Operations/facility security

Facility security concerns the management of facility controls. Some of the important controls that need attention are auditing and emergency procedures.

Auditing

Auditing is a process to check and validate the effectiveness of controls. The primary tool that assists in the audit is an audit trail. In the physical and operational security domains, auditing is primarily scoped to physical access controls and operational procedures. The focus of the audit is to ascertain that the threats and vulnerabilities to physical access are identified, that suitable mitigation of the risks is being implemented, and that the physical access controls are effective.

While doing audits with the scope of physical security of information systems, the following points need to be considered:

  • The physical location of the information systems is a primary factor. Environmental risk factors, such as proximity to toxic chemical installations and locations that are in a seismic zone and close to the seashore, should be avoided as far as possible.

Note

Seismic zones are regions where earthquakes are known to occur.

  • Adherence to HVAC specifications for server and network equipment, along with their proper functioning and maintenance. It is better not to have windows in the data center, and the doors should be designed to maintain positive air pressure.

Note

Positive air pressure implies that the air flows out of the room when the door is opened.

  • The usage of raised floors in data centers, with all the cables and ducts run under the raised floors.

Note

Based on various specifications, a raised data center floor can be anywhere between 300 mm and 800 mm, depending upon the floor area.

  • It is important to check the adequacy of access control mechanisms. The usage of smart cards, proximity cards, biometric sensors, and mantrap systems for data center access control should be encouraged. An audit trail has to be established for auditing the use of credentials.
  • Periodic vetting of personnel working in critical installations such as data centers.
  • Access controls to support infrastructure such as telecommunication rooms, power control rooms housing UPS, and batteries.
  • Fire detection and suppression controls based on the recommended specifications.
  • Adequacy of lighting and emergency lighting.
  • Adequacy of water, temperature, and humidity sensors along with their alarm functions.
  • Avoiding obvious sign boards and directions to critical installations.
  • Insurance coverage.

Audit trail

An audit trail contains all the recorded events. The events may be security related or general activities. One of the most important audit trails in physical and operational security domains is the access details to the data center and other control rooms. The access details should contain the access attempts, the result such as success or failure, as well as the location accessed.

The record of access events is stored in files called logs. An access log contains the events that are related to access attempts, and an error log contains the exceptions.

Generally, access logs contain event-related details, such as the date and time of the access attempt, the result of the access attempt in terms of success or failure, the location where the access was granted, the person who was authorized, and the modifications to the access privileges.
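The following added example (not part of the original text) shows one way an auditor could review such an access log: it checks that each record carries the fields listed above, flags repeated failed attempts by one person at one location, and lists modifications to access privileges. The CSV column layout, the event names, and the sample records are constructed assumptions, not the export format of any particular access control system.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge-reader export; the column layout is an assumption.
SAMPLE_LOG = """timestamp,person,location,event,result
2024-03-01T08:58:10,alice,DC-1 mantrap,ACCESS,SUCCESS
2024-03-01T22:14:02,bob,DC-1 mantrap,ACCESS,FAILURE
2024-03-01T22:14:40,bob,DC-1 mantrap,ACCESS,FAILURE
2024-03-01T22:15:21,bob,DC-1 mantrap,ACCESS,FAILURE
2024-03-01T22:40:00,carol,UPS room,ACCESS,FAILURE
2024-03-02T09:00:00,admin1,DC-1 mantrap,PRIV_CHANGE,SUCCESS
2024-03-02T09:05:00,,Telecom room,ACCESS,SUCCESS
"""

REQUIRED = ("timestamp", "person", "location", "event", "result")

def review_access_log(text, threshold=3, window=timedelta(minutes=5)):
    """Return incomplete records, failure bursts and privilege changes."""
    incomplete, priv_changes = [], []
    failures = defaultdict(list)  # (person, location) -> failure times
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        # A record missing any field the audit trail should carry is itself a finding.
        if any(not (row.get(f) or "").strip() for f in REQUIRED):
            incomplete.append(line_no)
            continue
        when = datetime.fromisoformat(row["timestamp"])
        if row["event"] == "PRIV_CHANGE":
            priv_changes.append((when, row["person"], row["location"]))
        elif row["result"] == "FAILURE":
            failures[(row["person"], row["location"])].append(when)
    bursts = []
    for key, times in failures.items():
        times.sort()
        # Sliding window: `threshold` failures whose first and last fall within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append(key)
                break
    return {"incomplete": incomplete, "bursts": bursts, "priv_changes": priv_changes}

if __name__ == "__main__":
    for name, items in review_access_log(SAMPLE_LOG).items():
        print(name, items)
```

The thresholds are illustrative defaults; an audit would set them from the organization's own access policy.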

Emergency procedures

Physical security also deals with procedures that need to be followed during emergencies. An emergency is an undesired event that may disturb operations for a prolonged period of time. The impact of an emergency event could be devastating in terms of human loss, facility loss, connectivity disturbances, and equipment and data loss. Proper procedures need to be developed, personnel need to be trained on such procedures, and the procedures need to be periodically tested for effectiveness and continued usability.

The upcoming sections deal with emergency procedures that an information security professional should be aware of.

Startup and shutdown procedures

During an emergency, the IT systems may be shut down intentionally or automatically and may need to be relocated to a different site. Similarly, data may be moved to a different system at a remote site. System startup and shutdown procedures lay down guidelines and activities that need to be performed so that security is not compromised during system/data migration or relocation. These procedures should include emergency procedures to address the requirements when a disaster strikes. Some of the startup and shutdown procedures include the following:

  • Checking all the cables before startup to ensure that they are not loose
  • Checking that the power strip is turned on and the power plug is tightly placed
  • Checking that the peripheral devices are properly connected and powered on as per procedures
  • Booting the systems to a single user or a multi-user mode as per security requirements
  • Activating network connections in either manual or automatic mode based on security requirements
  • Ensuring that the system shuts down completely during system halt
  • Avoiding the physical reset of the operating system
  • Ensuring that all the programs are closed before shutdown
  • In case of unplanned or unexpected shutdown, ensuring that the system is restarted in diagnostic mode, so that any data corruption is checked before loading the operating system

Evacuation procedures

Evacuation procedures address the priorities in terms of evacuating assets from the disaster site and properly handling such assets. The following points should be considered while developing and testing evacuation procedures.

Personnel are the first to be secured during an emergency or disaster. It is important that evacuation procedures address the secure evacuation of personnel first:

  • Emergency exits should be clearly marked and should lead to an open space
  • A floor plan with a clear marking of emergency locations and indicating the current location should be available in all the strategic locations
  • Emergency lights should be installed at strategic locations throughout the facility
  • A clearly marked assembly area has to be set up, and the personnel should be advised to assemble and remain in the assembly area during evacuation
  • Automatic shutdown of equipment, such as air conditioners during a fire alarm, should be considered
  • Equipment such as fire extinguishers should be available at strategic locations
  • The maintenance of fire extinguishers must be up to date
  • Trained personnel, designated as wardens or supervisors, should be available to direct and control emergency procedures
  • The roles and responsibilities of building wardens or supervisors and other sub wardens should be clearly defined, and their action plans including coordination should be documented clearly
  • Identification mechanisms such as different colored helmets or coats for identifying relevant support personnel should be used

Training and awareness

Training and awareness play an important role during emergencies. Most importantly, the personnel need to be aware of the emergency procedures. To achieve this, organizations should conduct periodical mock tests to ensure that the activities that need to be performed during an emergency or disaster are rehearsed and any kind of deviation is documented. These mock tests allow the security planners to fine-tune the emergency procedures, and those refinements percolate into the training activities. Periodical mock tests are also called evacuation drills.

The following points should be covered in training, awareness programs, and evacuation drills:

  • Evacuation drills should be periodically conducted
  • The success and failure of such drills should be properly documented, and the lessons learned from such exercises should be updated in the emergency procedures and training manuals
  • An explanation of different alarm types should be given
  • An explanation of different identification mechanisms for support personnel should be given
  • Actions to be taken by personnel when the alarm signals
  • The location of assembly points
  • Security procedures to be followed if moving computer equipment