Embed Size (px)
Citation preview
PHYSICAL SECURITY IN GOVERNMENT AGENCIES
DATA CENTRE
BY
BAZRULDILAH BIN BASOR
A dissertation submitted in fulfilment of the requirement for
the degree of Master of Protective Security Management
Kulliyyah of Information and Communication Technology
International Islamic University Malaysia
MARCH 2016
ii
ABSTRACT
Data centre is a central repository for the storage, management, and dissemination of
data supporting one or multiple organizations. Many studies have been carried out to
measure and quantified quality of physical security elements in data centres. Physical
security should also be incorporated by identifying the risks with comparison to the
value of the assets. It is based on the principle of defense-in-depth. In this study
physical security observation and assessment of the completed data centre were done
by visual observation in which photos were taken during the visual survey of all Data
Centres. Questionnaire survey and face to face interviews were conducted by
researcher. Analysis of the result showed that physical security implementation in data
centre did not comply to the specifications prescribed by the security standard of data
centre it could not prevent any intrusion and security threat. Result from observations
and face to face interviews and questionnaire survey concluded that the government
data centre did not follow the physical security procedure.
iii
البحث ملخصABSTRACT IN ARABIC
دعا مركزيا لتخزين، وإدارة، وتوزيع البيانات التي تنتمي إلى مؤسسة يعتبر مركز البيانات مستو أو عدة مؤسسات. لقد أجريت عدة دراسات لأجل قياس وتكميم نوعية الحماية الفيزيائية لأجزاء مراكز البيانات. في الحقيقة ينبغي أن تؤخذ قضية الأمن الفيزيائي بعين الإعتبار؛
رنة بقيمة الممتلكات، وهذا بناء على مبدأ الدفاع أو الحماية وذلك بحصر المخاطر المتوقعة مقاالمكثفة. لقد تم في هذه الدراسة إجراء ملاحظة بصرية لكل من ملاحظة وتقييم الحماية الفيزيائية لمركز البيانات الذي تم إنشاؤه، وذلك بواسطة التقاط صور خلال عملية المسح
نسبة للإستبيانات؛ فقد قام الباحث بذلك عن طريق البصري الشامل لمركز البيانات. أما بالعقد مقابلات مباشرة. وقد أثبت تحليل النتائج بأن العامل المؤثر على الحماية الفيزيائية في مركز البيانات هو التزام المميزات الموصوفة من طرف ضوابط الحماية لمركز البيانات، والتي
لقد أدت النتائج المتوخاة من الملاحظات، يمكن أن تمنع تهديدات التطفل والحماية. والمقابلات المباشرة، والإستبيانات إلى استنتاج أن مركز البيانات التابع للحكومة لم يتبع
إجراءات الحماية الفيزيائية.
iv
APPROVAL PAGE
I certify that I have supervised and read this study and that in my opinion, it conforms
to acceptable standards of scholarly presentation and is fully adequate, in scope and
quality, as a thesis for the degree of Master of Protective Security Management.
...............................................................
Maisarah Ali
Supervisor
I certify that I have read this study and that in my opinion, it conforms to acceptable
standards of scholarly presentation and is fully adequate, in scope and quality, as a
thesis for the degree of Master of Protective Security Management.
...............................................................
Abdul Rahman Ahlan
Examiner
This dissertation was submitted to the Centre for IT Advancement and is accepted as a
fulfilment of the requirement for the degree of Master of Protective Security
Management.
...............................................................
Lili Marziana Abdullah
Head, Centre for IT Advancement
This dissertation was submitted to the Kulliyah of Information and Communication
Technology and is accepted as a fulfilment of the requirement for the degree of Master
of Protective Security Management.
...............................................................
Abdul Wahab Bin Abdul Rahman
Dean, Kulliyyah of Information and
Communication Technology
v
DECLARATION
I hereby declare that this dissertation is the result of my own investigations, except
where otherwise stated. I also declare that it has not been previously or concurrently
submitted as a whole for any other degrees at IIUM or other institutions.
