Project 394 Develop and document policies and procedures for physical security.

"Develop and document policies and procedures for physical security. This covers: scanning open area machines for key loggers; logging out from open area machines when leaving for a long period; screenlock hygiene; checking security/access exam prep machines; procedures for kit leaving control of School; using Dell “keep disk” option; wiping data before disposing of any kit; putting in place procedures for stolen/lost kit; quarantine and check returned kit; redundant machines decommissioned promptly; physically padlock machines in public areas."

Hardware security of open area desktops;

Desktops in the open areas in the Forum are now padlocked shut. The Front Line Support staff have been instructed to check each machine for any unusual devices attached to the machines every morning in the support area. The support staff have been instructed not to leave themselves logged in overnight.

Keylogging;

With the exception of the open area machines in 2.07, we do not actively look for physical keyloggers. I asked IS, Physics, and Engineering: IS don't do it, Physics do periodic visual inspections, and Engineering have not responded so far.

Suggestions: periodic visual inspection of all the labs, a message on the login screen encouraging the students to check, and posters in the labs.

Screenlocks;

Screenlocks are deemed trustworthy on DICE machines.

For self-managed machines, the owners are pointed at https://computing.help.inf.ed.ac.uk/self-managed-policy

For MDP machines, the current settings used by the Windows 10 managed desktop vary according to function and type of machine.

For staff desktop machines the Windows default setting (15 minutes idle) is left as is, and the requirement to re-enter the password is specifically set on. The user can change the length of that timeout.

Laptops by default blank the screen after 5 minutes on battery or 10 minutes on power; this also requires the password to be re-entered. The requirement to re-enter the password is not user overridable.

For lab machines it ranges from to screen locking for kiosks, labs and cafes default to 15 minutes but that can be customised by lab admin. Quick use machines auto-logout after 15 minutes, so it is not relevant, and training machines default to 45 minutes.

Exam prep machines;

There are 2 desktops in room AT-6.06. This room is locked when it is not occupied. Both machines are padlocked shut and are attached to the desk with Belkin cables.

Equipment leaving the school;

Policy required

Keep disk;

Change in procurement, only for DICE. Data Management Plans. Policy required.

Wiping data from kit to be disposed of/given to charity;

I propose the following policy;

For hardware going to charity (e.g. ReMade) the disks are removed beforehand, put in a box and sent to CCL for destruction.

For hardware going to CCL; DICE/MDP - leave the disks in situ and trust CCL to destroy them.

Self-managed - instruct the users to wipe the data BEFORE they leave/return the kit. This should form part of the instructions that we send out to folk when we are told that they are leaving.

Servers - the disks should be wiped BEFORE the server is put into B.03 - this applies to all servers, DICE and self-managed.

Questions: Do we refuse to take back unwiped self-managed desktops/servers until they are wiped?

Should we allow users to have access to the disk wiping station - should this be moved to the Forum?

What do we do with wiped disks from servers - do we trust CCL or do we continue to take them there?

https://wiki.inf.ed.ac.uk/DICE/DecommissioningMachinesAndDrives

Stolen/Lost hardware;

This needs a policy written and cleared by management.

meta points: Identify data

Report? To HOS and ICO

Was data encrypted?

Returned working equipment;

I suggest the following policy with input from the links below.

When a desktop is returned to 2.09 it should be reinstalled before being reissued. This applies to all platforms.

https://wiki.inf.ed.ac.uk/DICE/DecommissioningMachines

https://wiki.inf.ed.ac.uk/DICE/DeletingLcfgProfiles

Sustainable IT policy - we need clear direction on how to manage this.

Management of returned laptops, in particular; where do we store them, who reinstalls them, who decides who should be given them. Policy needed.

WEEE recycling;

Procedure; https://www.ed.ac.uk/procurement/sustainableprocurement/weee

Encryption.

Procedure; https://computing.help.inf.ed.ac.uk/data-security

-- CarolDow - 19 Feb 2020

Topic revision: r8 - 20 Feb 2020 - 15:33:27 - CarolDow