This is the report of the AuditSec Plc limited scope auditing of the CMS Lab located at the first floor of King William Building, University of Greenwich. The audit was conducted at the request of University of Greenwich CMS Support Manager, Mr. Frank Raz by letter dated February 1st, 2010. The focus of the audit was on the physical and environmental security of the physical assets in the lab and the level of student adherence to the official general usage policy of the CMS labs.
Title
Audit Report on physical and environmental security of the physical assets of first floor CMS Lab in King William building of University of Greenwich.
Recipients
The recipient of this report is CMS Support Manager, University of Greenwich, London.
Date
This report is dated April 19th, 2010.
Contents
A report based on the audit done at the premises of University of Greenwich, first floor of King William Building computer labs (KW 102, KW 103, KW 116) between 15th March and 25th March 2010.
Scope
Physical and environment security of the physical assets in the labs.
Assess student adherence to the official general usage policy of the CMS Labs.
Objectives
The main objectives are to:
Identify and analyse vulnerabilities, threats and risks to the CMS lab assets and the controls placed to keep them in check.
Submit a detailed audit report containing findings, how the risks are being dealt with by the management and recommendations based on the findings.
Business Setting
"The School of Computing and Mathematical Sciences provides specialist computing facilities for students including video editing and multimedia (including MIDI sequencing) suites, Hardware Comms and Mobile Computing labs, as well as computers for general use." (CMS Computing and Administrative Support Guide et al., 2009-2010)
The School of Computing and Mathematical Sciences has the following computer labs available for student use in first floor of King William building:
King William 102 (KW102): Video Editing / Multimedia lab containing 30 iMacs running both Apple OS and Windows XP. This lab is primarily for the use of multimedia and film editing students.
King William 103 (KW103): Bookable lab containing 60 PCs. The lab is divided into 2 sections, each consisting of 30 PCs.
King William 116 (KW116): Hardware Comms lab containing 80 PCs. This lab is used by computer hardware and networking courses as well as being available for general use.
Practical Audit Method Employed
The auditing was done in three different stages.
Planning
This step required a clear understanding of the university's requirements, constraints and scope of the auditing to be done. As per the university's requirements a security audit was to be done in the CMS Labs in the first floor of King William building. The two constraints put forward by the university are that auditors must not converse either verbally or in writing with the CMS staff of lab assistants and that the auditing should not be done at an advanced level involving investigation at the operating systems or network server level. It was also necessary not to cause alarm or disruption and not to alert the technical staff in any way.
A thorough study of the CMS Labs general usage rules and ISO27001 security series standards section was done. Also an audit plan was made on how to proceed with fieldwork and reporting for auditing.
Fieldwork
Fieldwork included selecting the standards and rules against which the audit was to be done. Section A9 in the ISO27001 series, dealing with physical and environmental security, and the CMS Lab rules were selected for this.
Reference documents such as the CMS Lab rules and the CMS Computing and Administrative Support Guide were downloaded from the University of Greenwich website. A checklist and a questionnaire were created for the audit using these references.
A physical observation was done personally during lab hours when student usage was high. The time period of the audit lasted two weeks, auditing the labs on random days, twice per week. Personal observation was done in accordance with the constraint given by the university.
Issue concerns and developing solutions
After auditing, the issues of concern were dealt with by analysing and developing solutions using different techniques (e.g. Cost-Benefit Analysis). These solutions are highly recommended.
Student Adherence to General Usage Rules
Expected Behaviour as per Standard
Observed Behaviour
Students adhered to rule
General Use
Smoking is banned in labs
-Found no one smoking.
Yes
Do not eat or drink in labs
-Observed a few students drinking inside the lab.
No
Mobile phones must be switched OFF at all times whilst in labs
-Many students were observed texting and making calls, and this caused disturbances to students nearby as a few mobile phones were not in silent mode.
No
Users are prohibited from the use of Peer2Peer file-sharing technologies, such as Kazaa or WinMX
-Observed a few machines and found no evidence of Peer2Peer file-sharing software, but was able to access the Kazaa website, from which it can be downloaded freely.
Yes
Users are prohibited from using chat programmes, such as Microsoft MSN Messenger or Yahoo Messenger
-Did not find any chat applications installed in machines.
-However, students were using web chat sites like facebook.com and meebo.com, where they were able to chat in the browser without installing any specific application.
No
Users are prohibited from placing notices or signs on any machine.
-Students adhered to this rule strictly.
Yes
Users are prohibited from logging into more than one machine at any time.
-A few machines were found logged in with no user at them. This caused difficulty to other students during afternoon peak usage hours.
-Was able to log into multiple machines at a time.
No
Users are prohibited from running programs on the machines outside of Lab opening hours, for example rendering or simulations.
-Students adhered to this rule strictly.
Yes
Games (web based or otherwise) are not permitted in the labs. (Except in supervised tutorial sessions in the games development lab.)
-A few students were observed playing web-based games online, which are easily available for free. There is no need to download and install these kinds of games because their only system requirement is Internet Explorer with Flash.
