By Barbara L. Vergetis Lundin The scope of computer crime stretches far beyond
the security of a single credit card transaction over the World Wide Web. Potential
losses due to computer-based financial fraud are devastating, whether perpetrated
by intruders or dishonest employees. Theft of proprietary information, long blamed
on employee turnover, is increasingly performed via hacking. Information warfare
attacks on infrastructure targets – such as the power grid, the telecommunications
public switch networks, and the air traffic control system – may be only
a few keystrokes away, according to the Computer Security Institute (CSI), San
Francisco. Everyone throughout a facilities management organization needs to educate
themselves on the range of potential cyber attacks and how they can protect critical
corporate information.
Emergency
Preparedness for Computer Rooms and Data Centers
Facilities professionals should keep the following questions in mind when preparing emergency plans for facility computer rooms and data center operations: • Is a written policy and procedure guide available for contingencies, such as fires, bomb threats, and emergency shut down? • Are emergency equipment and procedures tested on a periodic basis with noted deficiencies corrected and the results recorded? • Are disaster preparedness and fire drills conducted periodically? • Do all security guards, system monitors, and main console operators have ready access to telephones and a current list of emergency numbers that include police, fire, medical, management, security, technical service, and public utility points of contact with instructions pertaining to emergency notification? • Do emergency plans consider procedures for cutting off water, fuel, and electricity, as appropriate, in addition to activation of fire extinguishing systems and shutting fire isolation doors and cabinets? • Are principal concepts and employee instructions for emergency and disaster plans posted in prominent places? • Does the organization have a coordinated, standardized, and effective fire/disaster preparedness program? • Does the organization have an effective fire detection and suppression program? • Does the location of the computer room, vault, storage, and utility rooms provide adequate fire protection in accordance with established criteria? • If the facility is located in an area remote from municipal services, is a suitable source of water available to augment firefighting? • Are there shut-off devices that abort automatic activation of the fire suppression system within or near the main exit of the computer area? • Is the data/communications center separated from adjacent areas laterally, as well as above and below, by fire- rated construction? • Is there sufficient drainage within the computer facility itself to handle the maximum in-flow of water during an emergency? • Are all construction, furnishing, and decor items in the data/communications equipment and media storage rooms made of noncombustible or fire- retardant material (including carpet, curtains, workstation furniture, etc.)? • Are adequate numbers of heat, smoke, and fire detectors installed in the ceiling, under raised floors, in storage areas, and elsewhere within the computer facility? • Is a smoking prohibition published, posted, and enforced for the data/ communications center, all storage areas, and other zones with concentra- tions of materials or components that are either combustible or susceptible to smoke damage? • Are there properly located annunciator and/or control panels to continuously monitor the status of heat, smoke, and fire detectors?• Do storage and utility areas and areas adjacent to the computer facility contain automatic fire suppression equipment?Access Control Procedures
• Is there an access control policy for entry and exit to the computer facility? • Is there a photo badge system or other positive access control for entry into computer facilities? • Are background checks performed on employees who hold sensitive positions? • Are dismissed IT employees removed from access immediately? • Do employees challenge improperly identified visitors? • Is an access list prepared, displayed, and up-to-date? • Is there a documented procedure for permitting entry to vendors and main- tenance personnel? • Do you have documented escort procedures for visitors and others? • Are all unescorted maintenance/janitorial personnel authorized or bonded in the computer system for the highest category of sensitive or critical information? • Are any contractor, security, mainte- nance, or janitorial personnel given master keys and/or access to utility rooms adjacent to the secure area? Is there a documented control process?Power Utilities • Is there back-up power or an uninterruptible power system (UPS) and is it tested regularly? • Does the UPS cover the following: computer center systems, computer center lighting, fire detection and suppression systems, intrusion detection systems, cardkey or cipher lock entry systems, air-conditioning systems, and emergency communica- tion systems? Doors and Door Locks • Are doors to computer facilities protected by access control locks? If so, what kind? Card key? Cipher lock? Proximity transponder? Biometrics? None? • When were they last changed? • Where is the control unit located? • Does it report (audit log) anyplace? • Is there a procedure for the issuance and retrieval of keys (or changing access control numbers)? • Are door hinges pinned and door frames secured or welded? Windows and Pass-Through Spaces • Can any windows to the computer facility be opened or are they secured and fixed closed? • Are window hinges fixed and window frames secured or welded with special glass or bars on windows? • Are there other voids or penetrations in the walls other than doors and windows, and are they secure?Suspended Ceilings and Interstitial Spaces • Does the computer facility have a suspended ceiling or interstitial space? • Are there other penetrations to the roof or through the ceiling, and are they secure? Raised Computer Flooring or Air Deck • Does the computer facility have a raised computer floor or air deck? Is the space large enough for a person to hide or secure himself from view? • Are raised floors inspected frequently for evidence of access and unauthorized equipment? • Are there other penetrations through the floor, and are they secure? SOURCE: SECURITY ANALYSIS DIV., SAIC’S CENTER FOR INFORMATION SECURITY TECHNOLOGY
