I proposed the following text to update the ISO/IEC 27012:2005 advice on physical security. Unusually for me, it specifically relates to protecting IT rather than information assets of all kinds. Various changes were made in that section, but virtually all that remains of my suggested control is 11.1.4's "Physical protection against natural disasters, malicious attacks or accidents should be designed and applied" so obtain specialist advice.
Protecting the IT environment and services
IT facilities should provide a suitable environment to protect the IT equipment and other information assets, and to maintain essential supplies and services.
IT facilities such as computer rooms, computer suites and computer centres commonly house significant quantities of highly valuable and somewhat fragile IT equipment and other information assets (including data storage media). Where possible, IT facilities should be located to avoid the risks associated with: fires, floods, earthquakes, volcanic eruptions and other natural disasters; vandalism, sabotage, arson and criminal damage; overheating, power interruption etc., for example not being sited in areas prone to:
- earthquakes, volcanoes, landslides and subsidence;
- flooding and tsunami e.g. coastal zones, valley floors and flood plains;
- wild fires e.g. bush and forested areas;
- climatic extremes e.g. tropical and polar regions, deserts;
- lightning, storms, tornadoes etc.;
- power cuts, brownouts, surges and spikes; or
- vandalism and sabotage e.g. lawless areas, dense urban areas, run-down industrial estates or socially-deprived/high-crime areas.
It is particularly important for business continuity purposes that primary (operational) and secondary (load-sharing, standby or disaster recovery) sites are not subject to common environmental risks (e.g. being located too close together or sharing the same fault line).
If it is impossible to avoid the risks entirely, mitigating controls should ideally be designed, implemented, operated, managed and maintained as a coherent and comprehensive set. The following guidelines are not intended to be comprehensive as specialist advice is recommended, particularly given compliance obligations imposed by relevant laws, local building codes and regulations. However, these are commonplace controls:
a) controls to mitigate fire and smoke risks include:
- semi-sealed positive-pressure arrangements to reduce the incursion of smoke, flames and dust from adjacent areas;
- the use of fire-proof, fire-resistant and low-smoke building materials, doors, walls, wallpapers and floor coverings etc.;
- avoiding the use or storage of unnecessary quantities of combustible materials (e.g. flammable fuel or solvents, wood, paper or plastics including computer tapes and packaging materials) and combustion sources (e.g. fires, ovens, furnaces, chemical laboratories, cigarettes) in or near IT facilities;
- cleaning and other measures to reduce the build up of dust, waste, stores etc. that may occlude air filters, cause electrical short-circuits, reduce the reliability of electronic equipment and may cause safety issues (e.g. by blocking emergency exits);
- suitable fire alarms having appropriate smoke and/or heat detectors (including high sensitivity units where high-flow air conditioning units are installed, and perhaps aspirating units inside equipment racks or cabinets), manual fire alarm triggers, alarm/annunciator panels that unambiguously identify the zones where fires are detected, fire-resistant cabling etc.;
- fail-safe power system interlocks to shut down air conditioners, IT equipment, Uninterruptible Power Supplies and generators in the appropriate sequence if a fire is detected (e.g. stopping air conditioners early to avoid fanning the flames and spreading smoke);
- provision of manual fire extinguishers and, where appropriate, automated fire suppression systems, in all cases suitable to protect the IT facilities and electrical equipment, and to protect the health and safety of everyone in the facility;
- properly protected, signed and alarmed emergency exits; and
- fire incident response and evacuation procedures;
b) controls to mitigate flood risks include:
- locating facilities well above water courses and anticipated flood levels;not running water supplies, sewage and drainage pipes through, over or in fact near the facilities (including drains that may block and back-up under false floors);
- properly installing and maintaining roofs, walls, windows and pipework (including air conditioner condensate drains) to minimize the possibility of leaks;
- sub-floor water detection with alarms; and
- provision of mops, buckets, plastic sheeting etc. plus flood response procedures to cope with floods;
c) controls to mitigate accidental or deliberate physical damage to IT facilities such as vandalism, sabotage and arson include:
- strong walls, gates, doors and other physical access barriers and controls (see 9.1.1 [physical security perimeter] and 9.1.2 [physical entry controls]);
- security guards and procedures such as regular and ad hoc facilities inspections or rounds;