Bazruldilah Basor
Signature …………………………………… Date ……………………..
vi
COPYRIGHT
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA
DECLARATION OF COPYRIGHT AND AFFIRMATION OF
FAIR USE OF UNPUBLISHED RESEARCH
PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA
CENTRE
I declare that the copyright holder of this dissertation is Bazruldilah Basor
Copyright © 2016 Bazruldilah Basor All rights reserved.
No part of this unpublished research may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise without prior written permission of the copyright holder
except as provided below
1. Any material contained in or derived from this unpublished research may
be used by others in their writing with due acknowledgement.
2. IIUM or its library will have the right to make and transmit copies (print
or electronic) for institutional and academic purposes.
3. The IIUM library will have the right to make, store in a retrieved system
and supply copies of this unpublished research if requested by other
universities and research libraries.
By signing this form, I acknowledged that I have read and understand the IIUM
Intellectual Property Right and Commercialization policy.
Affirmed by Bazruldilah Basor
……..…………………….. ………………………..
Signature Date
vii
ACKNOWLEDGEMENTS
All praises to Allah the Almighty God for the successful completion of my
dissertation at International Islamic University Malaysia. My sincere gratitude and
appreciation to my parent, my lovely wife and everyone who has given me
motivation, guidance, support and advice throughout this dissertation exercise.
My special thanks to my supervisor Prof.Ir.Dr. Maisarah Ali for her advise,
guidance and mentorship during the project period. Her comments and review on the
subjects are fruitful for the success of this dissertation.
I am also grateful for the support and encouragement from the Head of Centre
for IT Advancement (CITA), Kulliyah of Information and Communication
Technology, Ass. Prof Dr. Lili Marziana binti Abdullah who gave me courage and
strength to complete this dissertation.
Thanks all of the officers from Chief Government Security Office (CGSO),
Prime Ministers Department especially Dato’ Aloyah binti Mamat, General Director
of CGSO and Madam Julaila binti Engan, Head of ICT Security and Official Secret
Department, CGSO who gave me motivation. Special thanks also to those people who
are involved in the preparation and collection of the data.
viii
TABLE OF CONTENTS
Abstract ........................................................................................................................ ii Abstract in Arabic ........................................................................................................ iii Approval Page .............................................................................................................. iv
Declaration ................................................................................................................... v Copyright ..................................................................................................................... vi Acknowledgements ...................................................................................................... vii List of Tables ............................................................................................................... xi List of Figures .............................................................................................................. xii
List of Abbreviations ................................................................................................... xiii
CHAPTER ONE: INTRODUCTION ..................................................................... 1 1.1 Background ................................................................................................. 1
1.1.1 Data Centre Physical Security Environment Protection ................... 3 1.1.2 Leaking of Government Classified Information ............................... 4
1.2 Physical Security ........................................................................................ 5
1.3 Physical and Logical Security in Data Centre ............................................ 7 1.4 Problem Statement ...................................................................................... 8
1.5 Research Aims and Objectives ................................................................... 9 1.6 Outline of Research Methodology ............................................................. 10
CHAPTER TWO: LITERATURE REVIEW ........................................................ 12 2.1 Introduction................................................................................................. 12
2.1.1 Guiding Principles for Development Data Centre ............................ 13
2.1.2 Main Components of Data Centre .................................................... 13
2.2 Security Threat............................................................................................ 13 2.2.1 Anonymous Hackers ......................................................................... 14
2.2.2 Malware and Advanced Persistent Threats (APTs) .......................... 15 2.2.3 Denial of Service ............................................................................... 15
2.2.4 Data Leaks, Data Loss and Data Breaches ....................................... 17 2.2.5 Physical Threats ................................................................................ 17
2.3 Roles and Responsibilities .......................................................................... 20
