Welcome » IT Booklets » Information Security » Security Controls Implementation » Physical And Environmental Protection » Data Center Security
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through
the use of guards, fences, barriers, surveillance equipment, or
other similar devices. Since access to key information system
hardware and software should be limited, doors and windows must be
secure. Additionally, the location should not be identified or
advertised by signage or other indicators.
Detection devices, where applicable, should be utilized to
prevent theft and safeguard the equipment. They should provide
continuous coverage. Detection devices have two purposes- to alarm
when a response is necessary and to support subsequent forensics.
The alarm capability is useful only when a response will occur.
Some intruder detection devices available include
Risks from environmental threats can be addressed through
devices such as halon gas and halon replacements, smoke alarms,
raised flooring, and heat sensors.
Physical security devices frequently need preventive maintenance
to function properly. Maintenance logs are one control the
institution can use to determine whether the devices are
appropriately maintained. Periodic testing of the devices provides
assurance that they are operating correctly.
Security guards should be properly instructed about their
duties. The employees who acces secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal
of assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a