In this chapter we shall:
You will normally insure your office-based computer equipment under your standard office policies. You might choose to have cover for consequential loss (e.g. loss of revenue in the event of business interruption or high value data loss). Your insurance company is likely to have rules and exclusions for higher value items. Normally, insurance company stipulations are common-sense, minimum requirements, such as:
If you are using portable computers (laptops, palmtops, hand-held computers etc.) you will also need some form of “all risks” policy to ensure that the equipment is covered away from your premises. It often makes sense to have the all risks policy separate from your office policy, to ensure that your claims record on one does not taint your claims record on the other type. In any event, at the time of writing it is nigh on impossible to get any insurer to cover portable computing devices in certain circumstances. Our advice with regard to portable computers therefore is - do not leave portable computing devices unattended in:
It is part of your trustees' fiduciary duty to ensure that you properly protect the assets of your not-for-profit organisation. It is also a legal requirement under the Data Protection Act (see chapter 11) that you maintain reasonable levels of security for the data you hold.
Strangely, people sometimes put a great deal of effort into having high levels of data (or logical) security and forget about some of the basics for maintaining physical security. Many of the severest and most likely risks to your equipment and the information on it stem from physical security risks. The main categories of risk are:
In order to implement sound physical security procedures, you need to consider the following main questions:
As always with areas of risk, you need to assess the severity and likelihood of the risks in order to decide the extent to which you should protect yourselves. Especially with smaller not-for-profit organisations, these can be tricky decisions. You probably don't have enough time or money to implement all of the ideas in the checklist below, but similarly you might not have enough money to replace machines if they are stolen and not insured.
The following table sets out key risk factors for physical security in not-for-profit organisations, which you can use to help you assess the risks you face.
Risk factor | Notes and comments for not-for-profits |
---|---|
Is the equipment spread across many different sites? | each site will have physical security risks of its own |
To what extent do you use portable computers? | portables are especially high risk - see comments above on insurance |
Does the public have easy access to areas where equipment is kept? | can be especially high risk for some not-for-profit organisations, e.g. a drop-in centre for young people who are in trouble |
Is some of the equipment located in places with particular propensities to natural disasters and/or malicious damage? | not-for-profit organisations often work in places with high risks of natural disasters, political or social upheaval |
Is the information on the equipment especially sensitive and/or confidential? | some not-for-profit organisations handle very high risk information, e.g. a fostering and adoption placement charity. Although logical security should mitigate much of this risk, the existence of that sensitive data within the system increases the physical security risks also |
Does the equipment potentially have the capability of authorising or making financial payments? | although logical security should mitigate much of this risk, the existence of that capability within the system increases the physical security risks also |
Have you had an incident or circumstances that might lead you to believe that a disaffected person or organisation has malicious intent towards your organisation? | disaffected former staff members are a common example of this risk. In not-for-profit organisations, there are often additional risk factors. For example, equipment in a shelter for survivors of physical abuse might be at physical risk from physical abusers. Another example: a medical research charity's equipment might be at risk from militant animal rights campaigners. |
You can use the following checklist to help you to manage physical security risks. Check each risk area under the headings 'assessment, impact and mitigation', 'severity' and 'likelihood'. Larger not-for-profit organisations should develop more comprehensive and specific security checklists and procedures, but the following should form a good starting point even for larger not-for-profit organisations embarking on such an exercise.
Risk area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Do you have an up-to-date inventory of all of your computer equipment? (see template 19.1) | |||
Do you have up-to-date records on the locations of your system documentation? | |||
Do you have an up-to-date inventory of all of your software? (see template 19.2) | |||
Do you have up-to-date records of your data backup locations? | |||
Do you know the location of your disaster recovery plan? | |||
How you are securing it |
Risk area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Do you keep the main computers (e.g. servers) in a secure room dedicated to computer equipment? | |||
Is access to your main computer room securely restricted to relevant personnel? | |||
Is the main computer room located in a relatively environmentally safe place? | |||
Is the main computer room protected with fire detectors, smoke detectors and/or fire extinguishers? | |||
Do your main computer(s) have a clean power supply, (e.g. special power line or spike removing devices)? | |||
Do your main computer(s) have an uninterruptible power supply? | |||
Are some computers located in places where the public might have access? | |||
Do you security mark the computer equipment? | |||
Do you use power-up passwords on the computers? | |||
Is the equipment physically secured? (e.g. PCs bolted to the desk or housing) | |||
Are portable computers locked away out of sight when unattended? | |||
Are secure access devices (e.g. bank payment transition devices) kept locked away accessible only to authorised personnel? |
Table 9.2.3 Physical Security Checklist - Who is securing it
Risk Area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Do you have clear roles and responsibilities for IT security? | |||
Are the IT security procedures sufficiently documented? | |||
Is there a segregation of duties between those responsible for IT security and those responsible for processing? | |||
Do you have adequate insurance cover for your IT equipment? | |||
Does your insurance provide "all risks" cover? | |||
Does your insurance cover consequential losses? |
Inventory reference number | Date bought | Make / model / spec | Maker's serial number | Cost | Location | Warranty / maintained by | Notes |
---|---|---|---|---|---|---|---|
Inventory reference number | Date bought | Vendor name | Author / package / version | Licence serial number | Cost | Location | Notes |
---|---|---|---|---|---|---|---|
It's rather a shame, but this subject tends to make people's eyes glaze over. A shame, because actually backing up your data properly is one of the most basic and crucial things you can do to protect your investment in IT. Backing up is the process of making a secure copy of your data and/or programs as a contingency in the event that something goes wrong with the original data. Losing data is a significant risk in using IT, but one of the great benefits of using IT is the relatively low cost and ease with which secure copies can be made to protect your investment. Consider the following two horror stories.
A good friend telephoned and asked me if we would do her a favour and help her sister who was going frantic. The sister ran a small community-based membership organisation with one full-time worker (our friend's sister herself). The organisation's computer had been stolen in a burglary overnight. Could we help? "We'll try," we said, and one of us phoned the sister. "Everything was on that machine, everything," she said, "the accounts, the membership records, our community contacts, correspondence going back 5 years..."
"We'll lend you a machine to get you up and running again pdq," we said. "Have they taken your back up device as well? What medium were you using for your backups?"
"I didn't take backups. I didn't have enough budget for a backup device when I first got the computer. In the early days I used to copy stuff on to floppy disks, but when the files all got too big for floppies I stopped copying. Please help." The only help we could manage in those circumstances was to offer our condolences.
A large and well known campaigning organisation had an IT department with several people, comprehensive back up procedures and an air of confidence even after the new main server crashed and took all the data with it. They had back ups, everything would be OK. Most things were OK and were up and running again within a day. But one key system (used for the administration of a large proportion of the organisation's fundraising income) was not OK. This system had recently been moved on to the new server, probably in a hurry, and the back ups had not been set up correctly. Worse, even the back ups from the old server (several weeks old, but at least it would have been something) would not restore. No-one had ever tested whether the back ups on that old server could actually be restored and used. In fact, for this particular fundraising system, there was a flaw in the back up. Result: misery for many weeks.
There are three big lessons from those two horror stories:
The following checklist should help you to get your back ups right. Again, check each risk area under the headings 'assessment, impact and mitigation', 'severity' and 'likelihood'. Larger not-for-profit organisations should develop more comprehensive and specific back up checklists and procedures, but the following should form a good starting point even for larger organisations.
Risk area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Do you have an up-to-date inventory of all of your computer equipment? | |||
Do you know where all the programs and data are stored? | |||
Do you know which files you need to back up in order to avoid loss of records and/or to avoid losing the ability to function? |
Risk area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Are you backing up frequently enough? | |||
Do you have appropriate back up devices and media for those devices? | |||
Are you logging the back ups? | |||
Is someone checking that you are following proper procedures each time you back up? | |||
Do you verify your back ups? | |||
Are some or all of your back ups taken off site? | |||
Are your back ups kept in secure and appropriate places? | |||
Do you periodically test that you are able to recover from your back ups? |
Risk area | Assessment, impact and mitigation | Severity | Likelihood |
---|---|---|---|
Do you have clear roles and responsibilities for back up and restore? | |||
Are the back up and restore procedures sufficiently documented? |
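The checklist items on logging, verifying and test-restoring back ups (and the lesson of the second horror story) can be turned into a routine. The following POSIX shell script is an added example, not from the book: it archives a directory, records a checksum beside the archive, writes one line to a log, and then proves the archive restores byte-for-byte into a scratch directory. All paths are hypothetical; it assumes GNU `tar`, `sha256sum` and `diff` are available.

```shell
#!/bin/sh
# Added example (not the book's own procedure): back up, log, verify, test-restore.
# Hypothetical usage: make_backup /srv/data /mnt/backups /var/log/backup.log
set -u

# Archive SRC into DEST_DIR, store its SHA-256 alongside it and append a line
# to the backup log. Prints the archive path so callers can verify/restore it.
make_backup() {
  src="$1"; dest_dir="$2"; log="$3"
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$dest_dir/backup-$stamp.tar"
  mkdir -p "$dest_dir" || return 1
  tar -cf "$archive" -C "$src" . || return 1
  # Checksum is written with a relative name so it verifies from any mount point.
  (cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$archive.sha256") || return 1
  printf '%s BACKUP %s %s\n' "$stamp" "$src" "$archive" >> "$log"
  printf '%s\n' "$archive"
}

# Verify an archive against its recorded checksum: catches media corruption
# or a truncated copy long before you need the tape.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256")
}

# Test restore: unpack into a scratch directory and compare with the source.
# Returns 0 only if every file comes back identical; the scratch dir is removed.
test_restore() {
  archive="$1"; src="$2"
  scratch=$(mktemp -d) || return 1
  if tar -xf "$archive" -C "$scratch" && diff -r "$src" "$scratch" > /dev/null; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}
```

Run `verify_backup` on every archive and `test_restore` on a schedule; a back up that has never been restored is only a hope.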
It is often difficult to separate IT business continuity from general business continuity planning, as many of the catastrophic risks you are trying to mitigate would have an impact on your organisation beyond IT (e.g. a major flood, fire or failure of public services). However, there are catastrophic risks that are IT specific, the most pressing of which (data loss through hardware or software catastrophe) you try to mitigate in part through back ups.
Having back ups, however, is only part of the story, as you need to think through how you would get your show back on the road in the event of various catastrophes. If your office burns down taking all of your machines with it, you might be able to wave the back up tapes around with a smug grin on your face, but you will need some space and machines as well as those tapes to get up and running again.
You might choose to subscribe to a business continuity, disaster recovery or data recovery service, which is in effect an insurance policy of sorts, as you are paying for the ability to use space and/or equipment in the event of a catastrophe. The "Rolls Royce" form of the service is known as a 'hot site', which is basically a site with equipment that fits your specification waiting for you to turn up with your back ups and can get you up and running again almost immediately. A 'cold site' is a suitable site with no equipment in it. A 'warm site' is somewhere between, where you would probably have the cabling and some equipment in place, with other equipment being procured or swapped in to the site in the event of the emergency.
Some organisations make formal or informal arrangements with other organisations to help each other out in the event of a catastrophe. A collective approach of this sort is welcome, especially in the impecunious not-for-profit sector, but it is important to realise the limitations of such an approach, especially if the arrangement is entirely informal.
Your decision on the extent to which you make prior arrangements will depend on many factors, including:
The important point is that you have a plan and you know how you would deal with the various catastrophic events. You need clear roles and responsibilities for dealing with the disaster and for ensuring IT business continuity after the event. The plan should also cover minimising the risks of catastrophe and (where possible) mitigating any losses arising. You should also test your plan, to satisfy yourselves that the plan would work if the worst did happen.
IT business continuity planning is not the best fun part of this book but it is important that you consider it. We hope you never have to implement your plan.