24
PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE BY BAZRULDILAH BIN BASOR A dissertation submitted in fulfilment of the requirement for the degree of Master of Protective Security Management Kulliyyah of Information and Communication Technology International Islamic University Malaysia MARCH 2016

PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

PHYSICAL SECURITY IN GOVERNMENT AGENCIES

DATA CENTRE

BY

BAZRULDILAH BIN BASOR

A dissertation submitted in fulfilment of the requirement for

the degree of Master of Protective Security Management

Kulliyyah of Information and Communication Technology

International Islamic University Malaysia

MARCH 2016

Page 2: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

ii

ABSTRACT

Data centre is a central repository for the storage, management, and dissemination of

data supporting one or multiple organizations. Many studies have been carried out to

measure and quantified quality of physical security elements in data centres. Physical

security should also be incorporated by identifying the risks with comparison to the

value of the assets. It is based on the principle of defense-in-depth. In this study

physical security observation and assessment of the completed data centre were done

by visual observation in which photos were taken during the visual survey of all Data

Centres. Questionnaire survey and face to face interviews were conducted by

researcher. Analysis of the result showed that physical security implementation in data

centre did not comply to the specifications prescribed by the security standard of data

centre it could not prevent any intrusion and security threat. Result from observations

and face to face interviews and questionnaire survey concluded that the government

data centre did not follow the physical security procedure.

Page 3: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

iii

البحث ملخصABSTRACT IN ARABIC

دعا مركزيا لتخزين، وإدارة، وتوزيع البيانات التي تنتمي إلى مؤسسة يعتبر مركز البيانات مستو أو عدة مؤسسات. لقد أجريت عدة دراسات لأجل قياس وتكميم نوعية الحماية الفيزيائية لأجزاء مراكز البيانات. في الحقيقة ينبغي أن تؤخذ قضية الأمن الفيزيائي بعين الإعتبار؛

رنة بقيمة الممتلكات، وهذا بناء على مبدأ الدفاع أو الحماية وذلك بحصر المخاطر المتوقعة مقاالمكثفة. لقد تم في هذه الدراسة إجراء ملاحظة بصرية لكل من ملاحظة وتقييم الحماية الفيزيائية لمركز البيانات الذي تم إنشاؤه، وذلك بواسطة التقاط صور خلال عملية المسح

نسبة للإستبيانات؛ فقد قام الباحث بذلك عن طريق البصري الشامل لمركز البيانات. أما بالعقد مقابلات مباشرة. وقد أثبت تحليل النتائج بأن العامل المؤثر على الحماية الفيزيائية في مركز البيانات هو التزام المميزات الموصوفة من طرف ضوابط الحماية لمركز البيانات، والتي

لقد أدت النتائج المتوخاة من الملاحظات، يمكن أن تمنع تهديدات التطفل والحماية. والمقابلات المباشرة، والإستبيانات إلى استنتاج أن مركز البيانات التابع للحكومة لم يتبع

إجراءات الحماية الفيزيائية.

Page 4: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

iv

APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion, it conforms

to acceptable standards of scholarly presentation and is fully adequate, in scope and

quality, as a thesis for the degree of Master of Protective Security Management.

...............................................................

Maisarah Ali

Supervisor

I certify that I have read this study and that in my opinion, it conforms to acceptable

standards of scholarly presentation and is fully adequate, in scope and quality, as a

thesis for the degree of Master of Protective Security Management.

...............................................................

Abdul Rahman Ahlan

Examiner

This dissertation was submitted to the Centre for IT Advancement and is accepted as a

fulfilment of the requirement for the degree of Master of Protective Security

Management.

...............................................................

Lili Marziana Abdullah

Head, Centre for IT Advancement

This dissertation was submitted to the Kulliyah of Information and Communication

Technology and is accepted as a fulfilment of the requirement for the degree of Master

of Protective Security Management.

...............................................................

Abdul Wahab Bin Abdul Rahman

Dean, Kulliyyah of Information and

Communication Technology

Page 5: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

v

DECLARATION

I hereby declare that this dissertation is the result of my own investigations, except

where otherwise stated. I also declare that it has not been previously or concurrently

submitted as a whole for any other degrees at IIUM or other institutions.

Bazruldilah Basor

Signature …………………………………… Date ……………………..

