Sample NVA Report 239
Physical and Operational Security
Finding 1: Violations of Operations Security Procedures
Access to the CLIENT computer room is through a card key system. Visitors
are then supposed to log in on a sign-in sheet when entering and sign out
when exiting; employees are to swipe their cards when entering and when
leaving. Your Company observed employees following the procedure of swiping
in and out; however, visitors, such as PA, were not required to sign in on
almost any of the visits to the facility. Across all of Your Company's
entrances to and exits from the computer room, its staff were asked to sign
out only once, and most of the time they left the room without an employee
swiping them out. Even when Your Company did sign in, the names were never
checked: a review of the log should show a recent visit to the CLIENT
computer room by Mickey Mouse.
Consoles in the computer room were also routinely left unlocked with an
administrator account logged in. During almost a month in the CLIENT
computer room, the consoles of all the NT servers were never seen locked,
and most of them had the XXX Administrative account logged in, an account
that has Administrator privileges on the NT system.
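The two access records described above (the badge-reader log and the paper sign-in sheet) can be reconciled mechanically rather than by trusting the sheet. The following script is an added illustration and is not part of the original report or of Your Company's toolset: it flags badge entries with no exit swipe, sign-ins with no sign-out, sign-in names that are not on the day's visitor roster (the Mickey Mouse case) and visitors signed in while the named escort's badge was not inside the room. The escort column on the sheet, the roster, the badge IDs, the names and every timestamp are constructed sample data, not data from the CLIENT engagement.

```python
from collections import defaultdict
from datetime import datetime

# Constructed badge-reader export: timestamp,badge_id,direction (not real data).
BADGE_LOG = """\
2003-03-03T08:55,E1001,IN
2003-03-03T09:40,E1001,OUT
2003-03-03T10:02,E1002,IN
2003-03-03T13:15,E1003,IN
2003-03-03T13:50,E1003,OUT
"""

# Constructed transcription of the sign-in sheet:
# time_in,visitor_name,organisation,escort_badge,time_out (blank if never signed out).
SIGN_IN_SHEET = """\
2003-03-03T09:00,Jane Visitor,Acme Corp,E1001,2003-03-03T09:35
2003-03-03T10:05,Mickey Mouse,,E1002,
2003-03-03T12:00,Carol Vendor,Vendor Inc,E1001,2003-03-03T12:30
2003-03-03T13:20,Bob Auditor,Audit Co,E1003,
"""

# Hypothetical day roster of expected visitors and the issued employee badges.
VISITOR_ROSTER = {"Jane Visitor", "Carol Vendor", "Bob Auditor"}
EMPLOYEES = {"E1001", "E1002", "E1003"}


def parse_badge(text):
    """Return {badge_id: [(timestamp, 'IN'|'OUT'), ...]} with events sorted by time."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, badge, direction = (f.strip() for f in line.split(","))
        events[badge].append((datetime.fromisoformat(ts), direction))
    for badge in events:
        events[badge].sort()
    return events


def parse_sheet(text):
    """Return one dict per sign-in row; a blank sign-out time becomes None."""
    rows = []
    for line in text.strip().splitlines():
        t_in, name, org, escort, t_out = (f.strip() for f in line.split(","))
        rows.append({
            "name": name,
            "org": org or None,
            "escort": escort,
            "in": datetime.fromisoformat(t_in),
            "out": datetime.fromisoformat(t_out) if t_out else None,
        })
    return rows


def inside_at(events, when):
    """True if the badge holder's most recent swipe at or before `when` was an IN."""
    inside = False
    for ts, direction in events:
        if ts > when:
            break
        inside = direction == "IN"
    return inside


def audit(badge_text, sheet_text, roster, employees):
    """Cross-check badge swipes against the sign-in sheet; return a list of findings."""
    findings = []
    badge = parse_badge(badge_text)

    # 1. Badge log: unknown badges, and every IN should be closed by a later OUT.
    for holder, ev in badge.items():
        if holder not in employees:
            findings.append(f"{holder}: unknown badge used")
        inside = False
        for ts, direction in ev:
            if direction == "IN" and inside:
                findings.append(f"{holder}: IN at {ts:%H:%M} with no prior OUT")
            if direction == "OUT" and not inside:
                findings.append(f"{holder}: OUT at {ts:%H:%M} with no prior IN")
            inside = direction == "IN"
        if inside:
            findings.append(f"{holder}: no exit swipe after last entry")

    # 2. Sign-in sheet: name on roster, signed out, and escort actually inside.
    for row in parse_sheet(sheet_text):
        name = row["name"]
        if name not in roster:
            findings.append(f"{name}: not on visitor roster")
        if row["out"] is None:
            findings.append(f"{name}: no sign-out")
        if not inside_at(badge.get(row["escort"], []), row["in"]):
            findings.append(f"{name}: escort {row['escort']} not inside at sign-in")
    return findings


def run_sample():
    """Run the audit over the constructed sample records."""
    return audit(BADGE_LOG, SIGN_IN_SHEET, VISITOR_ROSTER, EMPLOYEES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The roster check is what would have caught the Mickey Mouse entry; the escort check catches the common case in the finding above, a visitor being let in by someone who never swiped, because the escort's badge then has no IN event before the sign-in time.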
Urgency Rating: *****
Risk
Control of the central computing facility is critical to the survival of CLIENT.
Unauthorized access to the computer facility, combined with unrestricted access
to administrative accounts, would allow a user to do whatever he wished.
Additional investigation revealed that developers have access to the computer
room, which effectively gives them, and anyone else in the computer room,
administrator access to the NT servers; with that access, anyone can do
whatever he wants to the systems under his control. Physical access to the
computer room also means physical access to the Sun servers and the network
core, which would allow someone to shut those systems down.
Recommendations
The following steps should be taken immediately:
Enforce strict sign-in and sign-out procedures.
Lock all NT server consoles, so that a log-in is required before they can be used.
Do not allow developers access to the computer room.
Additional steps should be taken as follows:
Physically isolate the Sun server room.