Personal Computer Security Guidelines

March 1993


Introduction

This booklet, developed by the Information Security Working Group, describes important personal computer security procedures and policies. Because the number and types of functions personal computers perform is increasing rapidly, in many cases they now require the same security measures as large computer systems in University computation centers. Many of the security practices formerly performed only by computation centers are now the responsibility of personal computer users. It is important that people who use computers be responsible for the way resources are accessed and used. The degree of security appropriate will depend on whether the computer is owned and used by an individual or is part of a local area network managed by a department. In all decisions about security, control and costs should be balanced by the risk and security exposure.


Hardware Security

1. Lock offices. Office keys should be registered and monitored to ensure they are returned when the owner leaves the University.

2. Secure personal computers in public areas. Equipment located in publicly accessible areas or rooms that cannot be locked should be fastened down by a cable lock system or enclosed in a lockable computer equipment unit or case.

3. Secure hard disks. External hard disks should be secured against access, tampering, or removal.

4. Secure data and software. Systems containing ensitive data need extra protection. For example, some systems:

5. Mark personal computers clearly with the name of the owner.

6. Register personal computers and related equipment with the Harvard University Police.

7. Locate away from environmental hazards.

8. Store critical media in fireproof vaults (where appropriate).


Access Security

1. Install software security packages that use passwords to ensure only authorized users have access.

2. Password guidelines:

3. Use password control capabilities that are part of many data base management packages.

4. Periodically review overall access controls to determine weaknesses.

Important Note: Take special care when choosing passwords for applications with access to extraordinary system capabilities (for example, the ability to read personal or restricted data or the ability to modify system software).


Ensure Data and Software Availability

1. Back up and store important records and programs on a regular schedule.

2. Check data and software integrity by using techniques such as checksums on files, or compare current files against backup files. (Checksum is a calculated value that is generated based on the contents of a field, record, or file. The value can be regenerated at any time to determine if the contents of the field, record, or file has been changed).

3. Fix software problems immediately.


Confidential Information

1. Encrypt sensitive and confidential information where appropriate.

2. Monitor printers used to produce sensitive and confidential information.

3. Overwrite sensitive files on fixed disks, floppy disks, or cartridges. People who use confidential materials should have a utility program that overwrites files. Deleting sensitive files from fixed disks does not write over the files; it only reallocates the space to the available storage pool. Reformatting floppy diskettes does not provide security since there are utilities that can undo a reformat.

4. Information mandated by law or University policy to remain confidential requires special care to prevent illegal access.


Ethical and Legal Use

Software is protected by copyright law. Unauthorized copying is a violation of this law, and may result in legal liabilities for the University. Individuals responsible for such actions may be subject to disciplinary measures. Anyone who uses software should understand and comply with the license requirements of the software. For areas using several copies of the same package, the possibilities for group site licenses, shareware, and public domain software that allow authorized copying should be examined.


Viruses, Worms and Trojan Horses

Computer viruses and worms are self-propagating programs that infect other programs. Trojan horses insert damaging instructions in programs, which cause viruses/worms to spread to other programs when they are executed. Viruses and worms may destroy programs and data as well as using the computer's memory and processing power. Viruses, worms, and trojan horses are a particular concern in networked and shared resource environments because the possible damage they can cause is greatly increased. Some of these cause damage by exploiting holes in system software. Fixes to infected software should be made as soon as a problem is found. To decrease the risk of viruses and limit their spread:

1. Check all software before installing it.

2. Use software tools to detect and remove viruses.

3. Isolate immediately any contaminated system.

4. Secure master diskettes.


Personal Computers/Local Area Networks

Networked personal computers may require more stringent security than stand alone computers because they are access points to computer networks. While the department LAN manager has responsibility for setting up and maintaining appropriate security procedures on the network, each individual is responsible for operating thier own personal computer with ethical regard for others in the shared environment. The following considerations and procedures must be emphasized in a LAN environment:

1. Check all files transferred from bulletin board and external systems for problems.

2. Test software before it is installed to make sure it doesn't contain a virus/worm that could have serious consequences for other personal computers and servers on the network.

3. Choose passwords with great care to prevent unauthorized use of files on LAN servers or other personal computers.

4. Coordinate data and software back up between individuals performing back ups of their local files and automatic central back ups of LAN servers.

5. Use (where appropriate) encrypting/decrypting and authentication services to send confidential information over a network.

6. Follow program copying, sharing, and licensing requirements to save space and license fees.

Important Note: LANs that access the High Speed Data Network (HSDN) can cause damage to national and international networks.


More Information

The Information Security Handbook is available on-line by accessing the campus information system (VINE), or the local anonymous FTP site (nic.harvard.edu). For questions about security: call the Network Information Center (496-2001).