2.3.1 Head of Department .......................................................................... 20 2.3.2 Chief Information Officer ................................................................. 20
2.3.3 ICT Security Officer ......................................................................... 21 2.4 Security-in-Depth ....................................................................................... 21 2.5 Elements of Physical Security Planning ..................................................... 21
2.6 Physical Security in Data Centre ................................................................ 22 2.6.1 Design and Layout Physical Data Centre ......................................... 23 2.6.2 External Aspects in Physical Security Data Centre .......................... 27 2.6.3 Internal Aspects Physical Security in Data Centre
Environment ..................................................................................... 28 2.6.4 Detection System and Fire Fighting.................................................. 37 2.6.5 Environmental Monitoring System for Data Centre ......................... 43 2.6.6 Network cabling system .................................................................... 44
2.7 Data Security and Media Storage ............................................................... 46
ix
2.8 Disaster Recovery Centre (DRC) ............................................................... 46
2.8.1 Process Involved in Disaster Recovery Plan..................................... 47 2.8.2 Disaster Recovery Center (DRC) ...................................................... 48
2.9 Physical Security Data Centre Related Laws ............................................. 49 2.9.1 Malaysian Communications and Multimedia Commission Act
1998 .................................................................................................. 50 2.9.2 Official Secrets Act 1972 .................................................................. 50 2.9.3 Protected Areas and Protected Places Act 1959 ............................... 51
2.9.4 Fire Services Act 1988 ...................................................................... 51 2.9.5 Cyber Laws ....................................................................................... 52
2.10 Summary ................................................................................................... 54
CHAPTER THREE: RESEARCH METHODOLOGY ....................................... 55 3.1 Introduction................................................................................................. 55
3.2 Research Design ......................................................................................... 56
3.2.1 Research Approached ....................................................................... 56 3.2.2 Research Process ............................................................................... 56
3.3 Sampling ..................................................................................................... 58 3.3.1 Sampling Technique ......................................................................... 58
3.3.2 Calculating the sample size ............................................................... 58 3.4 Questionnaire .............................................................................................. 59
3.4.1 Designing Questionnaire ................................................................... 60 3.5 Pilot Survey ................................................................................................ 62 3.6 Physical Security of Data Centre Survey Work ......................................... 63
3.6.1 Observation ....................................................................................... 64 3.6.2 Planning for Question Process .......................................................... 64
3.7 Data Analysis .............................................................................................. 65 3.8 Summary ..................................................................................................... 65
CHAPTER FOUR: RESULT AND FINDINGS .................................................... 67 4.1 Introduction................................................................................................. 67
4.2 Data Analysis and Discussion .................................................................... 67
4.3 Observation Result...................................................................................... 67 4.4 Demographics ............................................................................................. 73 4.5 Security Awareness of the Data Centre Personnel ..................................... 75 4.6 Fire Drill Training....................................................................................... 76 4.7 Respondents Feedback for Physical Security in Data Centre ..................... 77
4.7.1 Location of Data Centre .................................................................... 77 4.7.2 Access Control .................................................................................. 78 4.7.3 Fire Hazard ........................................................................................ 80 4.7.4 Surveillance ....................................................................................... 81
4.7.5 Temperature and Relative Humidity ................................................. 83 4.7.6 Procedures ......................................................................................... 84 4.7.7 Security Committee ........................................................................... 86
