Information Systems Security Controls Guidance: Hardware/Downloadable Devices
Hardware/Downloadable Devices (Peripherals)/Data storage
The entity must ensure that proper protocols are in place to secure such devices (such as docking stations for laptops), re-emphasizing login/logout practices and safeguarding passwords. For example, if a PI uses a laptop between workstations or worksites which contain any elements of BSAT security information, the PI must follow proper laptop security procedures. Such protocols may include:
- Computers should be located within controlled space since the room will already have some level of physical security.
- Users should physically secure the device and password-protect/encrypt the laptop if it contains BSAT security information of any kind. This practice should be extended to desktops if a PI has an office outside the BSAT registered space.
- An entity should be wary of the inherent insecurity of tablet devices that have information storage and Wi-Fi capabilities, especially if they cannot be encrypted.
The development of well-defined policies and procedures should be considered in the entity’s overall information systems security control program.
Peripheral devices
Entities should include peripheral devices as a part of the overall information systems security control if they are used to process information required by Section 17 of the select agent rule. These devices include, but are not limited to:
- Smartphones
- USB devices (e.g. flash drives)
- USB patch cords with mini/micro connectors
- Electronic notebooks
- BlackBerrys
- PDAs
- Future technological developments
Any device which can be hidden from sight or viewed as a non-threat (smartphones, flash drives, etc.) poses a vulnerability to information systems security. The regulated community may want to include these types of devices in their information systems security protocols, or, at a minimum, include them in their information security systems training program. Risks involving peripheral devices could include but are not limited to:
- A flash drive used to download BSAT security information.
- Malicious code uploaded to corrupt BSAT data or computer systems.
- A USB drive that has touched the internet can transmit a virus to a network even if that network is isolated; that risk must be addressed.
Section 11(d)(7)(ii) of the select agent regulations requires procedures for reporting suspicious persons or activities. This provision is not limited to physical security and should be applied to information systems security as well.
Data storage
A data storage device is any device used for recording (storing) information (data). The entity should have written policies regarding the storage of BSAT information on media that can be removed and stored separately from the recording device such as:
- Computer disks
- CD-Rs
- Flash drives
- Memory cards
If the entity uses these means of archiving, even on a temporary basis, the media should be handled and secured as if they were paper hard copies (i.e., stored in a secured cabinet and in a location with the appropriate physical security measures in place). Items such as these are easily concealed and could get past institution physical security.