- identification, authorization, access and logging/monitoring procedures covering everyone who enters the facilities e.g. employees (staff and managers); contractors and consultants; suppliers, partners and customers; installation and maintenance workers; visitors; cleaners; and security guards; and
- deterrent signs, CCTV monitoring (potentially using covert as well as overt cameras, protected cabling, encrypted wireless links, pan-tilt-zoom cameras, supplementary lighting etc.) and intruder alarms (potentially including ‘silent alarm’ facilities and interlocks with other controls such as CCTV and lighting systems and egress controls);
d) controls to mitigate lightning- and static-electricity related risks include:
- installing suitable lightning conductors on exposed building high points, all properly grounded through directly-routed heavy-duty copper straps etc.;
- safety grounding of all exposed metalwork, metal cabinets and racks housing electrical and IT equipment, raised floor panels etc.;
- using surge arrestors on all wires and cables entering the facility, and fibre-optic or radio instead of copper wires for high-availability data communications links;
- fitting low-static floor coverings, maintaining at least 50-60% relative humidity, and/or the use of static-dissipating conductive coatings or sprays; and
- using grounded static-dissipating mats and wrist bands while working on static-sensitive electronic equipment;
e) controls to mitigate the risks of excessive temperature variations include:
- installation, operation, management and maintenance of suitable heating, ventilating and air conditioning systems, ideally with sufficient excess capacity under normal circumstances to handle the load with ease, cope with extremes, and permit individual units to fail or be taken out of service for maintenance without unduly compromising the temperature control;
- monitoring temperatures locally and remotely (e.g. at security guard stations), with alarms and response procedures accordingly;
- maintaining power consumption and cooling demands within acceptable limits by systematically monitoring and controlling the installation and location of electrical equipment (e.g. high-density racks of blade servers may easily exceed default planning assumptions for both power and local cooling requirements); and
- provision of emergency cooling facilities such as windows or doors that can be left open without compromising physical access controls, fans and portable air conditioners;
f) controls to mitigate risks associated with electrical power include:
- professionally-designed, installed, operated, tested and maintained electrical power systems, covering the power sources, distribution, switching, monitoring and control systems, cabling, sockets, fuses, grounding, ducting etc.;
- power sources with more than adequate capacity to cope with current and projected peak loads, ideally supplied from diverse parts of the electrical grid (e.g. separate substations fed from separate high voltage transmission lines) with appropriate facilities to cross-link or change over supplies safely in an emergency;
- resilient power sources such as computer-grade Uninterruptible Power Supplies, electrical generators, power-conditioners etc., all adequately specified for the intended use;
- preferential use of low power/highly efficient equipment; and
- systematic monitoring of power loads, balancing the load across phases and circuits, and ensuring that capacities are never exceeded;
g) general-purpose controls for IT facilities include:
- adoption of international and national standards relevant to the risks and controls in this section;
- consulting subject-matter experts offering more specific and detailed/tailored guidance in these areas;
- awareness, training and management oversight activities to reinforce compliance with applicable laws, regulations, policies, procedures, guidelines etc.;
- regular inspections, surveys or tests of IT facilities and the associated controls for signs of inadequately mitigated risks (these may perhaps be fulfilled at least partly through security guards’ rounds, routine health and safety inspections, facilities audits etc.); and
- business continuity arrangements including resilience measures (such as hot sites), crisis and incident management procedures and contingency plans to mitigate the impacts of environmental or physical disasters despite the preventive controls (see also clause 14).
I deliberately structured the proposed control around the specific risks being addressed - an approach I favor throughout ISO27k: if we are advising people to identify, assess, treat and monitor their information-related risks, it makes sense to me for the standards themselves to be overtly risk-driven. I envisaged information security pro's systematically working through the text above, thinking about the relevance of the listed risks, and considering the advice on controls. However, 27002 is controls-driven, making little reference to the risks.
That final reference to clause 14 on business continuity should now read clause 17, although that is another section where my suggested changes were rejected, leaving us with a distinctly unimpressive result. More on that later.