4.7.8 Security Incident ............................................................................... 89 4.8 Summary ..................................................................................................... 90
CHAPTER FIVE: CONCLUSION AND RECOMMENDATION ...................... 92 5.1 Introduction................................................................................................. 92
x
5.2 Conclusion .................................................................................................. 92
5.3 Limitations and Implications of the Study.................................................. 95 5.4 Recommendation for Further Research ...................................................... 96
REFERENCES ........................................................................................................... 97
APPENDIX A: PHOTOS OF PHYSICAL SECURITY IN DATA
CENTRE ...................................................................................... 100 APPENDIX B: QUESTIONNAIRE ..................................................................... 105
xi
LIST OF TABLES
Table 3.1 Data Centre Observation and Interview 63
Table 4.1 Observation Finding From the Survey of Data Centre 68
Table 4.2 The Observation of Location 68
Table 4.3 The Observation of Fire Hazard 69
Table 4.4 The Observation of Access Control 70
Table 4.5 The Observation of CCTV 72
Table 4.6 The Respondents Gender 73
Table 4.7 The Respondents Job Level 74
Table 4.8 The Respondents Education Level 74
Table 4.9 The Respondents Working Experience 75
Table 4.10 The Respondents and Security Awareness 76
Table 4.11 The Relationship between Job Level and Number of Fire Drill
Training 76
Table 4.12 The Relationship between Aspects in Fire Hazard and Practice
Session and Drill 80
Table 4.13 The Implementation of Security Guard in the Data Centre 82
Table 4.14 The Percentage of Security Guard Implemented By the Data
Centre 82
Table 4.15 The Respondent Respond of Temperature and Humidity 83
Table 4.16 Temperature and Humidity Respondents Average 84
Table 4.17 The Respondent Respond of Security Incident 89
xii
LIST OF FIGURES
Figure 1.1 Flow Chart of Research Process 11
Figure 2.1 The Elements of Physical Security Planning 22
Figure 2.2 An Example of Optimum Height Data Centre 24
Figure 2.3 Tile Puller 25
Figure 2.4 The Size Ratio Ramp Construction 26
Figure 2.5 The Handrail Ramp 26
Figure 2.6 CCTV Device’s 29
Figure 2.7 Network Grounding System in a Data Centredi 32
Figure 2.8 Precision Air Conditioner 34
Figure 2.9 Comfort Air Conditioner 34
Figure 2.10 Meter Temperature and Relative Humidity 34
Figure 2.11 The Distance between the Air Handler and Rack Server 35
Figure 2.12 Distance between Server Rack and Rack Space in Use 36
Figure 2.13 Openings in Need Tiles Closed 36
Figure 2.14 Hot Aisle/ Cold Aisle Approach 37
Figure 2.15 Fire Extinguishing Halocarbon Types 40
Figure 2.16 Fire Extinguishing Inert Type 41
Figure 2.17 A Best Method of Cable Preparation 45
Figure 4.1 The Percentage of Suitability of Data Centre Location 77
Figure 4.2 Relationship between Access Control and Methods 78
Figure 4.3 Respondent Response to Implemented Of DRC 85
Figure 4.4 The Respondent Response On Security Committee 86
xiii
LIST OF ABBREVIATIONS
ACS Access Control System
APTs Access Control System
BYOD Bring Your Own Device
CA Certification Authorities
CCA Computer Crimes Act
CCTV Closed Camera Television
CGSO Chief Government Security Office
CIO Chief Information Officer
CMA Communications and Multimedia Act
CRAC Computer Room Air Conditioners
DOS Denial of Service
DRC Disaster Recovery Centre
DRP Disaster Recovery Plan
EMI Electromagnetic interference
ESD Electronic Discharge
Gbps Gigabits per second
GDP Government Development Program
HSC Higher School Certificate
ICT Information and Communication Technology
ICTSO Information and Communication Technology Security
Officer
ID Identification
IDS Intrusion Detection System
IPS Intrusion Prevention System
IT Information Technology
Kbps Kilo bits per second
MAMPU The Malaysian Administrative Modernization and
Management Planning Unit
Mbps Mega bits per second
MCE Malaysian Certificate Education
MCMC Malaysian Communications and Multimedia Commission
MHz Megahertz
NOC Network Operation Centre
NT Windows NT (Support multiple file system)
PCN Putrajaya Campus Network
RH Relative Humidity
SMB Small to midsize business
SOP Standard Operational Procedure
SPM Malaysian Certificate of Education
STP Shielded Twisted Pair
STPM Malaysian Higher Education School Certificate
UPS Uninterruptible Power Supply
UTP Unshielded Twisted Pair
1
CHAPTER ONE
INTRODUCTION
1.1 BACKGROUND
The data center is a special facility to locate and operate computer systems and other
equipment and is supported by major facilities such as cooling systems, electric
power, environmental control, fire prevention, security systems and so on. A well-
managed data centre that is well managed will increase the level of productivity of an
agency by providing efficient access to the data system and data is readily available
due to and high-speed processing.
Many public sector agencies already have data center facility to house their
ICT equipment and support the management information system. Based on a study
conducted by ICTSO on data centre, it appears that many of the data centers not meet
the minimum standards set by international standards in the aspects of physical space,
cooling system, power supply system security etc.
It is well known that an agency's service delivery system is highly dependent
on the efficiency and effectiveness of the agency's information management system.
