7/24/2019 CPP121f CPIT ICT Security Physical and Environmental Security Standard v2 3
1/8
CPIT Corporate Services Division: ICT
Christchurch Polytechnic Institute of Technology
Physical and Environmental Security Standard
Corporate Policies & Procedures
Section 1: General Administration, Document CPP121f
Principles
Security Policy
Security Standards
Guidelines and Procedures
Information Communication Technology Division
Security Standard, aligned with AS/NZS ISO/IEC 27001:2006 for Information Security Management
Contents
1   INTRODUCTION ................................................ 4
2   PHYSICAL ICT SECURE FACILITIES STANDARDS .................... 5
2.1 Physical Access Standards ................................... 5
2.2 Visitor Access Standards .................................... 5
2.3 ICT Secure Facilities Standards ............................. 5
3   ENVIRONMENTAL SECURE ICT FACILITY STANDARDS ................. 7
3.1 Power Supply ................................................ 7
3.2 Fire, Flood and Cooling Protection .......................... 7
Physical and Environmental Security Standard
Purpose: This Standard defines the recommended security practices to protect, monitor
and maintain the ICT operational environment and ICT Secure Facilities.
This standard applies to all CPIT ICT Secure Facilities, regardless of size and
location.
Authorised By: ICT Director
Document Owner: Technology Manager
Date of Issue: 15 March 2012
Review date: November 2014
Version: 2.3
References: This document should be read in conjunction with the ICT Security Policy.
In addition it should be read in conjunction with the following ICT Security
Standards:
1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Communications and Operations Management Security Standard
4. Access Control Security Standard
5. Information Systems Acquisition, Development and Maintenance Security Standard
1 INTRODUCTION
Physical and Environmental Security refers to the protection of ICT Secure Facilities and equipment
from theft, natural disaster, accidental damage and environmental changes in power or cooling.
ICT Secure Facilities typically house computer equipment and communication equipment that are
critical for delivering the ICT service; it is therefore important that these facilities have a reliable
power supply, appropriate climate control and preventative monitoring in place.
Access to ICT Secure Facilities needs to be restricted and monitored to ensure that only authorised
personnel access the facilities. Finally, ICT staff should follow best practices to monitor and maintain
the ICT services within an ICT facility.
These Security Standards recommend the security measures that the Institution needs to consider to
protect the physical ICT Secure Facilities and maintain the environmental conditions to support an
ICT operation.
The following topics are covered:
- Physical Access Standards: to control access to ICT Secure Facilities and, in particular, to
  record visitor access to ICT Secure Facilities.
- ICT Secure Facilities Standards: to maintain the security of the secure ICT facility and
  mitigate the risk of unauthorised access.
- Environmental Standards: to protect ICT Secure Facilities and equipment against
  environmental changes in power, cooling or flooding. Without the right level of protection,
  ICT services are at risk and the likelihood of a service being unavailable, following a change
  in the environmental conditions, increases.
2 PHYSICAL ICT SECURE FACILITIES STANDARDS
The purpose of this section is to ensure that CPIT ICT Secure Facilities are appropriately protected
and secured through access control.
2.1 Physical Access Standards
Physical access to ICT Secure Facilities should be restricted to authorised individuals, backed with
suitable mechanisms to record and monitor visitors to the facility.
Access to ICT Secure Facilities should include the following controls:
- Access to ICT Secure Facilities should be granted only to those ICT staff or contractors whose job
  responsibilities require access to the facility.
- The process for authorising card and/or key access to ICT Secure Facilities must include approval
  by the Infrastructure Manager or ICT Director.
- Access cards or keys to the secure ICT facility should not be shared or loaned to others.
- All access must be notified to and authorised by the Infrastructure Manager or ICT Director.
- Access to hosted services is controlled via the hosting company's access policies and procedures,
  which will be periodically audited by the ICT Director.
2.2 Visitor Access Standards
Visitors to the ICT Secure Facilities are subject to the following security controls:
- All access must be authorised by the Infrastructure Manager or ICT Director and allocated
  appropriate 'visitor' identification.
- Visitors are only permitted access for defined and authorised purposes.
- Visitors must be appropriately supervised at all times as defined by the Infrastructure Manager
  or ICT Director.
- Visitors must comply with the Institution's Health and Safety Policy CPP501.
