General and Physical Security

Alec Strauss (no kin to Levi, unfortunately) looked around the room. He felt a sick emptiness spread through his stomach, matching the bare desktops all around the lab. Every workstation was gone. The thieves had even taken the power cords and surge suppressors. They were thorough. He'd give them that.

Wondering where it would all lead, he went back to his office and dialed the city manager's office, according to the city's policy. He wondered how many training classes he'd have to cancel before any new equipment arrived.

This section recommends the development of various planning documents that help a library understand the fiscal and service requirements of maintaining network infrastructure and network-based services. For tiny libraries, the cost of maintaining and eventually replacing system components is very high. Having a written plan indicates the library is aware of the financial challenges that threaten to wreck its network-based services. The planning documents also include backing up data and making staff and patrons aware of their responsibilities in using network resources.

This section also suggests areas of staff training to prevent a process formally called social engineering. This phrase describes a ploy where an unauthorized person contacts a library staff member (usually over the phone) and pretends to be someone official: a technician with a company that provides technical support of the network, someone from the phone company, or a representative of another vendor. The attacker tries to gain sensitive information, such as usernames or passwords, to be used later to break into the network.

General Security

Budget plan and budget line items for equipment replacement

Computer equipment (servers, workstations, network devices) must be replaced or upgraded within reasonable timeframes to keep the network functional. So the library must address the issue of equipment replacement. In many cases, upgrading memory or adding a hard drive can prolong a computer's life. However, once a workstation gets to be four to five years old, its processing power diminishes in relation to the requirements of newer software. At some point upgrades are no longer practical. In a tiny library with four to six public access workstations and a staff workstation or two, replacing workstations even just every five years may place a severe burden on resources. To illustrate the costs involved, I have included sample budgets in Part III.

Proper forecasting of future equipment costs is imperative. A budget plan is a document in which the library director and board have made an effort to identify (through a three-to-five-year budget) all of the cost factors associated with computer and network technology in the library. The budget plans will take into consideration these costs:

  • Annual maintenance and repair of computer equipment

  • Annual maintenance of network configuration, administration, and maintenance and repair of network devices

  • Annual operational costs for the network

  • Periodic replacement of computer equipment

The budget plan may also include specific levels of funding from various potential sources, such as the local budget, local and regional fundraising, grants, donations, and others. A well-developed budget plan will help the library forecast current fiscal year costs and prepare budgets for future grant applications.

Data Backup Plan

To properly protect the data created, used, and transmitted over a computer network, a backup plan is needed. (Note: I use the word backup here in a general sense, so it can include the process of creating a disk image and copying it to an alternative location, also known as "ghosting," as well as the traditional procedure using a tape drive.) A backup plan is simply a document describing how data created and used in the library will be protected. The plan describes these concepts:

  • How often each workstation hard drive (staff and/or public) needs to be backed up

  • How often each server hard drive needs to be backed up

  • The backup process: medium used (tape, CD-RW, network hard drive), schedule, and person responsible for management

  • Rotation of backup media

  • Security of backup media

  • Response process in the event of equipment failure, damage, or data loss: how data will be restored

Securing Use of Network Services

There are three main aspects of network services that need to be secured in a public environment:

  • Data (integrity and availability)

  • Privacy (patron transactions and use)

  • Equipment (physical availability)

In order to review and analyze the library's need to implement specific measures to protect these aspects of network services, additional administrative documents need to be developed. The Network Security Checklist specifies the following required documents as part of securing network-based services in our libraries:

  • Security Policy: as described in Chapter 2, an overarching document describing the various rights and responsibilities of all users of the network: staff, patrons, and contracted vendor reps

  • Acceptable Use Policy (AUP): developed for patrons and staff; includes consequences of misuse of equipment or services

  • Security Plan: describes the decisions made by administrative staff related to security configurations of all network equipment and software. The security plan should document the decisions made in determining which security measures are appropriate for implementation in the library.

Securing Sensitive Information

One of the most important components of network security is having staff that is knowledgeable in proper procedure. Staff should be told when maintenance personnel or contract technicians will be onsite to work on the network. Staff should be trained in the proper formation and use of passwords. Staff should be trained to be suspicious of callers requesting information over the phone about the network. Here are several training items necessary for good network security:

  • Train staff not to reveal system passwords to anyone other than specified contracted technicians having prior authorization

  • Train staff not to allow anyone access to systems and network equipment without prior authorization

  • Require companies performing maintenance/configuration to sign a disclosure agreement: to disclose all configuration parameters (especially passwords) to designated library staff and not to disclose library network configuration information to any third party without prior authorization

Any written or verbal contract with a network services vendor must include a requirement that all passwords created for network resources be provided to the library director. Documentation, especially of router and firewall configurations, must also be provided in electronic or print form. The contract should also restrict the vendor's disclosure of that information to any third party without prior approval of the library.