The stability and efficiency of data center management also plays an important role as
the heart of the agency in information management system is readily available with
high speed. Therefore, the guidelines will provide the basis for improving the quality
of data center services in Public Sector agencies (MAMPU, 2014).
One Malaysia Government Transformation Programmed (GTP), New
Economic Model (NEM) and the Tenth Malaysia Plan (10MP) and a national strategic
plan laid a stronger foundation for national development in order to achieve the goals
of Vision 2020. ICT played an important role as a leader and facilitate an excellent
2
service where is impact for agency can as the site for foundation and the heart of ICT
services. Data centre and disaster recovery center or (Disaster Recovery Center -
DRC) play on important role. Data centre need to be well managed so that the level of
availability and high performance is visible from the upstream ICT services.
Malaysia has 113 Ministries/Department/Agencies in the Public Sector that in
total they own 117 data centre spanning 160,000 square feet of space, and house
almost 5,000 servers. Unfortunately, a large number of these facilities and the
technologies within them are already obsolete, while others have reached the
maximum limits of their electrical supply and floor space.(MAMPU, 2014).
500 of dedicated IT personnel and ICT Security Officer managed these data
centre on a 24/7 basis. More than half of these data centre are also being serviced by
private contractors with varying degrees of service levels. Despite of having such a
large number of data centre, the Public Sector is still very much lacking in disaster
recovery centre (DRC) facilities, with only 11 agencies having such capabilities. Most
of the DRC facilities are owned and managed by the private sector. Malaysian
Government IT applications are indeed in a state of severe vulnerability unless drastic
measures are taken to address them immediately, such as through consolidation of
data centre and DRC. Consolidation of all Government data centre into several large,
modern, state-of-the-art and energy-efficient and cost-efficient facilities called Pusat
Data Sektor Awam (PDSA) means migration of the IT resources housed in the
existing data centre into the consolidated facilities. Thus the released space can be
utilized for other purposes.
The consolidation data centre would also mean the ability to reap the full
benefits of IT procurement and deployment afforded by the scale of economics. There
will also be an increased opportunities for the use of ‘green’ technologies,
3
virtualization techniques and cloud computing to further maximize the capacities of
hardware, software and services on a shared basis for the whole community of users.
1.1.1 Data Centre Physical Security Environment Protection
Security measures for data centre environment protection are designed to protect
information process, stored and transmitted in electronic format. These measures
cover the protocol to establish and protect the password, use an anti - virus product,
control by minimizing security risk when sending e -mail or using the Internet and the
phone, the process prevents unauthorized access to a computer by a computer lock
when leaving the room and comply with security protocols when bringing a laptop or
other portable electronic devices tool for field assignments .Classified information the
development of ICT in the implementation of e-Government requires security
protection system to be developed to meet the needs of protecting official secrets
records electronically in accordance with the requirements of Act 88 and the Security
Directive . (Official Secret Act, 1972).
Classified information or official secrets should also be processed in electronic
form. Encryption technology should be integrated into the system. All computer
terminals used need to go through the process of sustainability as a way to give
confirmation that the information in the computer is not easily robbed out. All process
of official secret classified information should be recorded and any non-compliance
will be easily detected. This system allows the entire process of sending documents or
confidential or classified information officially recorded and any activity can be
investigated thoroughly discredited.
Data centre is like a file or vault that stores the official documents and official
secret government. Physical security at data centers is essential so that all forms of
4
security threats can be prevented. Each government agency must ensure that the
physical security comply with the specifications prescribed by the safety standards of
data centre where it can prevent intrusion and security threats.
1.1.2 Leaking of Government Classified Information
Cases where even small leaks cannot be underestimated and should be brought to
justice. This is because the leakage of government information could affect their
credibility, integrity and putting the government in a quandary and a factor for barrier
to progress. Leaks of official information, classified or official secrets most centered
on policy matters discussed during meeting which include the Cabinet, the State
Executive Council, tender meeting, budget information, exam questions, research
papers, examination results, policies matters, the budget and other important policy
matters, and disclosure of information that could harm national security.
