Muir Russell report on CRU's computer network and security during the SwiftHack cyber-attack
From Sir Muir Russell's report on the "Climategate" non-scandal, page 101, section 11.3.1:
This sort of confirms my earlier guess over at the Air Vent that there was a system for backing up e-mails from Windows machines in addition to a system to back up mail right at the (central) UEA gateways. Note that although the Windows backups are managed by CRU staff, they're said to go to the "Central IS machine room", i.e. the backups are kept somewhere in UEA's central computing facilities. This is interesting.
- IT Organisation. In common with other areas of the Science Faculty, CRU [the Climatic Research Unit of the University of East Anglia] operates largely independently of the central IS [information systems] functions of the UEA. [...] CRU has its own local [computer network] architecture based on a mix of individual PC based and server based processing. In common with many other research groups across the university, this is distinct from the UEA preferred model of client-server operation. Internet communications for CRU is however routed over the university network and through the university firewall. CRU has its own IT Manager for whom CRU is 40% of his workload. CRU originally had no central backup arrangements for the individual researchers' PCs however its IT Manager introduced automated backup (using open source software) to a simple server held securely within the Central IS machine room.
Unfortunately, there's not much detail beyond that. From the same section, on page 102:
And on page 103, section 11.3.3:
- Policy. A high level 'Information Systems Policy' and a related 'Information Security Policy'4 were agreed and put in place in 2005 under the aegis of UEA's Information Systems Strategy Committee (ISSC), which includes representatives of all four Faculties. Low level, detailed, security policies had been developed and put in place by 20075.4 These can be downloaded from: http://www.uea.ac.uk/is/itregs/ictpolic
5 A draft Security Manual (not available for public download) was received by the Review on 8th February.
- Information security. We found that the basic security processes had been appropriately specified and documented by the UEA's Information Systems Strategy Committee. We are constrained in our detailed findings by the fact that a police investigation into the unauthorised release of information is ongoing.
Update 2010-08-21: I wasn't entirely correct: the central UEA e-mail service did not store long-term backups of mails.