Physical Security

In businesses, most of the physical components of a network are housed in a separate room, which may be called a computer room, telecom closet, data center, or other descriptive term. The room is locked and accessible only by authorized personnel. This physical isolation protects much of the equipment from unintended access and from electrical anomaly. However, libraries seldom have the luxury of such accommodations. Therefore, special attention must be paid to the following areas of physical security.

Isolating access to equipment

Momentary access by an unauthorized person may result in lost data, altered data, altered equipment configurations (having a wide variety of negative results), physical damage or theft of equipment, or even the disclosure of private information. Here are some recommended physical security measures for public libraries:

  • Dead bolt locks installed on all building entrances/exits

  • All servers and network equipment housed in a staff-only area, preferably locked (alternatively, in a locked equipment cabinet)

  • Data cables/data jacks (public areas) secured from patron access, if possible

Installing dead bolt locks on all entrances/exits is essential in providing simple protection of expensive equipment. It creates one more small fence a thief has to climb. Putting the network equipment in a room locked during business hours will prevent casual access to the equipment by the public. In the event that network equipment must be housed in a publicly-accessible area of the library, putting the equipment in a locked equipment cabinet provides the same protection, along with protection against minor mischief (like unplugging network cables) and small component theft.

Isolating access to disks and tapes

Whereas items in the previous section protect access to equipment, these items are required to secure access to critical system data files.

  • Locked storage for backup media, system recovery disks/CDs, and Emergency Repair Disks

  • Rotate one backup set offsite regularly and store in a secure location

  • Store backup of router, firewall configuration file, if applicable, in a secure location

  • Keys used in securing equipment or media are stored in a controlled location

Backup tapes or other media need to be stored in locked cabinets or boxes. The same is true for any system recovery disks/CDs supplied by the manufacturer, Emergency Repair Disks created after a Windows NT/2000 system is installed or re-configured, and any configuration files for router and firewall equipment.

Both backup media and recovery disks usually contain data that, if accessed by a malicious person, could result in the compromise of your network. For example, backup tapes and recovery disks may contain a copy of a network server's password file, and if an attacker obtains a copy of this file, he may be able to crack the Administrator's password and break into the network at will. All he needs is to "borrow" the media overnight.

Access to the keys for the locked storage containers or cabinets obviously must be controlled as well. The library director and one assistant (usually the person specifically assigned to maintain network security) should know the location of the keys so that only authorized users have access to the media.

Protection from Electrical Problems

Besides theft and unauthorized physical access, damage or corruption of data due to electrical problems may be the second greatest danger to a library's computer and network equipment. The following checklist items are required; they provide a minimum level of protection against electrical surges, and even lightning strikes:

  • Electrical system inspection for adequate building power capacity, breaker box, and independently grounded electrical circuits (dedicated circuits suggested for PCs; ground suggested for equipment racks)

  • All workstation power cords connected to surge protectors meeting UL1449 330V standard

  • All server and network equipment power cords connected to UPS(es), with surge suppression meeting UL1449 330V standard

  • All modems physically connected to phone lines are surge protected

  • Outlets on dedicated circuits are colored fluorescent orange

Before adding more computer equipment to your library, it is important to have an electrical inspection performed. In the inspection, the electrician will ensure that the building's power infrastructure is adequate and appropriate for computer use. Installing different colored plugs for dedicated outlets provides an easy means of identification so library staff can be trained not to plug other electrical devices (copiers, vacuum cleaners, and others) into outlets designated for computers.

Miscellaneous Items

  • Serial numbers and physical asset numbers (if applicable) are recorded for all workstations, servers, and network equipment

  • Insurance coverage against damage or theft

These items just make good sense. Be sure to record the serial numbers for all computer and network equipment. Serial numbers may be needed when repairing equipment or to identify equipment in the unhappy event of a theft. Asset numbers are used by many governmental and business organizations as tracking numbers and ownership stamps. Make sure these are recorded as well.

If possible, protect your equipment against theft or damage, either electrical or physical, by insuring it. Any insurance policy for computer or network equipment should specify replacement value, rather than fair market value, in its terms and provide coverage for electrical or accidental damage. It is also a good idea for insurance purposes to make a digital photograph or video recording of the equipment, including the area where the serial number and asset tag are located.

 

Page last modified: March 2, 2011