
7/24/2019 CPP121f CPIT ICT Security Physical and Environmental Security Standard v2 3

CPIT Corporate Services Division: ICT

Christchurch Polytechnic Institute of Technology

Physical and Environmental Security Standard

Corporate Policies & Procedures
Section 1: General Administration Document CPP121f

Principles
  Security Policy
    Security Standards
      Guidelines and Procedures

Information Communication Technology Division Security Standard, aligned with AS/NZS ISO/IEC 27001: 2006 for Information Security Management

Contents

1    INTRODUCTION ............................................................ 4
2    PHYSICAL ICT SECURE FACILITIES STANDARDS ............................... 5
  2.1  Physical Access Standards ............................................ 5
  2.2  Visitor Access Standards ............................................. 5
  2.3  ICT Secure Facilities Standards ...................................... 5
3    ENVIRONMENTAL SECURE ICT FACILITY STANDARDS ............................ 7
  3.1  Power Supply ......................................................... 7
  3.2  Fire, Flood and Cooling Protection ................................... 7

Physical and Environmental Security Standard

Purpose: This Standard defines the recommended security practices to protect, monitor and maintain the ICT operational environment and ICT Secure Facilities. This standard applies to all CPIT ICT Secure Facilities, regardless of size and location.

Authorised By: ICT Director
Document Owner: Technology Manager
Date of Issue: 15 March 2012
Review date: November 2014
Version: 2.3

References: This document should be read in conjunction with the ICT Security Policy. In addition it should be read in conjunction with the following ICT Security Standards:

1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Communications and Operations Management Security Standard
4. Access Control Security Standard
5. Information Systems Acquisition, Development and Maintenance Security Standard

1 INTRODUCTION

Physical and Environmental Security refers to the protection of ICT Secure Facilities and equipment from theft, natural disaster, accidental damage and environmental changes affecting power or cooling.

ICT Secure Facilities typically house computer equipment and communication equipment that are critical for delivering the ICT service; it is therefore important that these facilities have a reliable power supply, appropriate climate control and preventative monitoring in place.

Access to ICT Secure Facilities needs to be restricted and monitored to ensure that only authorised personnel access the facilities. Finally, ICT staff should follow best practices to monitor and maintain the ICT services within an ICT facility.

These Security Standards recommend the security measures that the Institution needs to consider to protect the physical ICT Secure Facilities and maintain the environmental conditions to support an ICT operation.

The following topics are covered:

• Physical Access Standards to control access to ICT Secure Facilities and, in particular, to record visitor access to ICT Secure Facilities.

• ICT Secure Facilities Standards to maintain the security of the secure ICT facility and mitigate the risk of unauthorised access.

• Environmental Standards to protect ICT Secure Facilities and equipment against environmental changes in power, cooling or flooding. Without the right level of protection, ICT services are at risk and the likelihood of a service being unavailable, following a change in the environmental conditions, increases.

2 PHYSICAL ICT SECURE FACILITIES STANDARDS

The purpose of this section is to ensure that CPIT ICT Secure Facilities are appropriately protected and secured through access control.

2.1 Physical Access Standards

Physical access to ICT Secure Facilities should be restricted to authorised individuals, backed with suitable mechanisms to record and monitor visitors to the facility.

Access to ICT Secure Facilities should include the following controls:

• Access to ICT Secure Facilities should be granted only to those ICT staff or contractors whose job responsibilities require access to the facility.

• The process for authorising card and/or key access to ICT Secure Facilities must include approval by the Infrastructure Manager or ICT Director.

• Access cards or keys to the secure ICT facility should not be shared or loaned to others.

• All access must be notified to and authorised by the Infrastructure Manager or ICT Director.

• Access to hosted services is controlled via the hosting company's access policies and procedures, which will be periodically audited by the ICT Director.

2.2 Visitor Access Standards

Visitors to the ICT Secure Facilities should be subject to the following security controls:

• All access must be authorised by the Infrastructure Manager or ICT Director and allocated appropriate 'visitor' identification.

• Visitors are only permitted access for defined and authorised purposes.

• Visitors must be appropriately supervised at all times as defined by the Infrastructure Manager or ICT Director.

• Visitors must comply with the Institution's Health and Safety Policy CPP501.

