Physical security is a set of security measures adopted to make sure that only authorized individuals are allowed access to resources, equipment, and other assets in a data center. Physical security procedures and measures can consist of a broad spectrum of methods to discourage intruders, and may also rely on technology-based methods. A well-implemented physical security policy protects the data center’s resources and equipment against theft, vandalism, natural disaster, sabotage, cyber-attack and other malicious acts. All personnel should make themselves aware of the contents of the security policy and adhere to those parts of the policy that cover their areas of work.
It is essential to state and enforce physical and environmental controls in order to protect information assets and systems from unauthorized access and to defend against environmental threats. This policy sets out the requirements for the protection of data centers from both physical and environmental threats to ensure the confidentiality, integrity, and availability of the data contained within.
This policy describes the physical security requirements for the (Organization)’s Data Center, including Network Operating Center (NOC) offices and the data center, and all contents therein. It covers a wide variety of property and people requirements. All employees, contractors, service engineers, and agents of the (Organization) are covered by this policy and expected to comply with its requirements.
The location of the data center should be selected where the risk of natural disasters is at acceptable levels. Natural disasters include but are not limited to lightning storms, heavy rain, sandstorms and floods.
The site should be within an area where the risk of man-made disaster is as low as possible. Man-made disasters include but are not limited to plane crashes, riots, explosions, armed conflicts, and fires. The site should not be adjacent to airports, prisons, freeways, stadiums, and parade routes.
The reliability of the facilities providing electrical power to the site should be at 99.9% or better. Electricity must be received from two separate substations (or more) preferably attached to two separate power plants. There should be two sources of water available to the site. There must be connectivity to more than one access provider at the site.
The data center should not share the same space with other offices, especially those not owned by the same entity. If the data center must share space with other offices, it should not have walls adjacent to them.
Each entry point of the data center should be guarded, and data center employees’ access to the facility should be controlled using a reliable method of automatic authentication. Nothing should obstruct surveillance of the surrounding areas by CCTV camera or by the patrolling guards. There should not be a sign advertising that the place is in fact a data center or that (Organization) owns it.
CCTV cameras should be installed outside the building to monitor places nearby properties. Guards should patrol the property’s perimeter regularly. All vehicles belonging to (Organization)’s staff, contractors, guards, and cleaning crew should be issued parking permits. Others should only be allowed to use the visitor parking areas. Vehicles not fitting either of these classifications should be towed.
The rooms containing the computers should not have windows to the outside. Such windows pose the risk of remote eavesdropping and introduce extra heat from sunlight entering the rooms. Those rooms should also be located in the interior of the data center. If they must have a wall at the edge of the data center, a physical barrier should be placed outside the wall, preventing any direct access to the room’s wall.
Automatic authentication should be in place at all entry points of the facility. Any equipment or items accompanying an individual entering the facility should be logged by security guards on entry and accounted for on exit, with the time and the person’s identity recorded. Access to the authentication badge database should be available at the security kiosk, where the picture of each badge holder must be accessible. Badges must have a picture of the holder.
Signs designating the server room as restricted access and prohibiting food, drink, and smoking should be present. Its doors should be equipped with an automatic authentication method. The doors should also be fireproof. Each server room should have only two doors. Because the rooms lack windows, a single door is considered poor design in most fire codes. Access to computer rooms should only be granted to those maintaining the servers or the room’s infrastructure. During holidays, access should be restricted to emergencies.
Server rooms should be monitored by CCTV cameras. Redundant access to power, cooling, and connectivity should be present at each computer room. The server rooms should have a raised floor of around 46 centimeters in order to provide air flow and cable management. Those rooms should also be equipped with air filtration. The server room’s ceiling should be high to allow for heat dissipation.
The temperature in each server room should be maintained between 12 and 24 degrees Celsius. The humidity should be kept between 20% and 80%. Both the temperature and humidity should be monitored using sensors installed in the rooms, and their readings need to be logged and reported to the Network Operating Center.
A total flooding agent solution should be in place in each server room. Suitable fire extinguishers must be placed in each server room. Preferable Pipe sprinkler systems must not be used in server rooms.
There must be a redundant cooling system in place. Outdoor parts of the cooling systems must be secluded from the car park of the data center.
The server room must have at least a battery-based power source onsite that can provide enough operating time to switch over to fossil fuel power generation. If there is no fossil fuel backup, the battery should last for at least 24 hours. The fuel should be enough for 24 hours and should be stored onsite, and a contract to obtain up to a week’s worth should already be in place.
Dumpsters should be monitored by CCTV cameras, and all paper documents containing any sensitive information should at least be shredded onsite or destroyed beyond retrieval before being discarded.
The NOC must have fire, power, weather, temperature, and humidity monitoring systems in place. There must be redundant methods of communication between the NOC and the outside world. It must be manned 24/7. It is recommended that NOC staff monitor news outlets for events affecting the security of the data center.
The data center must have a disaster recovery plan. Ensure that the plan addresses the following questions: What constitutes a disaster? Who gets notified regarding a disaster, and how? Who conducts damage assessment and decides what backup resources are utilized? Where are backup sites located, and what is done to maintain them, on what schedule? How often and under what conditions is the plan updated? If the organization does not own the data center, what downtime does the service level agreement with the center allow? A list of people within the organization to notify must be maintained by the NOC of the data center, including office, home, and mobile phone numbers and instant message names if available. How often are those people updated?
There must be regular offsite backups of sensitive data. A backup policy must be issued and implemented that sets out the steps to follow to restore a backup and contains a schedule of rehearsals for testing the readiness of the backup procedures.
All security guards should be subject to criminal background checks prior to hiring, repeated regularly thereafter. They should be familiarized with the physical security policy and trained to enforce it strictly.
All cleaning staff should work in groups of at least two. The cleaning crew should be restricted to offices and the NOC. If cleaning staff must access a computer room for any reason, they must be escorted by NOC personnel.
The times at which service engineers enter and leave the premises must be logged at the building entrance. The NOC staff should log the service engineers’ badge exchange to access a server room.
Visitors must be accompanied by the person whom they are visiting at all times during their visit. Visitors must not be permitted access to a server room without written consent from data center administration. All visitors who enter computer rooms must sign Non-Disclosure Agreements.
All users at the data center must sign Non-Disclosure Agreements. A Physical Security Policy should be signed by each user and enforced by security guards.
An organizational chart should be maintained detailing job function and responsibility. Ideally, the organizational chart would also show which functions each worker has been cross-trained to perform.
It’s not enough to document only what current employees know at the moment about existing systems and hardware. All new work, all changes, must be documented as well.
Data Center employees should be cross-trained in a number of other job functions. This allows for a higher chance of critical functions being performed in a crisis.
A contact database must be maintained with contact information for all Data Center employees.
Data Center employees should regularly practice telecommuting. If the data center is damaged or the ability to reach the data center is diminished, then work can still be performed remotely.