Evacuation Security Procedures
The following are ITS Divisional procedures for ensuring security in the event of an evacuation.
1) Before an Evacuation
BE PREPARED. The following standard protections that support evacuation security and breach detection are existing requirements and should already be in place.
- Be aware of emergency procedures for areas that you work in or support, including any responsibilities that you, personally, may have during an evacuation
- Enable screensaver/session timeouts and verify that a complex password is required to resume activity. Default session timeout is 20 minutes; 10 minutes for systems that contain or access electronic protected health information (ePHI/HIPAA data).
- Verify that logging is enabled for applications and devices that contain, access or transmit confidential or restricted data
- Install and regularly use lockdown cables - this is required for laptops and for all workstations that contain ePHI/HIPAA data
- Keep portable devices, media, and paper files containing restricted data locked up or with you when not in use. Also keep in mind ITS' policy on the storage and transmission of personal identity information (PII).
- Maintain physical security controls designed to protect sensitive areas/equipment -- don't bypass or disable them in an emergency unless there is a life safety need to do so.
- Building Safety Coordinators: Officially designated building Safety Coordinators are responsible for maintaining information about areas containing equipment that stores restricted data, and for communicating this information to the Incident Commander in the event of an evacuation.
- Where ITS manages devices that store restricted data in facilities with only non-ITS building Safety Coordinators, the person responsible for the equipment is also responsible for informing a building Safety Coordinator about it.
2) During an Evacuation
If it is safe to do so, do the following before leaving your area:
- Lock up portable equipment/media or take it with you
- Log out of systems that contain restricted data
- Terminate sessions that don't time out when not in use
- Secure sensitive paper files
- Physically secure your area
Building Safety Coordinators:
Inform the Incident Commander about areas containing equipment that stores restricted data.
3) After an Evacuation
When re-entering an evacuated area, each person is responsible for evaluating their area and computer for the possibility of a security breach.
- Indications of a possible breach are to be reported as a potential security incident.
- Follow ITS' Procedures for Compromised Computers for issues potentially involving compromised computers.