(Draft) Report of the Special Committee on Computer Loss Control

by David Heise

Director, Computing Services

Thursday, August 29, 1996

 

When            Monday, August 26, 1996, 8:00am

Where           Information Services 100

Attendees      Merle Bascom, Lorena Bidwell, Dan Cress, David Heise, Kevin Penrod,
      Dorothea Sarli (via conference phone)

Apologies      Ed Wines

Prayer           Merle Bascom

 

This group was called together following a rash of PC thefts totaling 11 machines worth over $20,000.

1. Details of Thefts

Initial evaluations suggest that the thefts are all the work of one person or group.  The machines that have been taken are all either new or have been recently upgraded to meet special needs.  There were signs of forced entry at 2 of the 7 seven locations.  All PCs were taken from secured areas, that is, from behind locked doors.

 

Kevin, list brief details of the thefts that have occurred: date, place, number of PCs, descriptions and values

2. Deterrent and Preventative Measures

A range of options was discussed, with pros and cons being given for each.

2.1 Physical Restraining Devices

These involve locking the monitors and PC cabinets to the desk via cables and padlocks.  They are the least expensive, and can be quite effective for the cost.  However, a number of concerns were raised.

·        Keying Issues

·          All machines can be separately keyed, or
all locks can have the same barrel, or
there can be a hierarchy of sub-masters and masters.

·          Storage of keys
Keys stored in the top drawer of the desk defeat the purpose of having locks.  Keys could be kept in a locked cabinet in AIS, but there could be user resistance issues to deal with.  AIS is anxious not to be branded as the “ogre” in this.

·          Control of who has keys, and dealing with lost keys is a management nightmare.

·        Method of attachment

Those that attach via adhesive pads or by drilling holes void the warranties on items still covered by replacement warranties.  A secure but non-defacing method is available that involves replacing one of the chassis screws.

·        Installation

Installation by AIS personnel would stretch resources to the limit.  If possible, devices with simple to follow installation instructions should be chosen so that users could install their own locks.  However, in many cases, users will not possess the necessary tools, so it is not likely that this will relieve the installation burden significantly. 

·        Inconvenience

This approach will cause inconvenience when departments want to rearrange office setups or seating and desk positions.  It will also cause frustration and bad reactions when a machine requires service in the AIS workshop, but no key can be found to release it from the desk.  Using bolt cutters to achieve that is a partial and unsatisfactory solution to that problem.

 

Implementation should be for high risk machines initially, such as new or recently upgraded machines.  Over a period of 3 to 5 years, with the current turnover rate, this would spread across the campus.  Other machines could be added at a faster rate if desired.

2.2 Motion Detectors

These are seen as having value if they are strategically placed in access hallways, etc.  They can be silent, giving an immediate alert on a panel that is manned full time or activating a pager.  They can also sound a loud alarm at the scene.  This would act as a deterrent, but could disrupt victims.  A large problem to overcome in the case of motion detectors is how to deal with unrestricted after hours access by staff.

2.3 Video Cameras

There are a whole range of devices (and costs) that could be considered in this category.  Cameras can be hidden or exposed or both.  They can record to a local circular memory or be capable of being viewed in real time at a monitoring station or both.  Visible cameras can have good deterrent effect, and some companies even offer dummy camera for the purpose.  However, since they offer no protection on their, they would need to be backed up by a hidden camera or something similar.

2.4 Identification

When equipment is stolen, a vital piece of information in locating the stolen goods and tracking them to the thief is the serial number.  All capital items are assigned an Andrews University ID , and serial numbers for all equipment purchased through AIS are recorded with their associated ID..  However, our ability to give positive and accurate serial numbers for stolen equipment is impaired by two things.  When equipment is moved from one office to another, there is no procedure for ensuring that the register of serial numbers and locations is updated.  Also, there is no functioning procedure for logging equipment bought independently of AIS.

 

Reference was made to the practice used in some places of stenciling the name of the organization in large bright indelible letters in easy to see places on the equipment.  However, while this may act as a deterrent, it defaces the equipment somewhat, and has the same implications for warranties as locking cables fixed with adhesive or drilled holes.

2.5 Key Control and Card Access

The costs of putting the whole campus on a centrally monitored alarm system, with card access to doors, may seem prohibitively expensive.  A very rough early estimate would be $8,000 to $10,000 per typical building.  However, this approach offers many benefits.  It allows monitoring of unauthorized and after hours access, and can control access hours.  It deals very well with the issues of lost keys and keys not being returned when staff or students leave or move.  Because of the risks posed by the unauthorized use of keys, the University ought to consider a long term plan for moving in the direction of card access to buildings.

3. Implementation Issues

The committee felt that if departments were told they could adopt the recommended measures on a voluntary basis, and were asked to cover the expense from their current budgets, the participation rate could be low, and the implementation of these measures may not be adequate.  If the departments were told the security measures were mandatory, there could be resistance and hardship in some departments.  The committee strongly believes that for high risk areas and machines, the security measures should be considered to be mandatory, and that funding from a central fund may be the best way to achieve this.

 

However, a lot more can and should be done than the mere installation of physical security equipment.  A comprehensive awareness campaign should be conducted as part of the implementation.  This would include an e-mail message to all staff (it is recognized that will not reach all people).  A brief once only voice-mail announcement may be warranted.  Notices can be placed in foyers, staff meeting areas and other appropriate places.  Articles can be published in Update and in IS News.  Perhaps a direct mail to staff should also be considered.  Copies of an appropriately worded statement could be placed on the counter in the AIS store front.  It is felt that the project will have a better chance of success if it is announced as an Andrews administrative imperative rather than as an Computing Center imposition.

4. Recommendations

1.      Research suitable restraining devices
* produce a list of devices and models with required features
* provide supplies via AIS, or from alternate suppliers if preferred
* prepare simple installation sheet, if necessary

2.      Identify high risk areas and machines

3.      Develop a phased implementation plan for installing restraining devices

4.      Install the restraining devices, as an immediate but partial measure

5.      Develop a long term plan for installing motion detectors, video surveillance cameras, and card access locks

6.      Devise workable procedures for maintaining accurate records for locations of equipment, with ready lookup access by Campus Safety

 

A Final Note - Proof of Identity

It is felt that the prevailing attitude of trust, which is good in itself, may work against us in this matter.  It is likely that when someone comes to remove a machine, people who notice would assume it was a technician from AIS.  Maybe genuine AIS staff should wear a photo ID or some form of identification.  The culture in terms of questioning and being questioned needs to change.  That is, staff should expect to see proof of identity from anyone moving equipment, and should be encouraged to ask for ID if it is not visible.  In the same way, staff who are moving equipment, or just moving about at abnormal hours, should expect to be asked for ID.  This should be taken as a sign of security, not as a personal affront.  Respecting a person for doing their job will assist them in doing it better.