2.3 ICT Secure Facilities Standards

ICT Secure Facilities need to be constructed and monitored to maintain a high level of security. A secure ICT facility typically contains CPIT sensitive information, financial information and user data, or provides services essential to the operations of the Institution. Hence, these facilities must be well protected and have appropriate security standards followed.

The following measures need to be considered as best practice to protect all current and future ICT facilities at CPIT. These best practices also apply to any other location that is used to host CPIT's ICT equipment:

• Physically secure all ICT Secure Facilities.

Why worry?

It is important to safeguard ICT Secure Facilities and ensure you know who has access to these facilities. It can be too easy sometimes to walk into a secure ICT facility without being challenged. The standards recommend the following:

• when in a restricted area, challenge those who you don't know
• keep doors closed into restricted areas
• when a visitor arrives, check identification, and make them sign in and out

• ICT Secure Facilities are to be located away from public thoroughfares when practicable.

• Location signs are to be kept to a minimum.

• No doors or windows should be externally accessible, to reduce the risk of unauthorised access. If windows are present they should be blocked so it is not possible to see in, and ideally they should have security bars fitted to prevent access.

• ICT Secure Facilities are to be located as centrally as possible within a building, to minimise the risk of damage or break-ins.

• Intruder alarms that are monitored (ideally 24 hours a day, all year round) should be used to detect unauthorised access.

• A fire-proof safe should be available to store sensitive information and backup media. This may be off-site.

Today and the Future.

These security best practices are designed to protect against unauthorised access to CPIT ICT facilities. They are designed to provide guidance on how current and future ICT facilities need to be built, operated and controlled: a set of best practices for today and in the future.

3 ENVIRONMENTAL SECURE ICT FACILITY STANDARDS

ICT Secure Facilities and equipment should be protected against environmental changes in power, cooling or flooding. Without the right level of protection, ICT services are at risk and the likelihood of a service being unavailable, following a change in the environmental conditions, increases.

Once an appropriate level of power and cooling protection has been established, these systems require regular review to ensure they function as expected and meet the needs of CPIT.

3.1 Power Supply

The objective is to establish a reliable power supply for computer installations to prevent disruption to services.

Measures to consider include:

• Placement of infrastructure within a Tier 3 external data centre environment.

• Segregating power cables from communications cables to limit the potential for interference.

• Clearly marking power cables so they can be identified appropriately.

• Locating power cables away from foot traffic to minimise the risk of ICT staff tripping over or knocking power cables out of ICT equipment.

• Termination points or inspection points must be locked from general access.

• Use of uninterruptible power supply (UPS) devices that are:

  o Scaled to provide sufficient power to the ICT Secure Facilities for an agreed period of time required to support the SLAs and deliver the services as determined by the Institution.

  o Monitored to inform ICT staff when UPS power has been engaged.

• Providing ICT support staff, including security staff, with UPS equipment supporting local desktop computers and associated communications infrastructure; this is to allow support/security staff access to servers when the power is out.

• Installation of appropriate backup emergency lighting in case of a mains power failure.

3.2 Fire, Flood and Cooling Protection

ICT Secure Facilities and equipment should be protected against fire, flooding, heat, earthquake and other natural disasters. This is to reduce the risk of ICT services being disrupted and the potential loss of data.

Measures to consider include:

• Locating ICT Secure Facilities in a safe environment with a low risk of fire, flood, explosion or damage from neighbouring activities.

• Ensuring ICT Secure Facilities do not contain intrinsic fire hazards such as paper or chemicals.

• Installation of a fire detection alarm and an approved fire suppression system.

• Installation of fire resistant doors to limit the spread of fire.

• Installation of water monitors to detect the presence of water within the server room; these are to be suitably alarmed.

• Hand-held fire extinguishers available within every server room.

• Locating servers and associated equipment above ground level to minimise risk from flooding.

• Installation of devices and physical infrastructure to control the temperature and humidity of server rooms in accordance with the equipment manufacturers' recommended levels.

This is the end of the Physical and Environmental Security Standard.

This standard is one of six standards that provide advice and guidance on the best practices to follow when using and accessing ICT services. The other standards are available on the CPIT ICT intranet.