Educause Security Discussion mailing list archives
Re: Physical Location Security of IT Staff
From: Donald J Westlight <westligh () OHSU EDU>
Date: Wed, 8 Feb 2006 09:13:25 -0800
smithd6 () OHIODOMINICAN EDU 02/08/06 5:59 AM >>>I am looking for information to support my position that our IT staff need to be physically located in a secured space (ie. no public access to area).
Hello Dena, Things to look for online include "Sarbanes-Oxley" and "Physical Security" (e.g. NIST 800 series documents, etc.) In general people don't like to talk about this publicly as nobody likes to admit that problems have occurred. The main reasons to object to sharing physical (unsecured) space are: * ensuring confidentiality of personal information * costs of stolen equipment, materials, and related productivity losses * in an insecure space, physical security requirements (desks and workbenches) prevent actual work from occurring * noise (groups with different workflow often irritate eachother in close quarters: that "noise" is actually work occuring) We had a problem with theft at my previous workplace and ended up putting our supplies in a cage and locking our office suites. The IT offices had been unlocked and at times we were pretty sparse as many of us worked in the field or the machine rooms. It was not uncommon to find people in our offices "borrowing" parts or equipment. Unattended desks are very tempting especially when one group feels entitled to the resources of the second group... Sound like anybody you know? IT people routinely leave data, software distribution materials, network switches, servers, desktop computers, laptops, PDAs, expensive cell phones, projectors, and all manner of cables and connectors sitting on workbenches, desks, and accessible shelves. Making the IT people keep everything under wraps is a productivity inhibitor. (It can help to have individually lockable offices and the dicipline to keep them closed even for five minute absenses, but in practice nobody likes to live this way...) The theft was measurable in terms of our overall operations budget: Minor Equipment - Theft: $XX,000 It is important to be accessible to the customers, but is essential that the customers and public not walk off with our materials. It isn't just about the money... "Hmmm... I was just working on that... I guess I'll have to order another one and have that for you in several weeks..." Here at ohsu.edu all of our IT staff are behind cardlock and it simplifies a great deal. In closing, if you can retain accountability, you'll be OK. This gets harder as things scale big. How do you really know who swiped the ten laptops if it could have been any one of 350 staff? If people can walk in off the street, you've got a problem. -Don Westlight Network Engineering Manager OHSU.EDU
Current thread:
- Physical Location Security of IT Staff Smith, Dena (Feb 08)
- <Possible follow-ups>
- Re: Physical Location Security of IT Staff Donald J Westlight (Feb 08)
- Re: Physical Location Security of IT Staff Gary Flynn (Feb 08)
- Re: Physical Location Security of IT Staff Joel Rosenblatt (Feb 08)