Facilities professionals should keep the following questions in mind when preparing emergency plans for facility computer rooms and data center operations: • Is a written policy and procedure guide available for contingencies, such as fires, bomb threats, and emergency shut down? • Are emergency equipment and procedures tested on a periodic basis with noted deficiencies corrected and the results recorded? • Are disaster preparedness and fire drills conducted periodically? • Do all security guards, system monitors, and main console operators have ready access to telephones and a current list of emergency numbers that include police, fire, medical, management, security, technical service, and public utility points of contact with instructions pertaining to emergency notification? • Do emergency plans consider procedures for cutting off water, fuel, and electricity, as appropriate, in addition to activation of fire extinguishing systems and shutting fire isolation doors and cabinets? • Are principal concepts and employee instructions for emergency and disaster plans posted in prominent places? • Does the organization have a coordinated, standardized, and effective fire/disaster preparedness program? • Does the organization have an effective fire detection and suppression program? • Does the location of the computer room, vault, storage, and utility rooms provide adequate fire protection in accordance with established criteria? • If the facility is located in an area remote from municipal services, is a suitable source of water available to augment firefighting? • Are there shut-off devices that abort automatic activation of the fire suppression system within or near the main exit of the computer area? • Is the data/communications center separated from adjacent areas laterally, as well as above and below, by fire- rated construction? • Is there sufficient drainage within the computer facility itself to handle the maximum in-flow of water during an emergency? • Are all construction, furnishing, and decor items in the data/communications equipment and media storage rooms made of noncombustible or fire- retardant material (including carpet, curtains, workstation furniture, etc.)? • Are adequate numbers of heat, smoke, and fire detectors installed in the ceiling, under raised floors, in storage areas, and elsewhere within the computer facility? • Is a smoking prohibition published, posted, and enforced for the data/ communications center, all storage areas, and other zones with concentra- tions of materials or components that are either combustible or susceptible to smoke damage? • Are there properly located annunciator and/or control panels to continuously monitor the status of heat, smoke, and fire detectors?• Do storage and utility areas and areas adjacent to the computer facility contain automatic fire suppression equipment?Access Control Procedures
• Is there an access control policy for entry and exit to the computer facility? • Is there a photo badge system or other positive access control for entry into computer facilities? • Are background checks performed on employees who hold sensitive positions? • Are dismissed IT employees removed from access immediately? • Do employees challenge improperly identified visitors? • Is an access list prepared, displayed, and up-to-date? • Is there a documented procedure for permitting entry to vendors and main- tenance personnel? • Do you have documented escort procedures for visitors and others? • Are all unescorted maintenance/janitorial personnel authorized or bonded in the computer system for the highest category of sensitive or critical information? • Are any contractor, security, mainte- nance, or janitorial personnel given master keys and/or access to utility rooms adjacent to the secure area? Is there a documented control process?Power Utilities • Is there back-up power or an uninterruptible power system (UPS) and is it tested regularly? • Does the UPS cover the following: computer center systems, computer center lighting, fire detection and suppression systems, intrusion detection systems, cardkey or cipher lock entry systems, air-conditioning systems, and emergency communica- tion systems? Doors and Door Locks • Are doors to computer facilities protected by access control locks? If so, what kind? Card key? Cipher lock? Proximity transponder? Biometrics? None? • When were they last changed? • Where is the control unit located? • Does it report (audit log) anyplace? • Is there a procedure for the issuance and retrieval of keys (or changing access control numbers)? • Are door hinges pinned and door frames secured or welded? Windows and Pass-Through Spaces • Can any windows to the computer facility be opened or are they secured and fixed closed? • Are window hinges fixed and window frames secured or welded with special glass or bars on windows? • Are there other voids or penetrations in the walls other than doors and windows, and are they secure?Suspended Ceilings and Interstitial Spaces • Does the computer facility have a suspended ceiling or interstitial space? • Are there other penetrations to the roof or through the ceiling, and are they secure? Raised Computer Flooring or Air Deck • Does the computer facility have a raised computer floor or air deck? Is the space large enough for a person to hide or secure himself from view? • Are raised floors inspected frequently for evidence of access and unauthorized equipment? • Are there other penetrations through the floor, and are they secure? SOURCE: SECURITY ANALYSIS DIV., SAIC’S CENTER FOR INFORMATION SECURITY TECHNOLOGY
