Texas Security and Risk Management

11.0 Personal Computers and Word Processors

Copyright(c), 1995 - Management Analytics - All Rights Reserved

Nowhere in the field of automation has the explosion in information technology manifested itself more than in microprocessor based systems. A personal computer sits on the desk of virtually every individual having anything to do with the collection, analysis or processing of information. And, more often than not, each individual controls the personal computer data files, spreadsheets, or databases. In many cases, the individual is the only person who knows what data is available or how to run most of the applications. In more and more cases, these systems have a link into some sort of telecommunication network which allows the interchange of data with other systems in the network. These "other systems" may range from mainframes and LAN servers in a hard wired network to public bulletin board systems through the use of dial-up telephone circuits.

11.1 Security Risks

Personal computers and word processors lack many of the controls ordinarily found in larger processing environments. These include strict and regular backup procedures, access restrictions and individual accountability for changes to data. This absence of control, along with personnel changes, disk drive failure and lack of audit trails, tend to make end user computing workstations and word processors highly vulnerable to risks associated with data integrity, disclosure and loss.

STANDARD. Personal computer systems and word processors used to store, process and/or access confidential or sensitive data, shall undergo risk analysis as required by the information security function. Risk analysis results shall be presented to the owner of the information resources for risk management. The degree of risk acceptance (i.e., the exposure remaining after implementation of the recommended protective measures) must be identified. The Information Security Function must be prepared to demonstrate that security precautions have been established to ensure data confidentiality and the maintenance of information integrity.

GUIDELINES. Unless extraordinary steps are taken to ensure control, the use of end user computing workstations for sensitive or critical tasks should be avoided. The use of end user computing workstations for sensitive or critical tasks should be strictly reviewed and only permitted where adequate controls are in place to provide continued data confidentiality, integrity, and availability. Particular emphasis should be placed on training and awareness of end users responsible for data integrity and availability for sensitive or critical systems. Physical access to workstations should be limited to the degree necessary to provide data confidentiality, integrity, and availability, particularly where meaningful logical controls are not available or not used. Agency management must recognize that the use of end user computing workstations for sensitive or critical tasks implies a lack of centralized control and administration over information resources.

GUIDELINES. Program managers should thoroughly review the possible risks associated with storing information or accessing applications on personal computers or word processors.

11.2 Personnel Practices and Data Maintenance Procedures


11.3 System and File Backup Procedures

Provisions should be made to ensure against the loss of data and programs stored in personal computers or word processors as a result of machine or power failures. Backup copies of all data files and software should be stored in a safe location. A regular schedule for making backup copies of all data files should be established.

Establish procedures for backing-up files stored on a hard disk to either floppy diskettes, another hard disk drive, or to magnetic tape. Ensure that the backup files are stored in a separate location.

Make arrangements for the availability of a backup system in case of an equipment failure or other emergency.

11.4 Security Features

Word processing systems vary greatly in terms of the security controls or features they offer. Program managers utilizing these systems for storage of confidential or sensitive information or critical applications should become thoroughly familiar with those systems' security features. They should then determine which features should be utilized, taking into consideration the risks that exist within their operating environment. Most of the following security features are available to word processing systems. It is strongly suggested that they be investigated and used.

Passwords are also an effective means of preventing unauthorized individuals from gaining access to information stored in a personal computer system. Systems that allow the use of passwords on personal computers are available and can be utilized to prevent the use of the system, protect files, and assign information access authorities. For additional information, refer to the applicable sections within this guideline which address passwords and information access authorities.

11.5 Physical Security

Word processing systems should be located in environments that have been designed with information technology security considerations in mind. For specific facility related considerations see the section on Physical Security in this document. At a minimum the following list provides the physical security features that should be considered for offices employing these systems:

To protect personal computer systems from theft and unauthorized use, desktop systems should be located in secure areas within the agency or should be physically attached to a desk or table. If the computer has a lock, it should be locked whenever the system is unattended and the key should be kept in a secure location. There are a variety of devices that can be used to secure a personal computer to a desk, including cables, adhesives, and bolt on brackets. If the personal computer is located in a private office, the office should be locked when it is unoccupied.

Personal computers having access to local or wide area networks as clients or terminals to the server should never be left unattended while logged on to the network.

11.6 Magnetic Recording Media

Most personal computers and word processors permit the operator to place information on magnetic diskettes, commonly called "floppy disks." Floppy disks are extremely portable. Confidential information can be copied to floppy disks and easily removed from the premises. To ensure that information is properly handled, office policy and procedures should address the storage and handling of confidential and sensitive information that has been copied to floppy disks.

Floppy disks are easily destroyed by heat, magnetic fields, or other improper handling such as touching the recording surface. To avoid loss of information, personnel should be trained in the proper handling of floppy disks. Personnel should be advised of the following:

11.7 Encryption

Encryption, or the coding of data to make it unintelligible to anyone not having the security key, is a method for protecting information. For additional information refer to the applicable sections within this document which address encryption.

11.8 Software License Agreements

Software license agreements must be strictly adhered to. Proprietary software cannot be duplicated, modified, or used on more than one personal computer except as expressly provided for in the manufacturer's license agreement.

11.9 Documentation

A minimum set of standard documentation should be maintained by the individual or organization responsible for a personal computer or word processor. Standard documentation can be categorized into four basic areas and includes the following:

11.10 Training

Program managers are responsible for ensuring that staff members possess the knowledge and skills necessary for effective use of the personal computers and word processors that are available to the organization. Program managers are also responsible for ensuring that there is sufficient depth of training to prevent disruption of key activities in the event of unexpected staff changes.

11.11 Virus Protection

Personal computers and word processors are susceptible to becoming infected by viruses which can cause system malfunction and data loss. Strict adherence to the procedures and guidelines outlined above will minimize this risk. However, further steps can be taken which are specifically directed toward virus prevention.