Requirements and procedures are in support of governing Columbia University IT Policies and CUIMC Information Security Procedures.
Overview
Maintaining the physical security of electronic devices that store, access or transmit institutional data is as important as encryption and password protection, if not more so. Many systems temporarily store or "cache" at least some of the information that was accessed, and most are set to save confidential information on the device itself, including emails and their attachments. Files that were deleted from the device may still be retrieved if proper, thorough data wiping is not performed.
Equipment including computers, smartphones, USB keys and even printers or faxes that is left open to physical access by unauthorized persons is at risk. This is true whether equipment was stolen, lost, thrown or given away or simply left unattended. Given enough time, any device can be broken into; securing it physically is the best way to prevent this from happening.
Requirements
- Equipment must be physically secured - see below for full information on this requirement.
- Devices and media including laptops, phones, tablets, USB keys, disks, portable drives and tapes with sensitive data must be properly encrypted.
- Sanitize all systems before reusing, disposing of or donating them.
- Report suspected or confirmed compromise of protected electronic data.
Equipment Must Be Physically Secured
The following requirements apply specifically to methods for physically securing IT equipment. Remember that Computer Use requirements such as implementing good passwords, logging out of programs/systems and encrypting data also apply and help with further securing information if someone is able to physically access the equipment.
- Never leave unsecured equipment unattended
This is particularly important for portable devices including laptops, smartphones, tablets, USB keys, and external drives. Do not leave these out where they are visible and appear to be easy targets for theft (e.g. a cafe, conference room, study area, parked car, etc.).
When equipment must be left unattended in a room, lock the door if possible or put any removable devices in a locked drawer or cabinet.
- Do not assume physical security in swipe access protected locations
Systems that are in a common, public or open area (e.g. conference rooms, reception areas, etc.) should be locked down with a cable or similar security device to prevent theft.
Additional Guidelines
The following methods are strongly recommended for all owners and users of computing equipment.
Safeguarding Equipment
- Have portable equipment engraved by and registered with the Department of Public Safety, and install security software such as PhoneHome to assist with locating a lost or stolen device. Other services for crime prevention are available as well.
IMPORTANT: having a computer engraved may void its warranty. If so, request that a sticker be used instead of engraving when contacting Public Safety.
- Be suspicious of anyone you do not know attempting to use equipment in your area. Do not be too shy to ask for ID or other information to verify that they have approval for its use, though do use common sense and ask for assistance from a Security officer first if the person or situation appears unsafe.
- Report suspicious activity to a supervisor and/or the Department of Public Safety.
Preventing Unintentional Physical Damage
Events ranging from natural catastrophes to spilling liquid or dropping a device can cause costly, time-consuming damage. Aside from making sure that your data is routinely backed up so that you can easily access or restore it when necessary, both the device and backup medium(s) should be adequately protected against accidents.
- Always use a surge protector with a circuit breaker, especially with components that store data.
- Portable devices including laptops, smartphones and tablets should be transported in a protective cover or sleeve. Check the manufacturer's recommendations for this type of physical protection.
- Make sure that data backups are stored in a secure, off-campus location in the event that access to the campus is restricted. CUIMC IT managed network drives and OneDrive for Business meet this recommendation.