No
Users must not behave in a way which may disturb other users, for example causing excessive noise or sending messages to other users' desktops via the net send command.
-Most of the students did not adhere to this rule.
-Students were observed not using net send command but were talking to their friends loudly causing disturbance to others.
No
If you are using a computer which has been booked for class use, please leave it as soon as you are requested to do so by the technical support or teaching staff.
-Some students did not adhere to this rule.
-A few students continued to use the machines even after repeated requests by the lab assistants.
No
At busy times the technical support staff may logout unattended computers after 15 minutes to free them for other users.
- Students adhered to this rule strictly.
Yes
Users must produce a valid resource card at the request of any member of technical support, security or other university staff, failure to do so may result in students being asked to leave the premises
- Students adhered to this rule strictly.
Yes
Any verbal or physical abuse of any member of technical support, security or other University staff will not be tolerated.
- Students adhered to this rule strictly.
Yes
Users should not leave litter in the labs, this includes unwanted print outs, lecture notes, etc
-Students adhered to this rule strictly.
Yes
Hardware
Users must not alter the hardware on any CMS computers without the authorisation.
-It's very hard to remove the CPU cases. It's firmly enclosed.
-Will need specialised tools to remove the case.
Yes
Users are not permitted to add their own hardware to a CMS computer; with the exception of removable storage media e.g. USB sticks.
-Students adhered to this rule strictly.
Yes
Do not attempt to rewire any aspect of the lab machines (Unless authorised to do so and in supervised conditions within the hardware lab- QM440).
-Students adhered to this rule strictly.
-It's not easy to rewire some machines as they are assembled as a single unit. eg. RM One Desktop machine
Yes
Users may not connect personal laptops to CMS owned networks.
-Students adhered to this rule strictly.
-The Ethernet socket is easily accessible so it might tempt the students to try connecting to the CMS owned networks using a standard Ethernet (RJ-45 Category 5) cable.
Yes
Do not connect any electronic equipment to the University's power supply without prior permission and the use of a surge protector. You are responsible for the safety and security of your own equipment: The University will not be responsible for any damage caused to your equipment as a result of such connection.
-Found one student using his mobile charger plugged into the university's power supply to charge his mobile.
-A few power supply sockets are left unused, which may be used by the students.
No
Printing
Do not print any materials which are obscene, defamatory, offensive etc
-Did not find any students printing offensive material.
Yes
Do not take or copy other people's printouts
-Printer is located in the centre of the lab. So it is at a viewable distance.
Yes
Do not use your own paper, acetates etc with the printers
-Students adhered to this rule strictly.
Yes
Do not attempt to change the setup of any printers in any way, e.g. paper size etc
-Students adhered to this rule strictly.
-Observed that it was not possible to change the settings of the printer from the client machines.
Yes
Do not remove unused paper from the printers
-Did not find anyone removing unused paper from the printers.
Yes
Viruses
Take care not to introduce viruses into the University.
-Discussion with some students in the lab revealed that they were not aware of how the virus gets downloaded and how it gets copied automatically.
No
Use the virus checking and removal facilities on the computer networks regularly to check your floppy disks, otherwise your work and that of others could be lost.
-Students adhered to this rule strictly.
-The virus removal tool used in the lab is a popular antivirus (McAfee).
-The virus removal tool is up to date and is scheduled to update automatically.
-All the desktops have Windows XP (with the latest service pack) installed, which is a relatively old operating system.
Yes
Contact the computing laboratory staff if your files are reported as having viruses and you are not sure what to do
-Students adhered to this rule strictly.
-Computing laboratory staff room is located in the lab so contacting them will be easy.
Yes
The computers will try to automatically detect viruses before they damage your work. If they find something suspicious your computer will start bleeping and a message will be displayed or your screen will go blank. Do not ignore this.
-McAfee boasts of having intrusion prevention and firewall technology with hacker proof protection in the version (McAfee VirusScan® Enterprise) installed in the CMS Lab.
Yes
Recommendations
Recommendations based on the findings of the audit of general usage rules are:
Place clear signs or warning boards showing that smoking is strictly prohibited inside the labs and that anyone doing so is breaking the law (Health Act 2006).
If necessary, a mobile phone jammer should be used inside the labs. There are various types of mobile phone signal jammers available in the market today in different shapes and prices. An advantage of a signal jammer is that it is portable and cheap.
Block all unwanted file-sharing software (Peer2Peer) websites so that the software cannot be downloaded from the internet. Blocking the specific port numbers that are used by the software to transmit data is another way to control the use of this software.
Using filtering software (e.g. SafeSquid Proxy Server) on the main servers can help block out sites like facebook.com and meebo.com to prevent users from using web chat. This is also a way to prevent users from accessing websites providing free games online.
Provide users with sticky-notes software (e.g. Stick-It Notes) with which they can create notes on their desktops.
Lab assistants or support staff should be present in the lab at all times during usage hours. This acts as a deterrent control to stop students from causing disturbances to other students.