2.3 ICT Secure Facilities Standards
ICT Secure Facilities need to be constructed and monitored to maintain a high level of security. A
secure ICT facility typically contains CPIT sensitive information, financial information and user data,
or provides services essential to the operations of the Institution. Hence, these facilities must be
well protected and appropriate security standards must be followed.
Why worry?
It is important to safeguard ICT Secure Facilities and ensure you know who has access to these
facilities. It can be too easy sometimes to walk into a secure ICT facility without being challenged.
The standards recommend the following:
- when in a restricted area, challenge those who you don't know
- keep doors closed into restricted areas
- when a visitor arrives, check identification, and make them sign in and out
The following measures need to be considered as best practice to protect all current and future ICT
facilities at CPIT. These best practices also apply to any other location that is used to host CPIT's
ICT equipment:
- Physically secure all ICT Secure Facilities.
- ICT Secure Facilities are to be located away from public thoroughfares when practicable.
- Location signs are to be kept to a minimum.
- No doors or windows should be externally accessible, to reduce the risk of unauthorised access. If
  windows are present they should be blocked so it is not possible to see in, and ideally they should
  have security bars fitted to prevent access.
- ICT Secure Facilities are to be located as centrally as possible within a building, to minimise the
  risk of damage or break-ins.
- Intruder alarms that are monitored (ideally 24 hours a day, all year round) should be used to
  detect unauthorised access.
- A fire-proof safe should be available to hold sensitive information and backup media. This may
  be off-site.
Today and the Future
These security best practices are designed to protect against unauthorised access to CPIT ICT
facilities. They are designed to provide guidance on how current and future ICT facilities need to
be built, operated and controlled: a set of best practices for today and in the future.
3 ENVIRONMENTAL SECURE ICT FACILITY STANDARDS
ICT Secure Facilities and equipment should be protected against environmental changes in power,
cooling or flooding. Without the right level of protection, ICT services are at risk and the likelihood
of a service being unavailable, following a change in the environmental conditions, increases.
Once an appropriate level of power and cooling protection has been established, these systems
require regular review to ensure they function as expected and meet the needs of CPIT.
3.1 Power Supply
The objective is to establish a reliable power supply for computer installations to prevent disruption
to services.
Measures to consider include:
- Placement of infrastructure within a tier 3 external data centre environment.
- Segregating power cables from communications cables to limit the potential for interference.
- Clearly marking power cables so they can be identified appropriately.
- Locating power cables away from foot traffic to minimise the risk of ICT staff tripping over or
  knocking power cables out of ICT equipment.
- Termination points or inspection points must be locked from general access.
- Use of uninterruptible power supply (UPS) devices that are:
  o Scaled to provide sufficient power to the ICT Secure Facilities for an agreed period of time
    required to support the SLAs and deliver the services as determined by the Institution.
  o Monitored to inform ICT staff when UPS power has been engaged.
- Providing ICT support staff, including security staff, with UPS equipment supporting local desktop
  computers and associated communications infrastructure; this is to allow support/security staff
  access to servers when the power is out.
- Installation of appropriate backup emergency lighting in case of a mains power failure.
3.2 Fire, Flood and Cooling Protection
ICT Secure Facilities and equipment should be protected against fire, flooding, heat, earthquake and
other natural disasters. This is to reduce the risk of ICT services being disrupted and the potential
loss of data.
Measures to consider include:
- Locating ICT Secure Facilities in a safe environment with a low risk of fire, flood, explosion or
  damage from neighbouring activities.
- Ensuring ICT Secure Facilities do not contain intrinsic fire hazards such as paper or chemicals.
- Installation of a fire detection alarm and an approved fire suppression system.
- Installation of fire-resistant doors to limit the spread of fire.
- Installation of water monitors to detect the presence of water within the server room; these are
  to be suitably alarmed.
- Hand-held fire extinguishers available within every server room.
- Locating servers and associated equipment above ground level to minimise risk from flooding.
- Installation of devices and physical infrastructure to control the temperature and humidity of
  server rooms in accordance with the equipment manufacturers' recommended levels.
This is the end of the Physical and Environmental Security Standard.
This standard is one of six standards that provide advice and guidance on the best practices to
follow when using and accessing ICT services. The other standards are available on the CPIT ICT
intranet.