Grand Bank Corporation (GBC)—Case B

Management of GBC commissioned a security review task force to review compliance with corporate security policies and procedures at NCCC. The following observations were made during several on-site visits to NCCC and the off-site file backup storage location.
1. Frequent visitors, such as equipment technicians or important management personnel, often do not have to sign the visitor’s log.
2. The data center room door is often left unlocked by employees who are “running out for something and will be right back.”
3. The back door to the data center room is sometimes opened on very hot days to help reduce the load placed on the air conditioners.
4. Several holiday banners were noticed hanging from a fire detector and a halon gas register.
5. Several computer programmers were observed playing video games on the data terminals at their desks.
6. Several unlabeled data files were observed in the data center. Several files that should have been destroyed several days previously were found in the library.
7. Several persons have “extra” keys to the file storage vault.
8. An outside vendor provides cleaning services on Sundays during off-hours. Often no NCCC employees are at the center during this weekly cleaning.
9. The company that picks up and transports data files to the remote storage location is often late picking up the files for off-site storage.
10. Several programmers were observed walking directly into the file library and picking up removable media for usage.
11. The off-site file storage location, a very old warehouse building, lacks adequate temperature and humidity controls and also has inadequate fire detection and prevention systems.
12. Records maintained at the off-site storage location—which is used by several different companies as well as GBC—were inadequate and not up to date. The physical storage of the backup files was in locked closets labeled only by numbers.
13. Letters sent to vendors to confirm the backup support promised to NCCC, in letters obtained before equipment was actually purchased, received lukewarm and sometimes contradictory responses. In several cases, the claim was made that existing NCCC equipment is quite different from, and somewhat incompatible with, the products now offered and supported by the vendor.

1. Discuss the security problems indicated by the items noted.
2. What do these data suggest about the evaluation of general security and recovery procedures such as those in effect at GBC’s NCCC?