I learnt how to audit IT facilities by doing it, initially under the wing of an experienced consultant, then with various professional colleagues but mostly under my own steam. I’ve done hundreds over the years, on many sizes of facility (ranging from SOHO and small office setups up to colocation and single-company data centres the size of football pitches) and many types of organization across a variety of industries.
The information risks and hence information security control requirements can vary markedly between facilities. A bank is in a rather different situation to, say, a power station, engineering company or hospital. Separate data centres within a given organization also vary e.g. HQ versus a branch or call centre. Data centres in different countries, cities/towns, even suburbs can vary e.g. compare Kinshasa to Kansas, Mogadishu to Manchester, Auckland North Shore to South Auckland. And they all vary over time, for example Brussels and Paris are different places today in terms of the terrorist threat than just a few years ago, and a data centre that was built last year is different to one put up when Turing was a lad. Despite all that, my approach is fundamentally the same, and I'm interested in similar types of concern.
Physically inspecting the facilities (usually with camera in hand) and talking to relevant people about what I see is the audit/review mechanism that works for me. I’ve yet to see a facility where a number of possible issues and concerns didn’t jump out at me just from a walkabout and chat. I simply keep my eyes and ears open, from the moment the facility comes into view, and ask plenty of dumb questions (“When was the last time you had a fire evacuation? Was it a real fire or a practice? Who was in charge? How did it go? What did you learn? What has changed as a result? What else are you planning to do? …”).
The aspects I normally check include:
- Environment/situation: any gross hazards such as earthquakes or volcanoes, tornados, flood plains & rivers nearby, slips and caves etc., neighboring facilities/areas, alternative facilities;
- Architecture: physical construction, age & state of repair, visibility/conspicuousness, internal layout (e.g. separation from public, reception and delivery areas);
- Physical access controls: policies & procedures (e.g. visitor authentication, tagging and baby-sitting, tailgating), locks (especially card access systems and skeleton keys), barriers, public and shared spaces, CCTV system (including camera quality, coverage, monitoring, recording and networking), guards (e.g. guard tours, contractors), PIR & other intruder alarms, turnstiles, layers with sterile areas/DMZs/moats, emergency egress, delivery areas, under-floor and over-ceiling voids, signage, rack security (including door locks and alarms);
- Electrical power : incoming mains, switchgear & distribution, metering and alarms (local and remote), UPS, generators (and fuel!), capacity/sizing, redundancy, age, maintenance (including proper battery and generator testing), Emergency Power Off buttons;
- Fire prevention: flammable materials and fire hazards nearby, smoke and heat detectors (including types and locations), alarms (local and remote), procedures, suppression systems and hand-held extinguishers, fire training, intumescent strips, maintenance & testing, suitability (e.g. high sensitivity aspirating systems), power and alarm interlocks, fire service or insurance company certification;
- Air conditioning: type/suitability, capacity, redundancy, age, maintenance & cleaning, temperature monitoring & alarms (local and remote), response procedures;
- Flood prevention: any signs of leaks, pipes in/near the facility, water detection & alarms, response procedures, emergency supplies of sheeting & buckets etc.;
- Systems management: a whole detailed area of review goes on here concerning the way the IT, network, phone, security, building and other systems and services are managed and secured - I might go into that another time but I'll skip it for now;
- Cabling: power and network cables and services – routes (e.g. ducts, conduit, separation), main and fallback routes (e.g. redundant ISPs, microwave plus fibre), protection, labeling & documentation, tidiness;
- Other stuff: health and safety plus welfare (e.g. comfortable working conditions), change control procedures, documentation, labelling and control of servers, racks, switches etc., testing and exercising the procedures, any incidents, improvement initiatives and opportunities.
‘Professionalism’ or 'quality' is a thread throughout every review. I’m looking for clear evidence that each aspect of the facility was properly considered, specified, designed, installed/built, used, managed, monitored and maintained, is fit for purpose (which takes into account the type and size of facility and the broader business situation), and is generally ‘impressive’. Based on my experience and the answers to those dumb questions, it is usually obvious whether the people I meet have a clue or not, and whether they appreciate their own limitations. It's usually obvious within the first few minutes whether the facility is approaching world-class or falling well short.
It’s always good, by the way, to find excellent controls and people on hand – not least because I learn new stuff and hone my skills by doing these reviews, talking to the experts and reading up on relevant standards, building codes, local regulations, manufacturers’ advisories etc., oh and by constantly watching the news for stories about actual physical security incidents of all kinds. A stock of genuine anecdotes goes a long way towards persuading people that the risks are real.
I am a generalist, not an expert/specialist in each of those areas above. I believe I know enough and have sufficient experience to spot some issues, but I don’t consider myself competent to fully diagnose or fix them, and quite likely there are deeper issues/concerns that I don’t even notice. Where I find issues that concern me, my stock recommendation on anything complex is to take professional advice from competent experts in the relevant area as to whether the risks are truly significant and how best to address them. I generally stop short of giving specific advice, unless it is both obvious and simple - something along the lines of "Store all that paint, cardboard and plastic somewhere else, almost anywhere else, just not in the computer suite!"
PS I tried but failed to persuade SC27 to beef-up ISO/IEC 27002's coverage of physical security. I still believe the controls listed above constitute 'baseline security controls', just common sense really but evidently not as common as I thought.