9.1. Physical Security
In the early days of computing, computers, and the information they processed, were protected in the most fundamental way: they were locked up, with entry limited to a few authorized operators and users. Today, a few servers may remain behind bars, but personal computers are widely distributed, taking the place of terminals and having access to nearly all the information that once was locked away in secured areas. Using wireless access points, it is not even necessary to make a physical connection to the network to get a clear shot at almost any resource. Easy electronic access has logically led to an increased emphasis on electronic security.
However, despite advances in computer security and communications security, physical security remains a vitally important component of your total security plan. Physical security measures are tangible defenses that can protect your facility, equipment, and information from theft, tampering, careless misuse, and natural disasters. In some ways, physical security is the easiest and the most rewarding type of security. It's very visible and reassuring. It's a tangible signal to employees and visitors that you take security seriously. Building, server room, and telecommunications room locks provide an important outer, physical perimeter of security, within which electronic measures and other types of security provide finer-grained protection of information.
9.1.1. Natural Disasters
The discussion of information security risks throughout this book has focused on man-made disasters such as sabotage, hacking, and human error. But don't forget that computers and networks are affected by the same kinds of dangers that imperil all of your organization's equipment: fire, flood, lightning, earthquakes, and other natural disasters.
In fact, many natural threats are actually more of an issue for computers than for other types of equipment because computers and associated equipment are particularly sensitive to temperature changes, moisture, power loss, and surges in electricity. And while computers are easily replaceable, the information they contain may not be.
The suggestions provided in the following sections are very brief and basic ones. If you're in a high-risk area for any of these hazards, consider the importance of planning for redundancy, disaster recovery, and business continuance, as discussed in Chapter 5.
Fire and smoke
Install smoke detectors near your equipment, and check them periodically.
Keep fire extinguishers in and near your server rooms, telecommunications rooms, and work areas, and be sure that everyone knows they are there.
Make sure that fire extinguishers are inspected regularly and are of the correct type and rating (ABCD code).
Enforce no-smoking laws and policies; these are also important to controlling smoke, another hazard to computers.
Ensure that specialized gas systems for fire control, such as Halon and carbon dioxide, are operable, cannot be accidentally or carelessly discharged, and are in compliance with environmental laws.
Depending on local codes, it may be a good idea to have the air conditioning system interface with the fire alarm system, so the AC can be shut down if a fire in another part of the building threatens to inject smoke into the server room via the AC ductwork.
Keep all rooms containing computers at reasonable temperatures (approximately 50-80 degrees Fahrenheit or 10-26 degrees Celsius).
Keep telecommunications rooms and server rooms decidedly cool; if you need a sweater while working in them, that's about right.
Keep the humidity level at 20-80 percent.
Install gauges and alarms that warn you if the temperature or humidity is getting out of range.
Equip your heating and cooling systems with air filters to protect against dust (another peril to computers and especially to older tapes and disk packs, and to certain optical media).
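The temperature and humidity limits above can be turned into the kind of alarm check the text recommends. The following is an added example, not part of the original text: the log line format, room names, and the 10 percent warning margin are assumptions, and the Fahrenheit figures are used as the reference limits.

```python
# Added example: limits come from the text; log format and warn margin are assumptions.
TEMP_F = (50.0, 80.0)      # 50-80 degrees Fahrenheit (about 10-26 Celsius)
HUMIDITY = (20.0, 80.0)    # 20-80 percent relative humidity
WARN_FRACTION = 0.10       # assumption: warn within 10% of the range width of a limit
SEVERITY = {"ok": 0, "warn": 1, "alarm": 2}


def to_fahrenheit(value, unit):
    """Normalize a reading to Fahrenheit so one set of limits applies."""
    if unit.upper() == "F":
        return value
    if unit.upper() == "C":
        return value * 9.0 / 5.0 + 32.0
    raise ValueError(f"unknown temperature unit: {unit!r}")


def classify(value, limits):
    """'alarm' outside the limits, 'warn' when close to either limit, else 'ok'."""
    low, high = limits
    if not (low <= value <= high):      # written this way so NaN also alarms
        return "alarm"
    margin = (high - low) * WARN_FRACTION
    if not (low + margin <= value <= high - margin):
        return "warn"
    return "ok"


def evaluate(line):
    """Return (room, status) for one 'room temp=<n><C|F> rh=<n>' line."""
    fields = line.split()
    room = fields[0] if fields else "unknown"
    try:
        temp_raw = fields[1].removeprefix("temp=")
        temp_f = to_fahrenheit(float(temp_raw[:-1]), temp_raw[-1])
        humidity = float(fields[2].removeprefix("rh="))
    except (IndexError, ValueError):
        # A dead or garbled sensor must raise a fault, never read as "in range".
        return room, "fault"
    states = [classify(temp_f, TEMP_F), classify(humidity, HUMIDITY)]
    return room, max(states, key=SEVERITY.get)


# Constructed sample readings, one per room.
SAMPLE = ["server-room temp=68F rh=45", "telecom-room temp=25.5C rh=50",
          "tape-vault temp=70F rh=85", "wiring-closet temp=-- rh=40"]

if __name__ == "__main__":
    for reading in SAMPLE:
        print(*evaluate(reading))
```

The warning band exists because the text asks for a warning when a reading "is getting out of range", which means alerting before the limit is crossed, not after.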
Earthquakes and vibration
Keep computers and telecommunications equipment away from glass windows and high surfaces, particularly if you're in a high-risk area.
Rack-mount equipment where possible, remembering to secure the floor plates. Use the ANSI/TIA/EIA-569-A standard on telecommunications pathways and spaces, with local seismic variations as your guide.
Be sure that if strong vibration occurs (because of earthquakes, construction, or other sources), objects won't easily fall on your computers and network equipment.
There are various types of water damage. Flooding can result from rain or ice buildup outside, toilet or sink overflow inside, or the water from sprinklers used to fight a fire. Air conditioners and other cooling units may create water due to condensation. This is usually held in trays, but these can rust out or overflow. Be sure you've protected against all types of moisture.
If your computer does get wet, let it dry thoroughly before you attempt to turn it on again.
Install a water sensor where appropriate. Simple ones are available for the price of a smoke alarm.
Remember that the presence of water increases the likelihood of electrical shock. Use greater caution in the case of flooding emergencies in equipment areas.
Your computer will suffer if it gets too much or too little electricity.
For best results, install an uninterruptible power supply. It will absorb surges and provide extra voltage during brownouts, and if power fails completely, it will provide power until you're able to shut down the system. An unprotected power loss can result in serious damage. Note that surge protection won't work unless your electrical system is well-grounded.
Install a line filter on your computer's power supply; a voltage spike caused by lightning or a power fault can destroy your computer.
Verify that the protective grounding system is adequate. This may require an electrician or grounding specialist. Local applicable standards, such as ANSI standard 942 and J-STD 607-A, should be your guide, along with the local electrical code.
If you can, install a special electrical circuit with a clearly labeled circuit breaker for each of your systems.
Install antistatic carpeting in your facility. This carpeting contains special filaments that dissipate static electricity.
Have a telecommunications specialist and an electrician verify the effectiveness of your equipment or signal grounding system. In most cases, the signal ground must be electrically bonded to the electrical or protective grounding system.
If a lightning storm hits, try to turn off your computer and unplug it. Lightning generates an enormous power surge that can damage your computer even if you have a surge protector on your computer.
If you use magnetic media as a backup, protect it from the magnetic field created if lightning strikes your building. Store the media as far away as possible from the building's steel supports. Even metal shelving may pose a hazard.
9.1.2. Risk Analysis and Disaster Planning
One of the most important things you can do to protect your organization from disaster is to plan for that disaster. Risk assessment and disaster planning are vital security activities, and they're rarely performed, except by the most informed organizations. For a description of what these activities are all about, see the section "Planning for Disaster" in Chapter 5.