It is easier to capture the action of leaked information through ICT and mobile
communication equipment which can be disseminated via the Internet, alternative
media and social networking web sites. These can cause an embarrassing situation of
an individual, cause a quandary, exposing the shortcomings of a government agency
and so on . In addition, a rather alarming scenario includes the loss or theft of personal
computers, mobile phones and Ipad of civil servants. This incident must be controlled
so that not only the cost of the purchase and replacement of assets can be solved and
even stored information should not to fall into wrong parties.(MyMIS, 2002).
5
1.2 PHYSICAL SECURITY
Physical security is a combination of physical and procedural measures designed to
prevent or mitigate threats or attacks against people, information and physical assets.
A physical security aims are to:
i. Deter – these are measures implemented that adversaries perceive as too
difficult, or needing special tools and training to defeat;
ii. Detect – these are measures implemented to determine if an unauthorized
action is occurring or has occurred;
iii. Delay – these are measures implemented to impede an adversary during an
attack, or slow the progress of a detrimental event to allow a response
before agency information or physical assets are compromised;
iv Respond – These are measures taken once an agency is aware of an attack
or event to prevent, resist or mitigate the attack or event; and
v. Recover – these are measures taken to restore operations to normal (as
possible) following an incident. (Security Directive, 1985).
Physical security measures are capable of mitigating a range of risks.
However, given enough time and determination, an adversary can compromise almost
any physical security measure. Where measures fail to deter, they need to detect
unauthorized access. Therefore, agencies should evaluate protection on their ability to
detect, and delay for an acceptable designated minimum period of time. (Security
Directive, 1985).
An important measure for evaluating detection and response measures is the
time taken for an effective response. A response force should be capable of countering
the anticipated activity of the intruder and should attend within a time commensurate
with the delay measures. Physical security measures are to ensure a safe working
6
environment for civil servants and visitors, to prevent unauthorized access to official
matters, classified and official secrets, provide barriers to deter, detect, delay and
deploy cover measures hold restrictions, security alarms, CCTV, card access control,
security services, security locks and safes for asset security and classified documents.
Protection includes security measures to protect and preserve the assets, people
property, information and organizational activities which can cause threats. Security
protection is not merely account for the actions of the control and protection of
espionage activity, subversion, sabotage, extremist groups, 'cyber-terrorism', human
weaknesses or other threats in the affect of security, defense, economic and
functioning of government. It is an organized effort which includes aspects of
personal protection, documents, information, physical and environment need to be
based on Security-In-Depth strategy. Most ministries, departments an agency already
have and manage various official matters, classified and official secrets covering
policy, military, commercial, scientific and technical, and so on. Most of the above
article and information are required by foreign parties and criminals who always want
to raise an issue. If these information leaked or exposed either intentionally or
accidentally or negligence, it will be put to the operational implementation Ministries,
Departments and Agencies. Similarly, the weak protection security system will also
ultimately undermine security throughout the country.
The issue of information security protection technology is also closely linked
to the security system of physical protection, documents, information, personal and
asset. Current ICT sophistication of communications equipment also facilitates the
spread and complicates the control of document security management and government
classified information. Infrastructure facility has the potential to face any attack;
including cyber terrorism is a major challenge that must be addressed. Protecting the
7
organization's infrastructure from cyber attacks is very difficult and complex, not as
protecting the physical structure. In this context, if not preferred security protection
can bring impacts including damage to the organization, the economy and threaten the
well-being of the people, government and nation. The suffix will lead to bad
implications and is likely to affect and hinder the planning and management efforts to
Government.
1.3 PHYSICAL AND LOGICAL SECURITY IN DATA CENTRE
Prudence dictates that for physical threats, physical monitoring solutions be leveraged
to mitigate risk. If there are logical threats, then logical monitoring solutions should be
used. If the threats happen, then the security solutions must converge as well. This
sounds simple, but the disciplines of physical and logical security are highly disparate.
As such, getting the technology and the individuals to work synergistically can be
challenging.”(Amanda Andress, 2003).
Increasingly, as a means of reducing costs, increasing efficiencies or making
better use of technology investments, organizations are integrating physical security
devices for access control, monitoring and process control into the IT infrastructure.
