Data Center Requirements IBK3IBV01 College 6 Paul J. Cornelisse

Page 1: Title slide

Page 2:

The nature of physical security for a data center should be one of concentric rings of defence, with the requirements for entry getting more difficult the closer we get to the centre of the rings.

Page 3:

The reason for this is obvious: if we take a number of precautions to protect information accessed at devices throughout the organization, then we must at least make sure that no damage or tampering can happen to the hardware on which that information is stored and processed.

Page 4:

We should start by considering the data center itself.

Is the building that houses the data center standing by itself, or is the data center in a building that houses other functions?
If the data center is in a dedicated building, what approaches are open to the building?
How well protected are staff as they enter and leave the building?

Page 5:

Remember: the cost of controls must be consistent with the value of the asset being protected. The definition of "consistent" depends on what risks your organization's management decides to accept.

Pages 6-10: Concentric rings diagram, built up one ring per slide

Outer ring: Everyone
Middle ring: Employees, authorised visitors and vendors
Inner ring: Employees and accompanied vendors only

Page 11:

When considering the physical access controls that are appropriate for (and consistent with) your organization, we must take into account a number of variables, including:

the assets to be protected
the potential threat to those assets
your organization's attitude to risk

Page 12:

The amount of effort put into protecting physical assets, and how that effort is divided between different forms of protection, depends on variables such as:

Centralisation (server farms)
Decentralisation
Attitude of management

Page 13:

Assess potential threats
Assess the company's attitude towards risk

Page 14:

Daily business activities involve constant risk assessment. Every decision that is taken and will influence how an organization does business involves a form of risk assessment in the act of making the decision.

Page 15:

It is no different with information security decisions. When facts and opinions have been made available to management and senior management, it is their function to decide how risks will be managed.

Page 16:

No "one-size-fits-all" solution exists.

Page 17:

Consider:

Page 18:

Defined perimeters through strategically located barriers throughout the organization, consistent with the value of the assets or services being protected
Support functions and equipment are on site
Physical barriers, where they are necessary, are extended from floor to ceiling (a partition that stops at a suspended ceiling or raised floor can simply be climbed over or crawled under)
Personnel other than those working in a secure area are not informed of the activities within the secure area

Page 19:

Working alone and unsupervised in sensitive areas must be prohibited
Computer equipment managed by the organization is housed in dedicated areas, separate from third-party-managed computer equipment
Secure areas, when vacated, must be physically locked and periodically checked
Personnel supplying or maintaining support services are granted access to secure areas only when required and authorized, their access restricted, and their activities monitored

Page 20:

Unauthorized photography, recording, or video equipment must be prohibited within the security perimeters
Entry controls over secure areas must be established to ensure only authorized personnel can gain access, and a rigorous, auditable procedure for authorizing access must be put in place

Page 21:

Visitors to secure areas must be supervised, and their date and time of entry and departure must be recorded
Visitors to secure areas are granted access only for specific, authorized purposes
All personnel must be required to wear visible identification within the secure area
Access rights to secure areas are to be revoked immediately for staff members who leave employment
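The rules on pages 19 to 21, together with the three rings from pages 6 to 10, can be turned into a single access-decision routine. The following is an added example written for this page, not code from the original slides; the ring numbers, badge identifiers, names and timestamps are constructed. It assumes a reader may be presented with more than one badge at once (an escort and the vendor being escorted), and it enforces anti-passback between rings, the escort requirement, the two-person rule, immediate revocation for leavers, and a timestamped audit trail for every decision.

```python
"""Badge-access evaluator for the concentric-ring model (added example).

Rings: 0 = public (everyone), 1 = office (employees and authorised
visitors/vendors), 2 = secure area (employees, vendors only when
accompanied). Badge data and timestamps below are constructed.
Rules enforced:
  * valid, unrevoked badge authorised for the ring,
  * the holder must already be in the next ring out (anti-passback),
  * after any entry the secure area holds at least two people and at
    least one employee (no unescorted vendors, nobody working alone),
  * every decision and revocation is appended to a timestamped audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime

PUBLIC, OFFICE, SECURE = 0, 1, 2


@dataclass
class Badge:
    holder: str
    kind: str          # "employee", "visitor" or "vendor"
    max_zone: int      # innermost ring this badge may enter
    revoked: bool = False


@dataclass
class AccessControl:
    badges: dict
    occupants: dict = field(default_factory=lambda: {z: set() for z in (PUBLIC, OFFICE, SECURE)})
    audit: list = field(default_factory=list)

    def _log(self, when, ids, zone, event, result):
        self.audit.append((when.isoformat(timespec="seconds"), tuple(ids), zone, event, result))

    def _badge_problem(self, badge_id, zone):
        badge = self.badges.get(badge_id)
        if badge is None or badge.revoked:
            return "unknown or revoked badge %s" % badge_id
        if zone > badge.max_zone:
            return "%s is not authorised for ring %d" % (badge.holder, zone)
        if zone > PUBLIC and badge_id not in self.occupants[zone - 1]:
            return "%s is not in ring %d (anti-passback)" % (badge.holder, zone - 1)
        return None

    def enter(self, badge_ids, zone, when):
        """Admit all badges presented together, or deny them all; returns (ok, reason)."""
        reason = None
        for bid in badge_ids:
            reason = self._badge_problem(bid, zone)
            if reason:
                break
        if reason is None and zone == SECURE:
            inside = self.occupants[SECURE] | set(badge_ids)
            if not any(self.badges[b].kind == "employee" for b in inside):
                reason = "non-employees must be accompanied by an employee"
            elif len(inside) < 2:
                reason = "two-person rule: nobody works alone in the secure area"
        if reason:
            self._log(when, badge_ids, zone, "enter", "denied: " + reason)
            return False, reason
        for bid in badge_ids:
            if zone > PUBLIC:
                self.occupants[zone - 1].discard(bid)
            self.occupants[zone].add(bid)
        self._log(when, badge_ids, zone, "enter", "granted")
        return True, None

    def leave(self, badge_id, zone, when):
        """Move one badge a ring outward; alert if somebody is left alone inside."""
        if badge_id not in self.occupants[zone]:
            self._log(when, [badge_id], zone, "leave", "denied: not present")
            return False
        self.occupants[zone].discard(badge_id)
        if zone > PUBLIC:
            self.occupants[zone - 1].add(badge_id)
        result = "granted"
        if zone == SECURE and len(self.occupants[SECURE]) == 1:
            result = "granted; ALERT: one person now alone in the secure area"
        self._log(when, [badge_id], zone, "leave", result)
        return True

    def revoke(self, badge_id, when):
        """Leavers lose access immediately: the next presentation is refused."""
        self.badges[badge_id].revoked = True
        self._log(when, [badge_id], None, "revoke", "done")


def demo():
    """Constructed walk-through; returns the outcome of each check."""
    ac = AccessControl(badges={
        "E1": Badge("Ann", "employee", SECURE),
        "E2": Badge("Bob", "employee", SECURE),
        "V1": Badge("Vendor Co. engineer", "vendor", SECURE),
        "X1": Badge("Former staff", "employee", SECURE),
    })
    t = datetime(2024, 1, 15, 9, 0)
    for bid in ("E1", "E2", "V1", "X1"):
        ac.occupants[PUBLIC].add(bid)        # everyone starts outside
        ac.enter([bid], OFFICE, t)
    out = {}
    out["vendor_alone"] = ac.enter(["V1"], SECURE, t)[0]        # no escort
    out["employee_alone"] = ac.enter(["E1"], SECURE, t)[0]      # two-person rule
    out["escorted"] = ac.enter(["E1", "V1"], SECURE, t)[0]      # escort and vendor together
    ac.revoke("X1", t)
    out["revoked"] = ac.enter(["X1"], SECURE, t)[0]
    ac.badges["E3"] = Badge("Cy", "employee", SECURE)
    ac.occupants[PUBLIC].add("E3")
    out["skipped_ring"] = ac.enter(["E3"], SECURE, t)[0]       # still in the public ring
    ac.leave("E1", SECURE, t)                                   # leaves the vendor alone
    out["alone_alert"] = "ALERT" in ac.audit[-1][4]
    return out
```

The two-person rule is checked on the state the secure area would be in after the entry, which is why a vendor and escort must be presented together at the reader, and why a lone employee is refused until a colleague badges in with them. On exit the evaluator cannot lock someone in, so the last person being left alone is raised as an alert for the control room rather than denied.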

Page 22:

"No smoking" is the first rule.
All flammable material, such as

printer paper
plastic wrapping
and tapes

should be stored in an area separated from the main server or computer room by a fire-rated wall.

Page 23:

Flammable or highly combustible materials must also be kept out of the premises.
Ventilation and grounding are the keys.
Keep the temperature around 23 °C.
Put in appropriate fire detection systems.

Page 24:

Fire fighting

Fire fighting can result in as much damage as the fire does (water, and to a lesser degree a gas discharge, can ruin equipment the fire never reached).
Passive systems
Active systems

Page 25:

Examples of passive systems (as the slides label them; note that in fire-protection terminology sprinklers and gas suppression are normally called active systems, and "passive" refers to compartmentation such as the fire-rated walls on page 22)

Sprinklers
Flooded (wet pipe: the pipes are always full of water)
Dry (the pipes hold air and are charged with water only after detection)

Gas
Halon 1301 (no longer produced, as an ozone-depleting agent; legacy installations only)
FM200
CO2 (lethal to occupants at extinguishing concentrations; the room must be evacuated before discharge)

One shot! (a gas system releases its entire charge once and gives no protection until it has been refilled)

Page 26:

Active systems

Detectors
Pre-flooding of dry system pipes
Wait until the 2nd criterion is met (for example a second, independent detector zone before the pipes are flooded, and a fused sprinkler head before water is actually released, so that one faulty detector cannot flood the room)
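The "wait until the 2nd criterion is met" rule is a small piece of control logic that is easy to get wrong. The following is an added example, not code from the original slides or from any real fire panel; the zone names and event sequences are constructed. It assumes a cross-zoned pre-action arrangement: one detector raises an alarm for verification, two independent zones open the pre-action valve and flood the dry pipes, and water reaches the room only when a sprinkler head fuses while the pipes are flooded. A head that opens while the pipes are still dry, or a detector circuit in fault, never releases water.

```python
"""Cross-zoned pre-action sprinkler control logic (added example).

Models the 'wait until the 2nd criterion is met' rule: a single detector
only raises an alarm, two independent detection zones open the valve
and flood the dry pipes, and water is released only when a sprinkler
head fuses on flooded pipes. Zones and events below are constructed.
"""
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    ALARM = "alarm"            # one zone alarmed: notify and verify, pipes still dry
    PRECHARGED = "precharged"  # two zones alarmed: valve open, pipes flooded
    DISCHARGE = "discharge"    # head fused with flooded pipes: water released
    TROUBLE = "trouble"        # fault, or head open on dry pipes: needs a technician


class PreActionPanel:
    def __init__(self, zones):
        self.zones = set(zones)
        self.reset()

    def reset(self):
        self.state = State.NORMAL
        self.alarmed = set()       # zones currently reporting fire
        self.faulty = set()        # zones in fault; their reports are ignored
        self.pipes_flooded = False
        self.log = []
        return self.state

    def _note(self, msg):
        self.log.append(msg)

    def detector(self, zone):
        """A smoke or heat detector in `zone` reports fire."""
        if zone not in self.zones:
            raise ValueError("unknown zone %r" % zone)
        if zone in self.faulty:
            self._note("ignored alarm from faulty zone %s" % zone)
            return self.state
        self.alarmed.add(zone)
        if len(self.alarmed) >= 2 and not self.pipes_flooded:
            self.pipes_flooded = True          # 2nd criterion: open the pre-action valve
            self.state = State.PRECHARGED
            self._note("cross-zone confirmation %s: pipes flooded" % sorted(self.alarmed))
        elif self.state in (State.NORMAL, State.TROUBLE) and not self.pipes_flooded:
            self.state = State.ALARM
            self._note("single zone %s alarmed: verify, pipes dry" % zone)
        return self.state

    def fault(self, zone):
        """Supervisory fault on a detector circuit: the zone can no longer confirm a fire."""
        self.faulty.add(zone)
        self.alarmed.discard(zone)
        if not self.pipes_flooded:             # water already in the pipes is not withdrawn
            self.state = State.ALARM if self.alarmed else State.TROUBLE
        self._note("zone %s in fault" % zone)
        return self.state

    def head_fused(self):
        """A sprinkler head opens from heat."""
        if self.pipes_flooded:
            self.state = State.DISCHARGE
            self._note("head fused on flooded pipes: water released")
        else:
            # Supervisory air escapes but no water flows: the pre-action safeguard.
            self.state = State.TROUBLE
            self._note("head open on dry pipes: air loss, no discharge, investigate")
        return self.state

    def releasing_water(self):
        return self.state is State.DISCHARGE


def demo():
    """Three constructed scenarios; returns the final state of each."""
    panel = PreActionPanel(["north", "south"])
    # One detector plus a fused head: the pipes were dry, so nothing is released.
    panel.detector("north")
    one_zone = panel.head_fused()
    # Two zones confirm, then a head fuses: genuine fire, water released.
    panel.reset()
    panel.detector("north")
    panel.detector("south")
    confirmed = panel.head_fused()
    # A faulty zone cannot count as the second criterion.
    panel.reset()
    panel.fault("north")
    panel.detector("north")
    faulty = panel.detector("south")
    return {"one_zone": one_zone, "confirmed": confirmed, "faulty": faulty}


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state.value)
```

The design choice worth noting is that the valve opens on the detection side only after two zones agree, while the head on the suppression side is the physical second interlock; a single false alarm or a knocked-off head therefore produces a trouble signal for a technician rather than a flooded server room, which is exactly the damage the previous slide warns about.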

Page 27:

Disposal of documents

Verifiable, under policies and standards for the protection of data throughout the workplace.
It makes sense that if we are to spend any money or effort to protect information, then the "circle of protection" ought to surround the information all the way to its destruction.

Page 28:

Avoid using large receptacles clearly marked "Confidential Documents Only."
Every single department in the organization must have easy access to the containers used.
Collection at fixed points, in receptacles lined with opaque bags.
Locked bins? They attract attention!

Page 29:

Ways of disposing:

Certified recycler
Shredders (cheap strip-cut shredders are unsafe, since the strips can be reassembled; shredding in-house is also labour intensive)
Shredding service (certified)

Page 30:

Everyone outside the organization involved in the destruction of the documents (waste haulers, recycling facilities, landfill and incinerator owners) should sign an agreement stating that they know they will be handling confidential information and agree to maintain the confidentiality of that information.

Page 31:

Contracts

Specify the method of destruction/disposal
Specify the time that will elapse between acquisition and destruction/disposal of documents (or electronic media, if that is also to be disposed of)
Establish safeguards against breaches in confidentiality
Indemnify the organization from loss due to unauthorized disclosure
Require that the vendor maintain liability insurance in specified amounts at all times the contract is in effect
Provide proof of destruction/disposal

Page 32:

Ensure that the loading dock is secure at all times.
A container for the documents and the loading dock itself must be designed to minimize or eliminate the risk of documents blowing around in the wind before or while they are being collected for disposal.

Page 33:

Duress alarms
Silent alarms (a duress alarm must give no indication at the point of use, so that a staff member under threat can trigger it without the attacker noticing)

Intrusion detection systems
The simplest intrusion detection system is a guard patrol.

Page 34:

Elements to be considered

Video surveillance
Illumination
Motion detection sensors
Heat sensors
Alarm systems for windows and doors
"Break-glass" sensors (these are noise sensors that can detect the sound made by breaking glass)
Pressure sensors for floors and stairs

Page 35: (no text)