Page 6: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

vi

COPYRIGHT

INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF

FAIR USE OF UNPUBLISHED RESEARCH

PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA

CENTRE

I declare that the copyright holder of this dissertation is Bazruldilah Basor

Copyright © 2016 Bazruldilah Basor All rights reserved.

No part of this unpublished research may be reproduced, stored in a retrieval system,

or transmitted, in any form or by any means, electronic, mechanical, photocopying,

recording or otherwise without prior written permission of the copyright holder

except as provided below

1. Any material contained in or derived from this unpublished research may

be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print

or electronic) for institutional and academic purposes.

3. The IIUM library will have the right to make, store in a retrieved system

and supply copies of this unpublished research if requested by other

universities and research libraries.

By signing this form, I acknowledged that I have read and understand the IIUM

Intellectual Property Right and Commercialization policy.

Affirmed by Bazruldilah Basor

……..…………………….. ………………………..

Signature Date

Page 7: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

vii

ACKNOWLEDGEMENTS

All praises to Allah the Almighty God for the successful completion of my

dissertation at International Islamic University Malaysia. My sincere gratitude and

appreciation to my parent, my lovely wife and everyone who has given me

motivation, guidance, support and advice throughout this dissertation exercise.

My special thanks to my supervisor Prof.Ir.Dr. Maisarah Ali for her advise,

guidance and mentorship during the project period. Her comments and review on the

subjects are fruitful for the success of this dissertation.

I am also grateful for the support and encouragement from the Head of Centre

for IT Advancement (CITA), Kulliyah of Information and Communication

Technology, Ass. Prof Dr. Lili Marziana binti Abdullah who gave me courage and

strength to complete this dissertation.

Thanks all of the officers from Chief Government Security Office (CGSO),

Prime Ministers Department especially Dato’ Aloyah binti Mamat, General Director

of CGSO and Madam Julaila binti Engan, Head of ICT Security and Official Secret

Department, CGSO who gave me motivation. Special thanks also to those people who

are involved in the preparation and collection of the data.

Page 8: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

viii

TABLE OF CONTENTS

Abstract ........................................................................................................................ ii Abstract in Arabic ........................................................................................................ iii Approval Page .............................................................................................................. iv

Declaration ................................................................................................................... v Copyright ..................................................................................................................... vi Acknowledgements ...................................................................................................... vii List of Tables ............................................................................................................... xi List of Figures .............................................................................................................. xii

List of Abbreviations ................................................................................................... xiii

CHAPTER ONE: INTRODUCTION ..................................................................... 1 1.1 Background ................................................................................................. 1

1.1.1 Data Centre Physical Security Environment Protection ................... 3 1.1.2 Leaking of Government Classified Information ............................... 4

1.2 Physical Security ........................................................................................ 5

1.3 Physical and Logical Security in Data Centre ............................................ 7 1.4 Problem Statement ...................................................................................... 8

1.5 Research Aims and Objectives ................................................................... 9 1.6 Outline of Research Methodology ............................................................. 10

CHAPTER TWO: LITERATURE REVIEW ........................................................ 12 2.1 Introduction................................................................................................. 12

2.1.1 Guiding Principles for Development Data Centre ............................ 13

2.1.2 Main Components of Data Centre .................................................... 13

2.2 Security Threat............................................................................................ 13 2.2.1 Anonymous Hackers ......................................................................... 14

2.2.2 Malware and Advanced Persistent Threats (APTs) .......................... 15 2.2.3 Denial of Service ............................................................................... 15

2.2.4 Data Leaks, Data Loss and Data Breaches ....................................... 17 2.2.5 Physical Threats ................................................................................ 17

2.3 Roles and Responsibilities .......................................................................... 20

2.3.1 Head of Department .......................................................................... 20 2.3.2 Chief Information Officer ................................................................. 20

2.3.3 ICT Security Officer ......................................................................... 21 2.4 Security-in-Depth ....................................................................................... 21 2.5 Elements of Physical Security Planning ..................................................... 21

2.6 Physical Security in Data Centre ................................................................ 22 2.6.1 Design and Layout Physical Data Centre ......................................... 23 2.6.2 External Aspects in Physical Security Data Centre .......................... 27 2.6.3 Internal Aspects Physical Security in Data Centre

