
Guideline

Physical Security Guidelines

Stop the most common method of information theft

Many information security breaches do not occur through the Internet but because the device containing information is misplaced, lost or stolen.

Building security

Areas that are accessible to anyone should not contain personal, confidential or Protected Health Information, or computers that can be easily carried away. Offices and cabinets should be locked when staff are not present. Alert your supervisor, a security officer or Campus Police if you see people who are not authorized to be in a secure or restricted area.

If circumstances require that computers be left in areas accessible to anyone, then other security measures can be used, including:

  1. Desktop locking (MUST be enabled)
  2. Computer restraints
  3. Security personnel
  4. Locking cabinets

Computer restraints (locking devices)

Restraining or locking a computer down to its location makes it very difficult for someone to take it and easily stops crimes of opportunity. Several commercial solutions are available to secure laptops, projectors, desktops, servers, and other valuable items.

The most common type incorporates a strong metal cable that passes through the laptop security slot or K-Slot and locks. Another type uses adhesive plates that attach to a computer, through which a strong metal cable is threaded and then locked to a fixed or heavy object. Computers can also be locked inside cabinets or behind doors to prevent physical tampering.

One of these methods should be employed with all mobile devices, such as laptops, whenever they are left unattended in office buildings, dorm rooms, libraries, or any such location.

Who's looking at the monitor? Who's watching what's typed on the keyboard?

"Shoulder surfing" is when someone gathers information by watching what is typed on a keyboard, what appears on a computer screen, or by reading paperwork that's left out. By looking over a person's shoulder or using binoculars in crowded areas like mass transit, coffee shops or classrooms, unauthorized persons can gain access just as if they were sitting at the computer themselves. If you can see it, so can they.

Use these tips to help prevent "shoulder surfing":

  1. If possible, don't work in public places with restricted, personal, confidential or Protected Health Information.
  2. Use a privacy screen filter. Only the person sitting directly in front of the screen can read it.
  3. DO NOT leave sensitive paperwork out where others can see it.
  4. Log off, lock the desktop or set a screensaver to activate when the computer is not in use.
  5. Do not put computer monitors near windows where passersby can see them.
  6. Cup your hands when typing your password; this makes it more difficult for someone to see which keys are being pressed.

Mobile devices

Many highly publicized information security breaches are the result of the loss or theft of a mobile device. Not only is this embarrassing, but it puts many people at risk of being victims of identity theft. Special care must be taken with mobile devices, since their size, cost and ease of portability make them attractive targets for thieves.

Storage devices and media

Storage media are among the weakest links in information security, because they are small and can hold so much information. The microSD flash media format, for example, is extremely small and has lots of storage space. Any storage device that contains personal, confidential or Protected Health Information must be encrypted.

Information is often backed up to CD-ROMs, tape drives, flash drives or other types of removable media. These backups should be stored in secure locations on-site or off-site. If adequate physical security cannot be provided, then the information must be encrypted.

Special considerations must be made to prevent unauthorized access to information when disposing of storage devices or media. Contact your CSC or department for proper disposal.