SPECIAL REPORT - Secure Enough?

02/01/2001 | By Samuel Chiodo

Computer crime – a new paradigm

By Barbara L. Vergetis Lundin

The scope of computer crime stretches far beyond the security of a single credit card transaction over the World Wide Web. Potential losses due to computer-based financial fraud are devastating, whether perpetrated by intruders or dishonest employees. Theft of proprietary information, long blamed on employee turnover, is increasingly performed via hacking. Information warfare attacks on infrastructure targets – such as the power grid, the telecommunications public switch networks, and the air traffic control system – may be only a few keystrokes away, according to the Computer Security Institute (CSI), San Francisco. Everyone throughout a facilities management organization needs to educate themselves on the range of potential cyber attacks and how they can protect critical corporate information.

Emergency Preparedness for Computer Rooms and Data Centers

Facilities professionals should keep the following questions in mind when preparing emergency plans for facility computer rooms and data center operations:

• Is a written policy and procedure guide available for contingencies, such as fires, bomb threats, and emergency shut down?

• Are emergency equipment and procedures tested on a periodic basis with noted deficiencies corrected and the results recorded?

• Are disaster preparedness and fire drills conducted periodically?

• Do all security guards, system monitors, and main console operators have ready access to telephones and a current list of emergency numbers that include police, fire, medical, management, security, technical service, and public utility points of contact with instructions pertaining to emergency notification?

• Do emergency plans consider procedures for cutting off water, fuel, and electricity, as appropriate, in addition to activation of fire extinguishing systems and shutting fire isolation doors and cabinets?

• Are principal concepts and employee instructions for emergency and disaster plans posted in prominent places?

• Does the organization have a coordinated, standardized, and effective fire/disaster preparedness program?

• Does the organization have an effective fire detection and suppression

• Does the location of the computer room, vault, storage, and utility rooms provide adequate fire protection in accordance with established criteria?

• If the facility is located in an area remote from municipal services, is a suitable source of water available to augment firefighting?

• Are there shut-off devices that abort automatic activation of the fire
suppression system within or near the main exit of the computer area?

• Is the data/communications center separated from adjacent areas laterally, as well as above and below, by fire- rated construction?

• Is there sufficient drainage within the computer facility itself to handle the
maximum in-flow of water during an emergency?

• Are all construction, furnishing, and decor items in the data/communications equipment and media storage rooms made of noncombustible or fire-
retardant material (including carpet, curtains, workstation furniture, etc.)?

• Are adequate numbers of heat, smoke, and fire detectors installed in the
ceiling, under raised floors, in storage areas, and elsewhere within the
computer facility?

• Is a smoking prohibition published, posted, and enforced for the data/
communications center, all storage areas, and other zones with concentra- tions of materials or components that are either combustible or susceptible to smoke damage?

• Are there properly located annunciator and/or control panels to continuously monitor the status of heat, smoke, and fire detectors?

• Do storage and utility areas and areas adjacent to the computer facility
contain automatic fire suppression equipment?

Access Control Procedures
Is there an access control policy for entry and exit to the computer facility?

• Is there a photo badge system or other positive access control for entry into computer facilities?

• Are background checks performed on employees who hold sensitive positions?

• Are dismissed IT employees removed from access immediately?

• Do employees challenge improperly identified visitors?

• Is an access list prepared, displayed, and up-to-date?

• Is there a documented procedure for permitting entry to vendors and main- tenance personnel?

• Do you have documented escort procedures for visitors and others?

• Are all unescorted maintenance/janitorial personnel authorized or bonded in the computer system for the highest category of sensitive or critical information?

• Are any contractor, security, mainte- nance, or janitorial personnel given master keys and/or access to utility rooms adjacent to the secure area? Is there a documented control process?

Power Utilities
• Is there back-up power or an
uninterruptible power system (UPS) and is it tested regularly?

• Does the UPS cover the following: computer center systems, computer center lighting, fire detection and suppression systems, intrusion detection systems, cardkey or cipher lock entry systems, air-conditioning systems, and emergency communica- tion systems?

Doors and Door Locks
• Are doors to computer facilities protected by access control locks? If so, what kind? Card key? Cipher lock? Proximity transponder? Biometrics? None?

• When were they last changed?

• Where is the control unit located?

• Does it report (audit log) anyplace?

• Is there a procedure for the issuance and retrieval of keys (or changing access control numbers)?

• Are door hinges pinned and door frames secured or welded?

Windows and Pass-Through Spaces
• Can any windows to the computer facility be opened or are they secured and fixed closed?

• Are window hinges fixed and window frames secured or welded with special glass or bars on windows?

• Are there other voids or penetrations in the walls other than doors and windows, and are they secure?

Suspended Ceilings and Interstitial Spaces
• Does the computer facility have a suspended ceiling or interstitial space?

• Are there other penetrations to the roof or through the ceiling, and are they secure?

Raised Computer Flooring or Air Deck
• Does the computer facility have a raised computer floor or air deck? Is the space large enough for a person to hide or secure himself from view?

• Are raised floors inspected frequently for evidence of access and unauthorized equipment?

• Are there other penetrations through the floor, and are they secure?


Related Coverage