Environment ..................................................................................... 28 2.6.4 Detection System and Fire Fighting.................................................. 37 2.6.5 Environmental Monitoring System for Data Centre ......................... 43 2.6.6 Network cabling system .................................................................... 44

2.7 Data Security and Media Storage ............................................................... 46

Page 9: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

ix

2.8 Disaster Recovery Centre (DRC) ............................................................... 46

2.8.1 Process Involved in Disaster Recovery Plan..................................... 47 2.8.2 Disaster Recovery Center (DRC) ...................................................... 48

2.9 Physical Security Data Centre Related Laws ............................................. 49 2.9.1 Malaysian Communications and Multimedia Commission Act

1998 .................................................................................................. 50 2.9.2 Official Secrets Act 1972 .................................................................. 50 2.9.3 Protected Areas and Protected Places Act 1959 ............................... 51

2.9.4 Fire Services Act 1988 ...................................................................... 51 2.9.5 Cyber Laws ....................................................................................... 52

2.10 Summary ................................................................................................... 54

CHAPTER THREE: RESEARCH METHODOLOGY ....................................... 55 3.1 Introduction................................................................................................. 55

3.2 Research Design ......................................................................................... 56

3.2.1 Research Approached ....................................................................... 56 3.2.2 Research Process ............................................................................... 56

3.3 Sampling ..................................................................................................... 58 3.3.1 Sampling Technique ......................................................................... 58

3.3.2 Calculating the sample size ............................................................... 58 3.4 Questionnaire .............................................................................................. 59

3.4.1 Designing Questionnaire ................................................................... 60 3.5 Pilot Survey ................................................................................................ 62 3.6 Physical Security of Data Centre Survey Work ......................................... 63

3.6.1 Observation ....................................................................................... 64 3.6.2 Planning for Question Process .......................................................... 64

3.7 Data Analysis .............................................................................................. 65 3.8 Summary ..................................................................................................... 65

CHAPTER FOUR: RESULT AND FINDINGS .................................................... 67 4.1 Introduction................................................................................................. 67

4.2 Data Analysis and Discussion .................................................................... 67

4.3 Observation Result...................................................................................... 67 4.4 Demographics ............................................................................................. 73 4.5 Security Awareness of the Data Centre Personnel ..................................... 75 4.6 Fire Drill Training....................................................................................... 76 4.7 Respondents Feedback for Physical Security in Data Centre ..................... 77

4.7.1 Location of Data Centre .................................................................... 77 4.7.2 Access Control .................................................................................. 78 4.7.3 Fire Hazard ........................................................................................ 80 4.7.4 Surveillance ....................................................................................... 81

4.7.5 Temperature and Relative Humidity ................................................. 83 4.7.6 Procedures ......................................................................................... 84 4.7.7 Security Committee ........................................................................... 86

4.7.8 Security Incident ............................................................................... 89 4.8 Summary ..................................................................................................... 90

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION ...................... 92 5.1 Introduction................................................................................................. 92

Page 10: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

x

5.2 Conclusion .................................................................................................. 92

5.3 Limitations and Implications of the Study.................................................. 95 5.4 Recommendation for Further Research ...................................................... 96

REFERENCES ........................................................................................................... 97

APPENDIX A: PHOTOS OF PHYSICAL SECURITY IN DATA

CENTRE ...................................................................................... 100 APPENDIX B: QUESTIONNAIRE ..................................................................... 105