Users can be prevented from accessing the CMS owned networks by filtering machines using the Media Access Control (MAC) address of the Network Interface Controller (NIC) of the desktops.
Students should be made aware of how viruses get into a system and how to avoid downloading viruses or spyware from the internet.
Upgrading the operating system to the latest MS Windows Seven will help overcome many shortcomings of Windows XP, which is now relatively old. Microsoft has extended the support period for XP to April 2014 and will provide critical security updates only.
Physical and Environmental Security
Expected Controls as per Standard
Observed Controls
Overall opinion
Secure Areas
Physical Entry
-Security guards are present at the entrance of ground floor of the King William building.
-Security guards check the ID cards on random days before allowing students access to the building.
-CCTV cameras are fixed at all required places including corridors, entrance and CMS labs.
-Observed the windows are weak and easily breakable with no iron grills.
-King William building entry doors are made of wood.
Yes
Securing Offices, rooms
-Observed that students have free access to all rooms once inside the building.
-There are no secondary methods to stop physical access to labs and rooms, e.g. ID card reader, fingerprint scanner, RFID.
No
Protecting against external/environmental threats.
-The audited CMS lab is on the first floor of King William building so there is less fear of flooding.
-Fire alarms are installed in the CMS Labs.
-However no fire extinguishers were found in the labs.
-The CMS Labs have a lot of wooden furniture, which catches fire easily and also acts as fuel.
-The lab rooms are fitted with heaters providing the correct room temperature for the working of desktop systems.
Yes
Public access security
-Public access is strictly checked. Guards ask for IDs if they see someone unfamiliar.
-Access to computers needs a user ID and password.
-Contacting the Lab Assistants for their support requires students to show their ID cards.
Yes
Equipment Security
Siting & Protection
-Students have a unique username and password for accessing the system.
-Passwords are a combination of numbers and letters.
-Most of the systems are very difficult to carry out of the lab, and the others are securely locked.
-The plug points have inbuilt fuse or power surge protection.
Yes
Cabling
-Observed that all communication cables are sealed off securely. So cables are safe from eavesdropping by an attacker because it's difficult to connect to the cables.
-CMS Labs don't have any tangling cables.
Yes
Maintenance
-The hardware in the CMS Labs is maintained properly with maintenance works.
-The virus checker is updated regularly.
-The latest service pack (SP3) is used in Windows XP. SP3 has a lot of new functionality and fixes.
Yes
Removal of Property
-Removing physical assets from the lab is very difficult because there are a lot of controls in place to stop this, e.g. CCTV cameras, security guards, lab assistants.
-Most of the systems are locked securely.
Yes
Recommendations
Recommendations for the auditing done on the physical and environmental security are:
Checking the student resource cards daily.
Strong doors with burglar alarms to prevent someone from breaking in.
Fit windows with iron grilles that will act as a secondary defence.
To prevent a major disaster caused by fire, use minimal wooden furniture. Use of fire-retardant materials will greatly reduce the risk of fire.
Using card readers to allow physical access to labs especially to CMS lab KW102 where expensive machines (iMac) are used.
Audit Conclusion
Overall conclusion of the audit and its findings
Auditing was done in the premises of University of Greenwich for the CMS Labs on the first floor of King William building, and a report was created showing the actual controls in place compared with the standards, with recommendations for improvement.
After the audit, it was concluded that overall student adherence to the university lab rules is satisfactory and that the physical and environmental security of the physical assets in the lab is excellent. However, there are a few areas where university management needs to review their control measures. Some of them are running awareness programmes for students on the risks of downloading viruses in the computer labs, providing a quiet and ambient atmosphere for students in the lab, and better physical access security to labs.
Gap Analysis Chart
The gap analysis reveals that student adherence is just satisfactory, so the control measures mentioned in the recommendation section should be implemented.
The analysis on physical and environmental security on the physical assets is good. The gap between standards and the actual control can be minimised by implementing the controls mentioned.
Recommendation for Immediate Management Action
Computer viruses and spyware are a big threat to all organisations. Although everyone takes steps to control them, they are never 100% controllable. Removing a virus from systems connected through a network (in our case the lab) is a far more time-consuming and expensive process than preventing it from entering the system. The audit report reveals that most students are not aware of the issues caused by viruses and the cost related to them. Almost all the systems are using the Windows XP operating system, which has many flaws and lacks the new Windows Defender firewall protection. So the immediate actions to be taken by management are:
Upgrade operating system to Windows 7.
Spread awareness among students about computer viruses and spyware.
References and Appendices
Health Act 2006, http://www.statutelaw.gov.uk/content.aspx?activeTextDocId=2573453, [18/Apr/2010].
ISO27001, http://castleforce.co.uk/Compliance/ISO27001/, [24/Mar/2010].
University of Greenwich CMS Lab guide, http://labs.cms.gre.ac.uk/cmslabs/, [16/Apr/2010].
Windows XP support end dates, http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173, [19/Apr/2010].
SafeSquid proxy server filtering, http://how2forge.org/control-download-of-files-and-mime-types-in-safesquid-proxy-server, [19/Apr/2010].