
The Texas Department of Information Resources (DIR), in section 202.70 of the Texas Administrative Code (TAC), lists rules that are applicable to Texas state universities. One such requirement is that any data essential to critical state functions must be protected from loss, contamination, or destruction (Ref: TAC 202.70).
Each PC or server accessed using this application software should be physically secured in a locked office. The office should be locked at all times that authorized personnel are not present.
Each person should determine a password for the application software, write it down on a piece of paper, put the paper in a sealed envelope, and deliver this to a supervisor. The supervisor should place the envelope in a secure location such as a locked vault, filing cabinet, or desk. It is the supervisor's responsibility to secure the envelope, and to provide it to the authorized employee when appropriate. It is the authorized employee's responsibility to change the password on a regular and reasonably frequent basis, and to provide the password to a supervisor in a sealed envelope each time the password is changed.
Software development staff should not normally have access to sensitive or confidential production data.
Use of virus protection software is recommended. CIS offers inexpensive site-licensed virus protection software through the Software Evaluation & Loan Library (SELL). For more information, contact SELL at (979) 862-4104.
Network and dial-in access should be properly secured before use. Network server access should be limited to authorized personnel. Network server permissions should be set as appropriate to limit use of the network resources to authorized personnel. Consult the network system administrator for the server used.
CIS can provide LAN support services at a separate cost.
The two top threats to computer systems are natural events (such as the weather) and electrical power problems. Power surges, brownouts, and outages are often responsible for computer problems. Roof leaks, lightning, strong winds, and floods are also hazardous natural events that cause computer malfunction. While a direct lightning strike, unexpected wind damage caused by a tornado, or flash flood waters from a hurricane are very difficult or impossible to protect against, it is possible to provide some reasonable protection for certain kinds of power-related problems.
CIS recommends that workstations be protected with at least a power strip surge protector. A surge protector is designed to remove small current/voltage spikes that might damage computer electronics. In the event of a large and sustained power surge, a surge protector is designed to burn itself out rather than transfer the power to the computer. This can cause a sudden loss of power to the computer that can still result in data loss, but the risk of loss is lessened compared to the alternative of having all the computer's electronics destroyed by a power surge.
Disaster can strike a single PC, a network server that services multiple users, or the building where computing machinery is housed. However it may happen, a disaster can render a computer system ineffective or even destroyed. A disaster recovery plan is a blueprint to reassemble a needed system from scratch. It explains what hardware is needed, the software and data that are required, necessary personnel resources, and the procedures that would have to be performed to restore the system to a functioning state.
CIS recommends that a disaster recovery plan be created for each server or computer system involved in a project, even if backups are performed regularly. A good backup system does not replace the need for a disaster recovery plan. Good backup systems may fail. Although the occurrence of a disaster may appear an unlikely risk for which to prepare, the consequences of not being able to quickly restore a system after a disaster can be grave. A little time spent to prepare a disaster recovery plan now could make the difference between being able to recover quickly and not being able to recover at all. It is negligent to allow important computing to become jeopardized by a disaster when steps could have been easily taken to prevent the effects of the catastrophe.
Like files of any other type, database files can become corrupted (damaged). The cause of the damage can range from hardware or media failure to errant software programs, malicious viruses, power outages, or other factors.
By far, the most common cause of file damage is an unexpected application termination. Always exit the application software properly by using the facilities in the application software for this purpose. Never shut off the power to the computer while still running an application.
Protection logging, also called transaction logging, is used to bring a database system's files up to date after data corruption has occurred. Protection logging is a backup/recovery method used by more robust database systems like SQL Server 7.0. With protection logging, when changes are made to the database, the changes are logged in a transaction file. Using protection logging, a damaged database can be restored from the previous backup, and then the changes that have occurred to the database since the last backup can be applied to the database up to the moment in time that the database became corrupted (this process is called rollforward). Thus, with protection logging, the data changes since the last backup are not lost. The key to being able to make transaction logging work is to have good backups of the data before it was damaged; timely backups are the only guarantee of database integrity.
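The rollforward described above, as an added Python example that is not part of the original guideline and is not how SQL Server implements it. The log sequence numbers (LSNs), record layout and account data are constructed assumptions; the point shown is that replay starts from the backup, stops before the damaging change, and refuses to continue past a missing log record.

```python
# Added example: toy rollforward. LSNs, record layout and data are constructed.
BACKUP = {"lsn": 2, "data": {"acct:1": 100, "acct:2": 50}}   # last good backup
LOG = [  # (lsn, time, key, new_value); a value of None deletes the key
    (1, 10, "acct:1", 100), (2, 20, "acct:2", 50),   # already inside the backup
    (3, 30, "acct:1", 120), (4, 40, "acct:3", 75),
    (5, 50, "acct:2", None),
    (6, 60, "acct:1", -999),                          # the damaging write
]

def roll_forward(backup, log, stop_at):
    """Restore the backup, then replay logged changes with time <= stop_at.

    Returns (data, last_lsn_applied). Raises ValueError when a log record
    is missing, because later changes cannot be applied safely past a gap.
    """
    data = dict(backup["data"])          # never modify the backup itself
    expected = backup["lsn"] + 1         # first change the backup lacks
    for lsn, when, key, value in sorted(log):
        if lsn < expected:
            continue                     # change is already in the backup
        if when > stop_at:
            break                        # stop just before the corruption
        if lsn != expected:
            raise ValueError(f"log gap: need LSN {expected}, found {lsn}")
        if value is None:
            data.pop(key, None)
        else:
            data[key] = value
        expected += 1
    return data, expected - 1

if __name__ == "__main__":
    print(roll_forward(BACKUP, LOG, stop_at=59))
```
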
The following section presents general backup information.
A backup prevents loss of data. This requires three things:
A mechanism of backup (i.e., backup software, tape drive, tapes, etc.).
A procedure for making sure that the backup is done properly on a regular basis.
Following through with the procedure by using personnel charged with performing the backup function.
The data needs to be physically secure even in the form of backup media.
CIS recommends that backups be performed daily for both servers and individual PCs.
When using a separate backup utility, it is important to make sure that no one uses the application software while the backup is being performed.
Off-site storage of backup media is strongly recommended and may be required by audit requirements.
The hardware and software mechanism of backup is beyond the scope of this document.
Depending on the nature of the data, other controls to further safeguard the data may apply. For further information, see Texas Administrative Code 202.7(b) (available on the Web in the Texas Administrative Code).
It would be ideal if a backup system could allow going back to any prior date in the past, but this may not be practical. Backup strategies differ based on need. One scenario might be to keep a week's worth of daily backups. Once a week has been completed, take the most recent backup for the week and add it to the weekly backups. Once a month of weekly backups has been completed, take the latest weekly backup and add it to the monthly backups. Once a year of monthly backups has been completed, take the last monthly backup and add it to the yearly backups. The following diagram shows how this is done:
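The daily/weekly/monthly/yearly rotation described above, as an added Python example that is not part of the original guideline. The retention counts (7 dailies, 4 weeklies, 12 monthlies, yearlies kept indefinitely), the use of ISO weeks and the sample dates are assumptions; the function reports which backup media to keep and in which tier, so anything it omits can be reused.

```python
from datetime import date, timedelta

def plan_retention(backup_dates, today, dailies=7, weeklies=4, monthlies=12):
    """Map each backup date worth keeping to its tier; others may be reused.

    The counts are assumptions: 7 dailies, 4 weeklies (about a month),
    12 monthlies (a year); yearly backups are kept indefinitely.
    """
    dates = sorted({d for d in backup_dates if d <= today})
    keep = {}

    def promote(period_of, tier, limit=None):
        # Newest backup of every *completed* period (not the one in progress).
        newest = {}
        for d in dates:                       # ascending, so last write wins
            if period_of(d) != period_of(today):
                newest[period_of(d)] = d
        chosen = sorted(newest.values())
        for d in (chosen if limit is None else chosen[-limit:]):
            keep.setdefault(d, tier)          # keep the longest-lived label

    promote(lambda d: d.year, "yearly")
    promote(lambda d: (d.year, d.month), "monthly", monthlies)
    promote(lambda d: tuple(d.isocalendar())[:2], "weekly", weeklies)
    for d in dates[-dailies:]:                # the most recent daily backups
        keep.setdefault(d, "daily")
    return keep

def sample_plan():
    # Constructed input: one backup per day, 2023-01-01 through 2024-03-15.
    today = date(2024, 3, 15)
    first = date(2023, 1, 1)
    backups = [first + timedelta(days=i) for i in range((today - first).days + 1)]
    return plan_retention(backups, today)

if __name__ == "__main__":
    for day, tier in sorted(sample_plan().items()):
        print(day, tier)
```
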
Good password selection and use practices should be part of any computer security plan. Here are some guidelines for selecting and using passwords.
(1) make and maintain records documenting the organization, functions, policies, decisions, procedures, and essential transactions of the agency or institution;
(2) establish and maintain an active, continuing program for the economical and efficient management of the records of the agency or institution;
(3) submit to the Director, SLRMD of the State Library, schedules proposing the length of time each State record series should be retained for administrative, legal, historical or fiscal purposes; and
(4) appoint an employee performing other administrative duties to act as records management officer, and, in that role, to comply with the rules, standards, and procedures issued by the SLRMD.
The Texas A&M University System and Texas A&M University records schedule can be obtained at http://library.tamu.edu./records, by email at rmdesk@lib-gw.tamu.edu, or by calling 979-458-1470.