Page 11: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

xi

LIST OF TABLES

Table ‎3.1 Data Centre Observation and Interview 63

Table ‎4.1 Observation Finding From the Survey of Data Centre 68

Table ‎4.2 The Observation of Location 68

Table ‎4.3 The Observation of Fire Hazard 69

Table ‎4.4 The Observation of Access Control 70

Table ‎4.5 The Observation of CCTV 72

Table ‎4.6 The Respondents Gender 73

Table ‎4.7 The Respondents Job Level 74

Table ‎4.8 The Respondents Education Level 74

Table ‎4.9 The Respondents Working Experience 75

Table ‎4.10 The Respondents and Security Awareness 76

Table ‎4.11 The Relationship between Job Level and Number of Fire Drill

Training 76

Table ‎4.12 The Relationship between Aspects in Fire Hazard and Practice

Session and Drill 80

Table ‎4.13 The Implementation of Security Guard in the Data Centre 82

Table ‎4.14 The Percentage of Security Guard Implemented By the Data

Centre 82

Table ‎4.15 The Respondent Respond of Temperature and Humidity 83

Table ‎4.16 Temperature and Humidity Respondents Average 84

Table ‎4.17 The Respondent Respond of Security Incident 89

Page 12: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

xii

LIST OF FIGURES

Figure ‎1.1 Flow Chart of Research Process 11

Figure ‎2.1 The Elements of Physical Security Planning 22

Figure ‎2.2 An Example of Optimum Height Data Centre 24

Figure ‎2.3 Tile Puller 25

Figure ‎2.4 The Size Ratio Ramp Construction 26

Figure ‎2.5 The Handrail Ramp 26

Figure ‎2.6 CCTV Device’s 29

Figure ‎2.7 Network Grounding System in a Data Centredi 32

Figure ‎2.8 Precision Air Conditioner 34

Figure ‎2.9 Comfort Air Conditioner 34

Figure ‎2.10 Meter Temperature and Relative Humidity 34

Figure ‎2.11 The Distance between the Air Handler and Rack Server 35

Figure ‎2.12 Distance between Server Rack and Rack Space in Use 36

Figure ‎2.13 Openings in Need Tiles Closed 36

Figure ‎2.14 Hot Aisle/ Cold Aisle Approach 37

Figure ‎2.15 Fire Extinguishing Halocarbon Types 40

Figure ‎2.16 Fire Extinguishing Inert Type 41

Figure ‎2.17 A Best Method of Cable Preparation 45

Figure ‎4.1 The Percentage of Suitability of Data Centre Location 77

Figure ‎4.2 Relationship between Access Control and Methods 78

Figure ‎4.3 Respondent Response to Implemented Of DRC 85

Figure ‎4.4 The Respondent Response On Security Committee 86

Page 13: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

xiii

LIST OF ABBREVIATIONS

ACS Access Control System

APTs Access Control System

BYOD Bring Your Own Device

CA Certification Authorities

CCA Computer Crimes Act

CCTV Closed Camera Television

CGSO Chief Government Security Office

CIO Chief Information Officer

CMA Communications and Multimedia Act

CRAC Computer Room Air Conditioners

DOS Denial of Service

DRC Disaster Recovery Centre

DRP Disaster Recovery Plan

EMI Electromagnetic interference

ESD Electronic Discharge

Gbps Gigabits per second

GDP Government Development Program

HSC Higher School Certificate

ICT Information and Communication Technology

ICTSO Information and Communication Technology Security

Officer

ID Identification

IDS Intrusion Detection System

IPS Intrusion Prevention System

IT Information Technology

Kbps Kilo bits per second

MAMPU The Malaysian Administrative Modernization and

Management Planning Unit

Mbps Mega bits per second

MCE Malaysian Certificate Education

MCMC Malaysian Communications and Multimedia Commission

MHz Megahertz

NOC Network Operation Centre

NT Windows NT (Support multiple file system)

PCN Putrajaya Campus Network

RH Relative Humidity

SMB Small to midsize business

SOP Standard Operational Procedure

SPM Malaysian Certificate of Education

STP Shielded Twisted Pair

STPM Malaysian Higher Education School Certificate

UPS Uninterruptible Power Supply

UTP Unshielded Twisted Pair

Page 14: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

1

CHAPTER ONE

INTRODUCTION

1.1 BACKGROUND

The data center is a special facility to locate and operate computer systems and other

equipment and is supported by major facilities such as cooling systems, electric

power, environmental control, fire prevention, security systems and so on. A well-

managed data centre that is well managed will increase the level of productivity of an

agency by providing efficient access to the data system and data is readily available

due to and high-speed processing.

Many public sector agencies already have data center facility to house their

ICT equipment and support the management information system. Based on a study

conducted by ICTSO on data centre, it appears that many of the data centers not meet

the minimum standards set by international standards in the aspects of physical space,

cooling system, power supply system security etc.

It is well known that an agency's service delivery system is highly dependent

on the efficiency and effectiveness of the agency's information management system.

