Physical Security

Location, Location, Location 

Physical Site Selection

• Where are the nearest fault lines? Have earthquakes ever affected the site?
• Is the location in a flood zone. What about the 100 year flood zone.
• What about the frequency of severe weather? Any Tornadoes, frequent lightning or Hurricanes?
• Can other local business affect your operations, for example a near by stadium might impact your parking.
  Could an accident at one of these companies cause the evacuation of your business?
• Remember a single location is a single-point-of-failure. Are your critical assets backed up to a geographical separate location which would not affected if a large disaster occurred at the primary location?
• How far is the location from emergency services (Fire, Hospital, Police)?

Physical Access 

Who can get in and how? How do you know? Can you prove it.

• Does the access control provide an access tracking capability (PIN lock, smart card, biometrics)?
• Can the control be circumvented, for example one person enters code a second person follows the first person inside?
• Are all entrances controlled by the same mechanism? What methods could be used to bypass this device?
• If Master Key access exists, does the client know who all has access to the key?
• Is video surveillance in place? Without video surveillance, master key access will not be tracked. We need to know who accessed the facility if forensic evidence will be collected. Are all entrances monitored by video? Keys might provide a way to avoid video monitoring if all access points are not monitored.
• Is access by visitors logged? Are escorts required for access by visitors and maintenance?
• Is all access information controlled by a group external to those accessing the data center? Separation of Duties is a key security concept.
• Are any foreign nationals on staff? Are extensive background checks run on these employees? Knowing who has physical access is often necessary for government contracts.
• Are there windows within the Data Center that are accessible from non controlled areas? Is security glass used for windows? Are door handles within reach if a window is compromised? Are windows covered (blinds, curtains, etc.)? Learn what equipment exists. Window Surf.
• Can an intruder gain access to the data center from under the floor? Can an intruder gain access to the data center from the ceiling? Are there any gaps under the door. A DarkReading article noted that 1/4 inch copper tubing can be molded to fit under a door and used to move the handle from the inside.
• Are door hinges internal or external to the data center? Could the hinges be popped out and door removed?
• Is the data center a shared facility? Are locking cabinets used? Does the provider log all center access?
• How is off hours physical access tracked and does your security posture change during the day?

Equipment 

Inventory and configuration

• Are processes in place to track the addition and removal of equipment? Inventory management is crucial.
• Do systems contain ports (USB, Firewire) or devices which can be used to created media (USB, DVD/RW) and move data?
• Are drives wiped before equipment is excised? Is the same process used when drives fail and have to be replaced by vendors?
• Is backup media secured both on site and at an external location? Are backups encrypted? Are backups transported off site securely? Is access to backup media tracked?

Environmental Concerns 

• Are humidity and temperature controls in place? Is a fail over system in place? Are smoke detectors used? Are they on the ceiling? Are they under the floor?
• If the suppression system is a sprinkler system, are plastic sheets within the center that could be used to protect equipment if someone was in the data center when the system triggered?
• Are fire extinguishers available? Are they the appropriate type? Are they expired? Are fire extinguisher location indicators (signs) visible?
• What is the volume of combustibles within the data center? If a fire started these material might make the situation worse. Could a fire inspection be failed resulting in a order to shutdown the data center or building?
• Are water sensors in place to warn of flooding by high water levels or an overactive HVAC unit?
• Are uninterruptible Power Supplies used? How long can they provide support? Do they include alarms for when a battery fails? How often is the system tested and are records kept?
• Are backup power generators available? How long can the generators provide support? Are generators caged? There has been a string of thefts related to criminals stealing copper and other valuable metals.
• Are there any other ways for someone to remove power from critical devices (breaker boxes, etc.) that might be external to the data center?
• Is the data center raised floor of a sufficient height?
• Is cable management systems used in racks and under floor.

Safety 

Employees are an important company assets.

• Is a cable management system used and no cables are hanging low or run across the floor?
• Does emergency lighting exist in case of power loss?
• Are exits clear and properly marked?
• Are exits free from obstruction? Note the combustible issue mentioned above.
• What is the noise level within the data center? If it exceeds OSHA standard 1910.95, are signs posted at entrances?
• Does the center have emergency power cut off switches available? Are switches available at all exits? Are they clearly marked and of the type which prevents them from being accidental bumped?

Facilities Management 

Cobit 4.1 reminds us of this issue.

1. Manage HVAC/AC services. Know when the are coming, track their visits and ensure preventative maintenance is up to date.
2. All building work should be scheduled, logged and controlled.
3. All vendor access must be tracked and scheduled.
4. Does management require employee security and safety training?

External Considerations 

• Is the data center building anonymous? Are there signs indicating a data center is on site? Consider whether being anonymous adds security to the data center.
• Is the building shared with other businesses? How well do they manage risk?
• How far is the data center from emergency services? Is the building easy to access? what about the data center?
• What is the crime rate around the data center's location?
• Is there adequate exterior lighting and surveillance to deter crime?

Other Concerns 

• Is insurance in place to cover equipment losses? Does the policy require any of the above environmental controls?
• Is a call list of personel who need to respond to physical security issues maintained?