Computerized Information Systems at Plant Genetics Research Labs

Evaluation Objectives

Our objectives were to evaluate:

Physical Security

Computers and their associated wiring should be in areas where only authorized staff have access to them. If janitorial staff have access to the rooms, BIOS and/or screensaver passwords should be used so that physical access to a workstation does not by itself give access to the data on it. (A BIOS password stops casual use of the machine; it does not protect a disk that is removed and read elsewhere, so unattended rooms still need locks.)

Logical Security

User Rights/Responsibilities

Labs should have a well-defined policy on user rights and responsibilities that is communicated to users and acknowledged (signed) by them. Research labs should either develop a standard statement of user rights and responsibilities or refer users to the UW's "Guidelines for Appropriate Use of University of Wisconsin-Madison Information Technology Resources" (http://wiscinfo.doit.wisc.edu/badgirt/policies/appro.html). Periodic reminders should also be issued so that users keep their responsibilities in mind when using computer resources, which should promote better compliance.

Passwords

All passwords should be changed on a periodic basis to limit the time during which a password obtained by an unauthorized user remains useful for accessing the system. In addition, users should not use common or easily guessed passwords (dictionary words, names, keyboard patterns, or a common word with a digit appended), because these are the first candidates a password-cracking tool tries.
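As an added illustration of the two checks above (this is not code from the audit report), the following Python function flags a password that is too short, that matches a small constructed list of common passwords even after the usual "append a digit" trick, or that has not been changed within an assumed 90-day rotation interval. The wordlist, the minimum length and the 90-day limit are assumptions for the example; a real deployment would use a full cracking wordlist and the lab's own policy figures.

```python
"""Password hygiene check: common-password, length and age tests.

Added example, not part of the audit report. COMMON_PASSWORDS, MIN_LENGTH
and MAX_AGE_DAYS are assumed values chosen for illustration.
"""
from datetime import date, timedelta

# Constructed sample of entries found in every cracking wordlist; a real
# check would load a wordlist of hundreds of thousands of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "badger", "wisconsin", "genetics",
}
MIN_LENGTH = 8      # assumed policy value
MAX_AGE_DAYS = 90   # assumed rotation interval


def normalise(password):
    """Lower-case and strip the trailing digits/punctuation users tack on
    to a dictionary word ("Password1", "qwerty!") so the wordlist match
    catches the common variants too."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def password_problems(password, last_changed, today=None):
    """Return a list of policy problems with the password; empty means OK.

    last_changed: date the password was last set.
    today: date to evaluate against (defaults to the real current date).
    """
    today = today or date.today()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("common password")
    age = today - last_changed
    if age > timedelta(days=MAX_AGE_DAYS):
        problems.append("not changed for %d days" % age.days)
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, evaluated as of the audit date.
    audit_day = date(2000, 10, 21)
    for user, pw, changed in [
        ("alice", "Password1", date(2000, 1, 1)),
        ("bob", "qwerty", date(2000, 10, 1)),
        ("carol", "Tr0ub4dor&3", date(2000, 9, 1)),
    ]:
        print(user, password_problems(pw, changed, today=audit_day) or "OK")
```

The normalisation step is the part worth copying: checking the raw string only would pass "Password1" as acceptable, although a cracker tries that variant in its first few seconds.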

Automatic log-offs

Computers should have automatic log-offs after a predetermined idle period or at a set time of day. This prevents open accounts from being left unattended for extended periods, or from being left open when users forget to log off. Users should be advised of the risk and encouraged to configure their computers for automatic log-off and/or password-protected screensavers.

Virus Detection Program

With the use of diskettes and the Internet, the likelihood is high that a virus or other malicious program will be introduced into a computer. It is important that all workstations, especially those holding research data, be protected with a memory-resident virus detection program. As a standard practice, all computers should run such a program, and both the program and its virus definition files should be updated on a regular basis; a scanner with stale definitions gives little protection against viruses released after its last update.

Backup

We have found that users are not fully aware of their responsibilities and may not have adequate backups. It is important that users understand how backups are handled in their lab. In addition, some labs keep their backup media in the same room as the original data, so a single fire, flood or theft could destroy both the original and the backup. Backup media must be stored off-site or in a secured area away from the computer station. Backups should also be verified and test-restored periodically: a backup that has never been restored is not known to be usable.
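The following Python script is an added example (not the audit's or the labs' own procedure) of the backup practice recommended above: it archives a data directory, records a SHA-256 digest of the archive next to it, copies nothing over a network but writes to a second directory that stands in for the off-site location, verifies the copy against the digest, and test-restores it against the originals. The directory names, file contents and the use of a sibling directory as "off-site" storage are assumptions for the demonstration.

```python
"""Backup with integrity manifest and restore test.

Added example, not from the audit report. The 'offsite' directory is an
assumed stand-in for genuinely separate storage; the sample files are
constructed for the demonstration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large archives fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, name="lab-data"):
    """Archive src_dir into dest_dir/<name>.tar.gz and write a .sha256
    manifest beside it. Returns (archive_path, digest)."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / (name + ".tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=name)
    digest = sha256_of(archive)
    Path(str(archive) + ".sha256").write_text("%s  %s\n" % (digest, archive.name))
    return archive, digest


def verify_backup(archive):
    """True if the archive matches its manifest digest and can be listed."""
    archive = Path(archive)
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    if sha256_of(archive) != expected:
        return False          # bit rot, truncation or tampering
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except tarfile.TarError:
        return False


def restore_matches(archive, src_dir, name="lab-data"):
    """Test-restore into a scratch directory and compare every file byte
    for byte with the original tree. True only if everything matches."""
    src_dir = Path(src_dir)
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp)
        restored = Path(tmp) / name
        originals = [p for p in src_dir.rglob("*") if p.is_file()]
        if not originals:
            return False
        for p in originals:
            r = restored / p.relative_to(src_dir)
            if not r.is_file() or r.read_bytes() != p.read_bytes():
                return False
    return True


def demo():
    """Run the whole cycle on constructed data, then corrupt the archive
    and show that verification catches it. Returns a dict of results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "research"
        (src / "plots").mkdir(parents=True)
        (src / "plots" / "trial1.csv").write_text("line,yield\nA1,42\nA2,37\n")  # constructed
        (src / "notes.txt").write_text("constructed sample lab notes\n")         # constructed
        archive, _digest = make_backup(src, Path(tmp) / "offsite")
        result = {
            "verified": verify_backup(archive),
            "restore_ok": restore_matches(archive, src),
        }
        with open(archive, "ab") as f:   # simulate media corruption
            f.write(b"\0")
        result["verified_after_tamper"] = verify_backup(archive)
        return result


if __name__ == "__main__":
    print(demo())
```

Keeping the digest in a separate file beside the archive lets the off-site copy be checked without the original machine; storing a second copy of the manifest with the lab's records makes it possible to detect an archive that was silently replaced as well as one that decayed.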

Software Copyright Monitoring and Compliance

Software inventories and licensing must be verified on a periodic basis to make sure the department has enough registered copies of each program in use. A department must maintain a record of all software purchases (requisition, original media, etc.). A usage-monitoring program or memory-resident monitoring program can be used to detect and avoid copyright violations.

Business Continuation Plan

This plan should be in writing so that it is available in an emergency. Training in the execution of the plan should be part of the plan itself and should be practised. We recommend establishing a business continuation plan and training employees in its execution.

(Jerry Lange, Internal Audit, "Computerized Information Systems at Plant Genetics Research Labs", 10/21/00)

© 1999 The Board of Regents of the University of Wisconsin System