The stability and efficiency of data center management also plays an important role as

the heart of the agency in information management system is readily available with

high speed. Therefore, the guidelines will provide the basis for improving the quality

of data center services in Public Sector agencies (MAMPU, 2014).

One Malaysia Government Transformation Programmed (GTP), New

Economic Model (NEM) and the Tenth Malaysia Plan (10MP) and a national strategic

plan laid a stronger foundation for national development in order to achieve the goals

of Vision 2020. ICT played an important role as a leader and facilitate an excellent

Page 15: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

2

service where is impact for agency can as the site for foundation and the heart of ICT

services. Data centre and disaster recovery center or (Disaster Recovery Center -

DRC) play on important role. Data centre need to be well managed so that the level of

availability and high performance is visible from the upstream ICT services.

Malaysia has 113 Ministries/Department/Agencies in the Public Sector that in

total they own 117 data centre spanning 160,000 square feet of space, and house

almost 5,000 servers. Unfortunately, a large number of these facilities and the

technologies within them are already obsolete, while others have reached the

maximum limits of their electrical supply and floor space.(MAMPU, 2014).

500 of dedicated IT personnel and ICT Security Officer managed these data

centre on a 24/7 basis. More than half of these data centre are also being serviced by

private contractors with varying degrees of service levels. Despite of having such a

large number of data centre, the Public Sector is still very much lacking in disaster

recovery centre (DRC) facilities, with only 11 agencies having such capabilities. Most

of the DRC facilities are owned and managed by the private sector. Malaysian

Government IT applications are indeed in a state of severe vulnerability unless drastic

measures are taken to address them immediately, such as through consolidation of

data centre and DRC. Consolidation of all Government data centre into several large,

modern, state-of-the-art and energy-efficient and cost-efficient facilities called Pusat

Data Sektor Awam (PDSA) means migration of the IT resources housed in the

existing data centre into the consolidated facilities. Thus the released space can be

utilized for other purposes.

The consolidation data centre would also mean the ability to reap the full

benefits of IT procurement and deployment afforded by the scale of economics. There

will also be an increased opportunities for the use of ‘green’ technologies,

Page 16: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

3

virtualization techniques and cloud computing to further maximize the capacities of

hardware, software and services on a shared basis for the whole community of users.

1.1.1 Data Centre Physical Security Environment Protection

Security measures for data centre environment protection are designed to protect

information process, stored and transmitted in electronic format. These measures

cover the protocol to establish and protect the password, use an anti - virus product,

control by minimizing security risk when sending e -mail or using the Internet and the

phone, the process prevents unauthorized access to a computer by a computer lock

when leaving the room and comply with security protocols when bringing a laptop or

other portable electronic devices tool for field assignments .Classified information the

development of ICT in the implementation of e-Government requires security

protection system to be developed to meet the needs of protecting official secrets

records electronically in accordance with the requirements of Act 88 and the Security

Directive . (Official Secret Act, 1972).

Classified information or official secrets should also be processed in electronic

form. Encryption technology should be integrated into the system. All computer

terminals used need to go through the process of sustainability as a way to give

confirmation that the information in the computer is not easily robbed out. All process

of official secret classified information should be recorded and any non-compliance

will be easily detected. This system allows the entire process of sending documents or

confidential or classified information officially recorded and any activity can be

investigated thoroughly discredited.

Data centre is like a file or vault that stores the official documents and official

secret government. Physical security at data centers is essential so that all forms of

Page 17: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

4

security threats can be prevented. Each government agency must ensure that the

physical security comply with the specifications prescribed by the safety standards of

data centre where it can prevent intrusion and security threats.

1.1.2 Leaking of Government Classified Information

Cases where even small leaks cannot be underestimated and should be brought to

justice. This is because the leakage of government information could affect their

credibility, integrity and putting the government in a quandary and a factor for barrier

to progress. Leaks of official information, classified or official secrets most centered

on policy matters discussed during meeting which include the Cabinet, the State

Executive Council, tender meeting, budget information, exam questions, research

papers, examination results, policies matters, the budget and other important policy

matters, and disclosure of information that could harm national security.

It is easier to capture the action of leaked information through ICT and mobile

communication equipment which can be disseminated via the Internet, alternative

media and social networking web sites. These can cause an embarrassing situation of

an individual, cause a quandary, exposing the shortcomings of a government agency

and so on . In addition, a rather alarming scenario includes the loss or theft of personal

computers, mobile phones and Ipad of civil servants. This incident must be controlled

so that not only the cost of the purchase and replacement of assets can be solved and

even stored information should not to fall into wrong parties.(MyMIS, 2002).

Page 18: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

5

1.2 PHYSICAL SECURITY

Physical security is a combination of physical and procedural measures designed to

prevent or mitigate threats or attacks against people, information and physical assets.

A physical security aims are to:

i. Deter – these are measures implemented that adversaries perceive as too

difficult, or needing special tools and training to defeat;

ii. Detect – these are measures implemented to determine if an unauthorized

action is occurring or has occurred;

iii. Delay – these are measures implemented to impede an adversary during an

attack, or slow the progress of a detrimental event to allow a response

before agency information or physical assets are compromised;

iv Respond – These are measures taken once an agency is aware of an attack

or event to prevent, resist or mitigate the attack or event; and

v. Recover – these are measures taken to restore operations to normal (as

possible) following an incident. (Security Directive, 1985).

Physical security measures are capable of mitigating a range of risks.

However, given enough time and determination, an adversary can compromise almost

any physical security measure. Where measures fail to deter, they need to detect

unauthorized access. Therefore, agencies should evaluate protection on their ability to

detect, and delay for an acceptable designated minimum period of time. (Security

Directive, 1985).

An important measure for evaluating detection and response measures is the

time taken for an effective response. A response force should be capable of countering

the anticipated activity of the intruder and should attend within a time commensurate

with the delay measures. Physical security measures are to ensure a safe working

Page 19: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

6

environment for civil servants and visitors, to prevent unauthorized access to official

matters, classified and official secrets, provide barriers to deter, detect, delay and

deploy cover measures hold restrictions, security alarms, CCTV, card access control,

security services, security locks and safes for asset security and classified documents.

Protection includes security measures to protect and preserve the assets, people

property, information and organizational activities which can cause threats. Security

protection is not merely account for the actions of the control and protection of

espionage activity, subversion, sabotage, extremist groups, 'cyber-terrorism', human

weaknesses or other threats in the affect of security, defense, economic and

functioning of government. It is an organized effort which includes aspects of

personal protection, documents, information, physical and environment need to be

based on Security-In-Depth strategy. Most ministries, departments an agency already

have and manage various official matters, classified and official secrets covering

policy, military, commercial, scientific and technical, and so on. Most of the above

article and information are required by foreign parties and criminals who always want

to raise an issue. If these information leaked or exposed either intentionally or

accidentally or negligence, it will be put to the operational implementation Ministries,

Departments and Agencies. Similarly, the weak protection security system will also

ultimately undermine security throughout the country.

The issue of information security protection technology is also closely linked

to the security system of physical protection, documents, information, personal and

asset. Current ICT sophistication of communications equipment also facilitates the

spread and complicates the control of document security management and government

classified information. Infrastructure facility has the potential to face any attack;

including cyber terrorism is a major challenge that must be addressed. Protecting the

Page 20: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

7

organization's infrastructure from cyber attacks is very difficult and complex, not as

protecting the physical structure. In this context, if not preferred security protection

can bring impacts including damage to the organization, the economy and threaten the

well-being of the people, government and nation. The suffix will lead to bad

implications and is likely to affect and hinder the planning and management efforts to

Government.

1.3 PHYSICAL AND LOGICAL SECURITY IN DATA CENTRE

Prudence dictates that for physical threats, physical monitoring solutions be leveraged

to mitigate risk. If there are logical threats, then logical monitoring solutions should be

used. If the threats happen, then the security solutions must converge as well. This

sounds simple, but the disciplines of physical and logical security are highly disparate.

As such, getting the technology and the individuals to work synergistically can be

challenging.”(Amanda Andress, 2003).

Increasingly, as a means of reducing costs, increasing efficiencies or making

better use of technology investments, organizations are integrating physical security

devices for access control, monitoring and process control into the IT infrastructure.

