5.0 Hardware Security

  1. Procurement and Installation
  2. Security Features
  3. Hardware Maintenance and Support
  4. Support Facilities


5.1 Procurement and Installation

  1. To detect and prevent systems from being infected by computer viruses, all newly acquired hardware, or hardware returned from maintenance, should be scanned for the existence of viruses before installation.

  2. All hardware should be installed in strict accordance with the manufacturer's specifications.


5.2 Security Features

  1. Systems should be capable of inhibiting or overprinting the authentication information on the local display (ie. passwords are not displayed).

  2. All essential university information system equipment left powered up and unattended should have an automatic power-down capability, which will respond to environmental conditions outside the specifications detailed by the supplier, eg. over-temperature, over and under voltage, humidity.

  3. Where control keys/buttons are exposed, they should be protected from inadvertent operation, eg. disk drive start/load buttons, write lock buttons, boot buttons.

  4. Systems processing university data using authorised remote terminals, workstations, personal computers or other input/output (I/O) units should:

    a) be capable of uniquely identifying each user or unit by hardware means (eg. smart card); or
    b) use dedicated communications, if the I/O units are contained within secure zones; or
    c) use encryption methods; or
    d) use manual intervention.

  5. Systems should be capable of recognising active communication links with users, so that links can be disconnected in response to recognised incidents or in order to re-configure systems.

  6. The system's protective mechanisms should be checked periodically to ensure they are functioning properly. This could include checking the capability of the system to prevent unauthorised:

    a) access to the system,
    b) access to data resources,
    c) access to residual data,
    d) use of privileged capabilities, and
    e) read/write capability outside allocated memory bounds.

  7. Displays and associated buffers should be cleared when the user is not physically present.

  8. The system should be capable of producing hardware error logs. As a minimum, these logs should contain records of:

    a) machine checks,
    b) instruction or command retries,
    c) data transfer retries,
    d) abnormal environmental conditions,
    e) power fluctuations/failures, and
    f) any other error conditions.

  9. Systems should have the capability of providing an accurate indication of date and time.

  10. The Security and Privacy Officer should be informed whenever a security feature normally used on the system cannot or will not be utilised. This notification should result in explicit instructions regarding the continuance of processing.


5.3 Hardware Maintenance and Support

  1. Hardware equipment should be maintained in a manner consistent with the manufacturer's recommendations.

  2. All hardware equipment maintenance activities should be reviewed annually in order to ensure that the maintenance performed is consistent with that recommended by the manufacturer.

  3. Hardware maintenance personnel working on equipment processing university data, or working in areas where access to such data is possible, should be supervised by a knowledgeable employee or other person who is responsible to the university and understands the implications of the actions taken.

  4. Where equipment maintenance requires the exchange or release of components (tapes, disks, diskettes, memory, EPROMS) which may contain university data, those components should not be released to the vendor unless the data has been rendered unintelligible by means of erasure or encryption techniques. Where these methods cannot be used, the equipment should be disposed of in a secure manner.

    Note: Data must be completely obliterated (eg. reformatting of diskettes or hard drives). Simple erasure techniques that leave data recoverable using software utilities are not adequate.

  5. The university should take all reasonable precautions to ensure that university data maintained on the system is not compromised through the use of remote diagnostic access.

  6. Where equipment is to be removed from the premises on a temporary basis, control procedures should be established and include:

    a) the approval authority,
    b) the identity of the borrower,
    c) the equipment identification including a listing of all hardware, software, and other devices (eg. modems, PCMCIA cards, etc.),
    d) a signed acknowledgment of acceptance and return of equipment,
    e) a requirement to sanitise the equipment before and after the loan period, and
    f) virus checking.

  7. A contact list identifying support personnel, field service personnel, software services personnel, data communications vendors and telecom carriers should be maintained.


5.4 Support Facilities

  1. Alternate power sources should be available for hardware and other equipment deemed essential for operations.

  2. System input power should be checked at least annually to ensure it meets the manufacturer's specifications.

  3. System grounding should be checked at least annually to ensure it meets the manufacturer's specifications.

  4. Where an uninterruptible power supply (UPS) is used, all hardware devices required for continued operation should be powered through the UPS, eg. remote terminal servers, remote printers, air conditioning for hardware operation, heating for cooling tower, lights. Emergency environmental facilities in the support and user areas should also be considered.

    The UPS should shut off power to the system (file server, workstation, PC or minicomputer) in the event of fire or conditions exceeding specified environmental requirements.

  5. A power surge suppressor should be installed in areas that have a history of frequent significant power fluctuations.

  6. Where static electricity may affect the integrity and reliability of the data and programs processed and stored on the equipment, anti-static devices should be installed.

  7. All hardware should be scanned for viruses on a routine basis (ie. each time the system/PC is powered on).


Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee