I wanted to share with the readership some typical Information Technology/Physical Security deficiencies noted on surveys or inspections I've conducted. For obvious reasons, the locations and facilities are not identified. They are shared in the hope they will be of benefit to interested parties visiting infosecuritywatch. Reader comments are most welcome. Installment number one:
Combinations to cipher locks were not changed at least semi-annually or when workers departed the area. Observed at a right angle, you could observe cipher buttons used were slightly depressed. Working with these buttons, in a matter of minutes I was able to unlock doors and gain access to protected areas.
Operational personnel were not always present when I gained entrance to the area.
Operational and file passwords were taped to monitor faces, affixed to desktops, credenzas or cubicle walls.
During daily breaks and lunch periods, HIPAA protected documents were not properly secured in that they were strewn about at workstations, credenzas or atop file cabinets. Operational personnel were not in attendance.
Emergency red colored mushroom switches were not installed at all exits.
Above ceiling area and below raised floor water sensors were not installed in all IT facilities visited.
Automatic fire suppression systems were not installed in all IT facilities visited.
Zoned duress switches were not installed in all IT facilities visited.
IT facilities employing programmers, organic or outsource, writing code were not governed by corporate or IT policies, verbal or written. Examination revealed programming and/or code writing was not always straightforward in that there were instances of individual flair in such coding and/or programming.
First and second echelon supervisors did not inspect product output for presence of unauthorized subroutines.
Written instructions or policies were not given to all employees concerning the use of the internet.
Neither management nor IT supervision established written policies concerning the downloading of software from the internet. Policies or procedures were not established concerning employees bringing software packages into the facility to be used in corporate operations.
Operational personnel interviewed determined they did not know what actions should be taken or to whom to report virus or hacker attacks. Written policies and procedures were silent on these aspects.
NIST approved anti-virus programs were not in place at all facilities visited.
Written policies and procedures were not established for those employees working on corporate projects from their places of residence.
More in the next installment.
Enjoy the day,
Bill