This collision of two different technology worlds, each coming from a separate

management approach and protection philosophy, does not always come together

easily. The differences in design, functionality, implementation, maintenance and

management can present conflicts, possibly resulting in a security breach involving

the IT systems, the security systems or both. Logical Security consists of software

safeguards for an organization’s systems, including user ID and password access,

authentication, access rights and authority levels. These measures are to ensure that

Page 21: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

8

only authorized users are able to perform actions or access information in a network or

a workstation. It is a subset of computer security.

1.4 PROBLEM STATEMENT

Security instructions of the same security degree in accordance with certain principles.

Ministries, Departments and Agencies observed and performed seemly instruction in

order to control the country's secrets effectively. Every Government Agencies

entrusted with classified matters and required to comply with this provision.

Many government departments are unlikely to give priority to data centre

location because are not properly identify the perimeter to be secured, not identify

physical vulnerabilities and weaknesses by conducting risk analysis and etc. Data

centre location is very important thus the site selection should be selected properly by

paying attention to the demographics of the area. For example, the chosen location

must be in an area with no issue of social problems in order to avoid the occurrence of

aggression. The location of data centre should be free from security threats away from

sources of water (such as water tank, suction, drain rainwater), away from areas at risk

of flooding, landslides, tremors, hurricanes, away from electromagnetic interference

(eg near the airport), easily accessible, close to public transportation, close to public

facilities such as fire stations, hospitals and police and can accommodate future

needs.

The head of department are owners of public sector ICT assets and are

accountable for their safe-keeping and protection. Unfortunately, the head of

department does not realize the importance of security procedure to be implemented

across the entire organization. Hence, they are responsible for and supportive of ICT

Security programme promote compliance to standards, procedures and guidelines to

Page 22: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

9

be align with Public Sector ICT Security requirements to the department’s mission

and objective. Therefore, they should be ensure of adequate resources, both financial

and personnel available for the programmed.

Various public sector agencies already have a data center facility to house the

equipment that ICT that can support the management of information systems in the

relevant agencies. Based on a study conducted by MAMPU, it appears that many of

the data centre did not meet the minimum standards set by international standards

bodies in aspects such as physical space, cooling system, power supply, system

security and so on.

1.5 RESEARCH AIMS AND OBJECTIVES

In order to safe guard information facility it is necessary to deter potential intruders.

Multiple physical barriers that surround premises housing information facilities help

to deter, detect and delay intruders. Many government agencies did not identify the

perimeter to be secured, identify physical vulnerabilities and weaknesses by

conducting risk analysis, not use of real floor and real ceiling such that physical

threats is seen and not hidden and did not provide control access by means such as

registration counter, smart cards, camera etc.

Once areas are gazzetted as secure areas, these areas are accorded with suitable

protect so as to allow legitimate access. Many government agencies did not following

physical entry controls and, site design guidelines and controls for data

centre.Considering the above mentioned factors, it is the aim of the research is to

evaluate the quality of physical security in data centre. The objectives of the research

are as follows:

i. To identify problem in data centre in terms of physical security;

Page 23: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

10

ii. To compliance Data Centre physical security management; and

iii. To access the management strength of government Data Centre.

1.6 OUTLINE OF RESEARCH METHODOLOGY

The study focuses the observation and questionnaire and interview with the end uses

of the Data Centre. The data centre selected for the study is government agencies

which are located in Putrajaya and in Kuala Lumpur. These data centre are gazette as

secure areas and have suitable protection so as to allow legitimate access. When

selecting data centre several factors are taken into consideration and they are follows:

i. The usage of capacity is the similar;

ii. The form of the Data Centre is similar;

iii. Physical Security Perimeter are similar; and

iv. Same locality and region.

The questionnaire surveys were carried with the ICT Security Officer (ICTSO)

who is managing the data centre. The sampling was done based on non-probability

basis which the respondents had the choice whether to answer the questionnaire or

not. Interviews were carried out with target respondents who were involved in

managing data centre.

Observation of data centre were carried out after the completion of the

interview. Observation and interview of the data centre are important so that

meaningful comparison could be made and conclusion could be drawn.

Page 24: PHYSICAL SECURITY IN GOVERNMENT AGENCIES DATA CENTRE …

11

Figure 1.1 Flow Chart of Research Process

Choose Samples

Observation End-user Feedback

Data Site 1 Data Site 2

Analyze Data Site 1 Analyze Data Site 2

Overall

Comparison and Conclusion

Identify Samples