This collision of two different technology worlds, each coming from a separate
management approach and protection philosophy, does not always come together
easily. The differences in design, functionality, implementation, maintenance and
management can present conflicts, possibly resulting in a security breach involving
the IT systems, the security systems or both. Logical Security consists of software
safeguards for an organization’s systems, including user ID and password access,
authentication, access rights and authority levels. These measures are to ensure that
8
only authorized users are able to perform actions or access information in a network or
a workstation. It is a subset of computer security.
1.4 PROBLEM STATEMENT
Security instructions of the same security degree in accordance with certain principles.
Ministries, Departments and Agencies observed and performed seemly instruction in
order to control the country's secrets effectively. Every Government Agencies
entrusted with classified matters and required to comply with this provision.
Many government departments are unlikely to give priority to data centre
location because are not properly identify the perimeter to be secured, not identify
physical vulnerabilities and weaknesses by conducting risk analysis and etc. Data
centre location is very important thus the site selection should be selected properly by
paying attention to the demographics of the area. For example, the chosen location
must be in an area with no issue of social problems in order to avoid the occurrence of
aggression. The location of data centre should be free from security threats away from
sources of water (such as water tank, suction, drain rainwater), away from areas at risk
of flooding, landslides, tremors, hurricanes, away from electromagnetic interference
(eg near the airport), easily accessible, close to public transportation, close to public
facilities such as fire stations, hospitals and police and can accommodate future
needs.
The head of department are owners of public sector ICT assets and are
accountable for their safe-keeping and protection. Unfortunately, the head of
department does not realize the importance of security procedure to be implemented
across the entire organization. Hence, they are responsible for and supportive of ICT
Security programme promote compliance to standards, procedures and guidelines to
9
be align with Public Sector ICT Security requirements to the department’s mission
and objective. Therefore, they should be ensure of adequate resources, both financial
and personnel available for the programmed.
Various public sector agencies already have a data center facility to house the
equipment that ICT that can support the management of information systems in the
relevant agencies. Based on a study conducted by MAMPU, it appears that many of
the data centre did not meet the minimum standards set by international standards
bodies in aspects such as physical space, cooling system, power supply, system
security and so on.
1.5 RESEARCH AIMS AND OBJECTIVES
In order to safe guard information facility it is necessary to deter potential intruders.
Multiple physical barriers that surround premises housing information facilities help
to deter, detect and delay intruders. Many government agencies did not identify the
perimeter to be secured, identify physical vulnerabilities and weaknesses by
conducting risk analysis, not use of real floor and real ceiling such that physical
threats is seen and not hidden and did not provide control access by means such as
registration counter, smart cards, camera etc.
Once areas are gazzetted as secure areas, these areas are accorded with suitable
protect so as to allow legitimate access. Many government agencies did not following
physical entry controls and, site design guidelines and controls for data
centre.Considering the above mentioned factors, it is the aim of the research is to
evaluate the quality of physical security in data centre. The objectives of the research
are as follows:
i. To identify problem in data centre in terms of physical security;
10
ii. To compliance Data Centre physical security management; and
iii. To access the management strength of government Data Centre.
1.6 OUTLINE OF RESEARCH METHODOLOGY
The study focuses the observation and questionnaire and interview with the end uses
of the Data Centre. The data centre selected for the study is government agencies
which are located in Putrajaya and in Kuala Lumpur. These data centre are gazette as
secure areas and have suitable protection so as to allow legitimate access. When
selecting data centre several factors are taken into consideration and they are follows:
i. The usage of capacity is the similar;
ii. The form of the Data Centre is similar;
iii. Physical Security Perimeter are similar; and
iv. Same locality and region.
The questionnaire surveys were carried with the ICT Security Officer (ICTSO)
who is managing the data centre. The sampling was done based on non-probability
basis which the respondents had the choice whether to answer the questionnaire or
not. Interviews were carried out with target respondents who were involved in
managing data centre.
Observation of data centre were carried out after the completion of the
interview. Observation and interview of the data centre are important so that
meaningful comparison could be made and conclusion could be drawn.
11
Figure 1.1 Flow Chart of Research Process
Choose Samples
Observation End-user Feedback
Data Site 1 Data Site 2
Analyze Data Site 1 Analyze Data Site 2
Overall
Comparison and Conclusion
Identify Samples
