it.ucsf.edu

Physical security

Policy Type

Best Practice

Stop the most common method of information theft

Overview

Many information security breaches do not occur through the Internet but because the device containing information is misplaced, lost, or stolen.

Building Security

Areas that are accessible to anyone should not contain personal, confidential, or Protected Health Information, or computers that can be easily carried away. Offices and cabinets should be locked when staff are not present. Alert your supervisor, a security officer, or Campus Police if you see people who are not authorized to be in a secure or restricted area.

If circumstances require that computers be left in areas accessible to anyone, then other security measures can be used, including:

  1. Desktop locking (MUST be enabled)
  2. Computer restraints
  3. Security personnel
  4. Locking cabinets

Computer Restraints (locking devices)

Restraining or locking a computer down to its location makes it very difficult for someone to take it and easily stops crimes of opportunity. Several commercial solutions are available to secure laptops, projectors, desktops, servers, etc. The most common type uses a strong metal cable that passes through the laptop's security slot (K-Slot) and locks in place. Another type uses adhesive plates that attach to the computer; a strong metal cable is threaded through the plates and then locked to a fixed or heavy object. Computers can also be locked inside cabinets or behind doors to prevent physical tampering.

One of these methods should be employed with all mobile devices, like laptops, whenever they are left unattended in office buildings, dorm rooms, libraries, etc.

Who's looking at the monitor? Who's watching what's typed on the keyboard?

"Shoulder surfing" is when someone gathers information by watching what is typed on a keyboard, what appears on a computer screen, or by reading paperwork left out in the open. By looking over a person's shoulder, or by using binoculars in crowded areas like mass transit, coffee shops, or classrooms, an unauthorized person can gain access to the same information as if they were sitting at the computer themselves. If you can see it, so can they.

Use these tips to help prevent "shoulder surfing":

  1. If possible, don't work with restricted, personal, confidential, or Protected Health Information in public places.
  2. Use a privacy screen filter. Only the person sitting directly behind the screen can read it.
  3. DO NOT leave sensitive paperwork out where others can see it.
  4. Log off, lock the desktop, or set a screensaver to activate when the computer is not in use.
  5. Do not put computer monitors near windows where a passerby can see them.
  6. Cup your hands when typing your password; this makes it more difficult for someone to see which keys are being pressed.

Mobile devices

Many highly publicized information security breaches are the result of the loss or theft of a mobile device. Not only is this embarrassing, but many people are put at risk of becoming victims of identity theft. Special care must be taken with mobile devices, as their size, cost, and ease of portability make them attractive targets for thieves.

Storage devices and media

Storage media are one of the weakest links in information security because they can hold so much information and are physically small. The microSD flash media format, for example, is extremely small yet has a large storage capacity. Any storage device that contains personal, confidential, or Protected Health Information must be encrypted.

Information is often backed up to CD-ROMs, tape drives, flash drives, or other types of removable media. These backups should be stored in secure locations, either on-site or off-site. If adequate physical security cannot be provided, then the information must be encrypted.

Special care must be taken to prevent unauthorized access to information when disposing of storage devices or media. Contact your CSC or department for proper disposal procedures.