive information are being maintained or repaired, be sure that sensitive data is properly passworded, encrypted, or removed from the computer before maintenance or repair.

4.6.3  Laptop maintenance

4.6.3.1   Identify a method of problem detection and reporting.

4.6.3.2  Establish a schedule for regular computer maintenance and establish a mechanism to contact the Technology department for maintenance.

4.6.3.3   Provide spare equipment for use when laptops are being repaired or maintained.

4.7 Equipment labeling. Identify all equipment in overt and covert ways to make unauthorized tampering or use difficult.

4.8  System Backup

4.8.1 Procedure to be used to back up system information and applications.

4.8.1.1 Establish a procedure and schedule of system backup.

4.8.1.2  Establish overall system backup responsibilities and assign them. 

4.8.1.3  Individuals who use the computers should also have backup responsibilities. 

4.8.1.4 Use a rotation of media (using different disks at each backup and rotating every  days or weeks).

4.8.1.5 Both onsite and offsite backup storage should be considered and used.

4.9   Regulate power supplies to the extent possible.

4.9.1 Prepare for electrical power fluctuations by using surge suppressors or electrical power filters and using uninterruptible power sources to serve as auxiliary electrical supplies as backup to critical systems.

4.9.2 Design electrical systems to better withstand fires, floods, and other disasters.

4.9.3 Ensure distributed use of outlets by all equipment. 

4.9.4 Use anti-static carpeting and pads, and use anti-static sprays whenever possible. 

4.10  Addition of new users to the system.

 When new users are added to the system, they will receive and acknowledge receipt of policies related to the use of equipment and accompanying software.




Draft 5-21-00  v3

Updated 10/23/00.

Copyright © 1999 - 2000  Purdue Research Foundation, Inc.  All Rights Reserved.
