By Barbara L. Vergetis Lundin
The scope of computer crime stretches far beyond
the security of a single credit card transaction over the World Wide Web. Potential
losses due to computer-based financial fraud are devastating, whether perpetrated
by intruders or dishonest employees. Theft of proprietary information, long blamed
on employee turnover, is increasingly performed via hacking. Information warfare
attacks on infrastructure targets such as the power grid, the telecommunications
public switch networks, and the air traffic control system may be only
a few keystrokes away, according to the Computer Security Institute (CSI), San
Francisco. Everyone throughout a facilities management organization needs to educate
themselves on the range of potential cyber attacks and how they can protect critical
Preparedness for Computer Rooms and Data Centers
Facilities professionals should keep the following
questions in mind when preparing emergency plans for facility computer rooms
and data center operations:
Is a written policy and procedure guide available for contingencies,
such as fires, bomb threats, and emergency shut down?
Are emergency equipment and procedures tested on a periodic basis with
noted deficiencies corrected and the results recorded?
Are disaster preparedness and fire drills conducted periodically?
Do all security guards, system monitors, and main console operators have
ready access to telephones and a current list of emergency numbers that include
police, fire, medical, management, security, technical service, and public utility
points of contact with instructions pertaining to emergency notification?
Do emergency plans consider procedures for cutting off water, fuel, and
electricity, as appropriate, in addition to activation of fire extinguishing
systems and shutting fire isolation doors and cabinets?
Are principal concepts and employee instructions for emergency and disaster
plans posted in prominent places?
Does the organization have a coordinated, standardized, and effective
fire/disaster preparedness program?
Does the organization have an effective fire detection and suppression
Does the location of the computer room, vault, storage, and utility rooms
provide adequate fire protection in accordance with established criteria?
If the facility is located in an area remote from municipal services,
is a suitable source of water available to augment firefighting?
Are there shut-off devices that abort automatic activation of the fire
suppression system within or near the main exit of the computer area?
Is the data/communications center separated from adjacent areas laterally,
as well as above and below, by fire-rated construction?
Is there sufficient drainage within the computer facility itself to handle
maximum in-flow of water during an emergency?
Are all construction, furnishing, and decor items in the data/communications
equipment and media storage rooms made of noncombustible or fire-retardant
material (including carpet, curtains, workstation furniture, etc.)?
Are adequate numbers of heat, smoke, and fire detectors installed in
ceiling, under raised floors, in storage areas, and elsewhere within the
Is a smoking prohibition published, posted, and enforced for the data/communications
center, all storage areas, and other zones with concentrations
of materials or components that are either combustible or susceptible to smoke
Are there properly located annunciator and/or control panels to continuously
monitor the status of heat, smoke, and fire detectors?
storage and utility areas and areas adjacent to the computer facility
contain automatic fire suppression equipment?
Access Control Procedures
Is there an access control policy for entry and exit to the computer
Is there a photo badge system or other positive access control for entry
into computer facilities?
Are background checks performed on employees who hold sensitive positions?
Are dismissed IT employees removed from access immediately?
Do employees challenge improperly identified visitors?
Is an access list prepared, displayed, and up-to-date?
Is there a documented procedure for permitting entry to vendors and main-
Do you have documented escort procedures for visitors and others?
Are all unescorted maintenance/janitorial personnel authorized or bonded
in the computer system for the highest category of sensitive or critical information?
Are any contractor, security, maintenance, or janitorial personnel
given master keys and/or access to utility rooms adjacent to the secure area?
Is there a documented control process?
Is there back-up power or an
uninterruptible power system (UPS) and is it tested regularly?
Does the UPS cover the following: computer center systems, computer center
lighting, fire detection and suppression systems, intrusion detection systems,
cardkey or cipher lock entry systems, air-conditioning systems, and emergency
communication systems?
Doors and Door Locks
Are doors to computer facilities protected by access control locks? If
so, what kind? Card key? Cipher lock? Proximity transponder? Biometrics? None?
When were they last changed?
Where is the control unit located?
Does it report (audit log) anyplace?
Is there a procedure for the issuance and retrieval of keys (or changing
access control numbers)?
Are door hinges pinned and door frames secured or welded?
Windows and Pass-Through Spaces
Can any windows to the computer facility be opened or are they secured
and fixed closed?
Are window hinges fixed and window frames secured or welded with special
glass or bars on windows?
Are there other voids or penetrations in the walls other than doors and
windows, and are they secure?
Suspended Ceilings and Interstitial Spaces
Does the computer facility have a suspended ceiling or interstitial space?
Are there other penetrations to the roof or through the ceiling, and
are they secure?
Raised Computer Flooring or Air Deck
Does the computer facility have a raised computer floor or air deck?
Is the space large enough for a person to hide or secure himself from view?
Are raised floors inspected frequently for evidence of access and unauthorized
Are there other penetrations through the floor, and are they secure?
SOURCE: SECURITY ANALYSIS DIV., SAICS CENTER FOR INFORMATION