Educause Security Discussion mailing list archives

Re: Physical Location Security of IT Staff


From: Donald J Westlight <westligh () OHSU EDU>
Date: Wed, 8 Feb 2006 09:13:25 -0800

smithd6 () OHIODOMINICAN EDU 02/08/06 5:59 AM >>>
I am looking for information to support my position that our IT staff need to be physically located in a secured space 
(i.e., no public access to area).


Hello Dena,

Things to look for online include "Sarbanes-Oxley" and "Physical Security" (e.g. NIST 800 series documents, etc.)


In general people don't like to talk about this publicly as nobody likes to admit that problems have occurred.  

The main reasons to object to sharing physical (unsecured) space are:
* ensuring confidentiality of personal information 
* costs of stolen equipment, materials, and related productivity losses
* in an insecure space, physical security requirements (desks and workbenches) prevent actual work from occurring
* noise (groups with different workflow often irritate each other in close quarters: that "noise" is actually work 
occurring)

We had a problem with theft at my previous workplace and ended up putting our supplies in a cage and locking our office 
suites.  The IT offices had been unlocked and at times we were pretty sparse as many of us worked in the field or the 
machine rooms.   It was not uncommon to find people in our offices "borrowing" parts or equipment.  Unattended desks 
are very tempting especially when one group feels entitled to the resources of the second group... Sound like anybody 
you know?

IT people routinely leave data, software distribution materials, network switches, servers, desktop computers, laptops, 
PDAs, expensive cell phones, projectors, and all manner of cables and connectors sitting on workbenches, desks, and 
accessible shelves.  Making the IT people keep everything under wraps is a productivity inhibitor.  (It can help to 
have individually lockable offices and the discipline to keep them closed even for five minute absences, but in practice 
nobody likes to live this way...)

The theft was measurable in terms of our overall operations budget:

Minor Equipment - Theft:  $XX,000

It is important to be accessible to the customers, but it is essential that the customers and public not walk off with our 
materials.  It isn't just about the money... "Hmmm... I was just working on that... I guess I'll have to order another 
one and have that for you in several weeks..."

Here at ohsu.edu all of our IT staff are behind cardlock and it simplifies a great deal.


In closing, if you can retain accountability, you'll be OK.  This gets harder as things scale big.  How do you really 
know who swiped the ten laptops if it could have been any one of 350 staff?  If people can walk in off the street, 
you've got a problem.


-Don Westlight
Network Engineering Manager
OHSU.EDU
