E9 Maintenance

Facilities Management is responsible for coordinating all routine maintenance activity within the building. This refers to both building maintenance as well as to the maintenance of equipment in the Data Centre.

The reason for including equipment maintenance is simply to prevent the building being exposed to too much unusual activity at any one time. Multiple teams working in different places in the Data Centre at the same time represents a security and safety risk.

It is important to note that the actual maintenance of IT equipment is carried out by the Technical Management staff, but under the coordination of Change Management and Facilities Management.

The Facilities Manager should maintain a master schedule of all planned maintenance activity to ensure that maintenance activity is properly coordinated. This schedule forms part of the overall Change Management Change Schedule and is used to ensure that there are no conflicts between routine maintenance activity and the deployment of changes.


Appendix F: Physical Access Control

Section 5.12 and Appendix E introduced the area of Physical Access Control as part of Facilities Management. This section provides a more detailed discussion of this area.

Information Security Management is responsible for defining and documenting all access control policies. These policies will identify all physical security measures that need to be taken and which groups of employees should have access to what type of facility. Facilities Management will ensure that these policies are properly enforced. Policies should include:

  • Which areas are restricted and to whom
  • What access controls will be put in place
  • Under what circumstances access will be allowed to specific restricted areas. For example, preventing all access to a Data Centre floor unless an authorized RFC number is typed into a keypad
  • How access control will be monitored
  • A statement of privacy policies and what information has to be known in order to permit access
  • Policies regarding the surveillance of personnel, e.g. what may be recorded, where and whether there are any exceptions.
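The third bullet's keypad example (no access to the Data Centre floor unless an authorized RFC number is keyed in) combines a group-based area policy with a lookup against the Change Schedule. The Python below is an added illustration, not text or code from the book: the area names, staff groups, RFC numbers, card-holder ids and the ChangeRecord fields are all constructed assumptions. Every path returns a reason, so the decision can be written to the access event log and reviewed later.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy (assumed names): which staff groups may enter
# which restricted area. Information Security Management would define these;
# Facilities Management enforces them at the door.
AREA_POLICY = {
    "reception": {"staff", "contractor", "visitor"},
    "office-floor-2": {"staff", "contractor"},
    "data-centre-floor": {"technical-management"},
}

# Areas where group membership alone is not enough: an authorized RFC number
# must also be keyed in, as in the policy example above.
RFC_REQUIRED_AREAS = {"data-centre-floor"}


@dataclass(frozen=True)
class ChangeRecord:
    """One entry of the Change Schedule (constructed field names)."""
    rfc: str
    status: str             # "approved", "rejected", "closed", ...
    start: datetime         # start of the approved maintenance window
    end: datetime           # end of the approved maintenance window
    authorized: frozenset   # card-holder ids permitted to work under this RFC


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(holder_id, groups, area, when, schedule, rfc=None):
    """Decide whether holder_id may enter `area` at time `when`.

    `schedule` maps RFC number -> ChangeRecord. A reason is returned on every
    path so the access event log records why a door opened or stayed shut.
    """
    allowed_groups = AREA_POLICY.get(area)
    if allowed_groups is None:
        return Decision(False, f"unknown area {area!r}")
    if not allowed_groups & set(groups):
        return Decision(False, "holder's groups are not permitted in this area")
    if area not in RFC_REQUIRED_AREAS:
        return Decision(True, "group policy satisfied")

    # Restricted floor: the keyed-in RFC must exist, be approved, be within
    # its window, and name this holder. Each failure is reported separately.
    if not rfc:
        return Decision(False, "RFC number required for this area")
    record = schedule.get(rfc)
    if record is None:
        return Decision(False, f"RFC {rfc} is not on the Change Schedule")
    if record.status != "approved":
        return Decision(False, f"RFC {rfc} status is {record.status!r}, not approved")
    if not (record.start <= when <= record.end):
        return Decision(False, f"RFC {rfc} window is closed at {when:%Y-%m-%d %H:%M}")
    if holder_id not in record.authorized:
        return Decision(False, f"holder {holder_id} is not named on RFC {rfc}")
    return Decision(True, f"RFC {rfc} approved and in window")


# Constructed sample schedule with one approved overnight maintenance window.
SAMPLE_SCHEDULE = {
    "RFC-1042": ChangeRecord(
        rfc="RFC-1042",
        status="approved",
        start=datetime(2014, 12, 29, 22, 0),
        end=datetime(2014, 12, 30, 2, 0),
        authorized=frozenset({"tm-017", "tm-023"}),
    ),
}

if __name__ == "__main__":
    # A Technical Management engineer keying in the approved RFC during its window.
    print(check_access("tm-017", {"technical-management"}, "data-centre-floor",
                       datetime(2014, 12, 29, 23, 0), SAMPLE_SCHEDULE, rfc="RFC-1042"))
```

The order of the checks matters for monitoring: group membership is tested before the RFC, so a contractor who somehow obtained a valid RFC number is still logged as a group-policy failure rather than as an RFC problem, which is the more useful signal for the security guard reviewing the log.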

Most organizations use multiple levels of access control, starting with access to the property, then moving to access to specific areas in the building and then to specific functions, equipment or rooms. Each level of security is enforced using different mechanisms and personnel, thus providing additional security.

All facilities should have a documented, current floor plan which indicates exactly which areas are restricted and which are not. This plan will also indicate which security measures are implemented and where. This will aid in security audits and also in the maintenance of access control equipment.

Access control devices need to be installed on all entrances and exits. The aim of these devices is to ensure that only authorized personnel have access to the restricted area. Although this appears at first glance to be a fairly straightforward subject, there are a number of items that need to be taken into account (see Table F.1).



Access control: Mechanical
  Example: Lock and key
  Advantages: Stable and reliable; inexpensive
  Disadvantages: Requires key control; locks have to be replaced every time someone leaves the organization; can easily be compromised by anyone with knowledge of a few simple techniques

Access control: Code access
  Example: Mechanical (e.g. a pushbutton device mounted into the door); electronic (e.g. a keypad used to arm or disarm a security alarm)
  Advantages: Stable; relatively inexpensive
  Disadvantages: Someone observing personnel using the device can obtain the code easily; code has to be changed every time someone leaves the organization; people tend to write the code down

Access control: Electronic access
  Example: Key cards
  Advantages: Easy to use; can be used to track personnel’s access; can be cancelled or changed centrally to suit changed requirements; can be cancelled even where staff do not return their card
  Disadvantages: Relatively expensive, although costs have decreased, and often cheaper than using human resources to physically guard each access point; dependent on power availability; can be compromised by people using specialized copying equipment

Access control: Biometric
  Example: Retinal scanner or voice analysis
  Advantages: Very reliable mechanism for identifying specific individuals; difficult to forge access; more effective at countering social engineering
  Disadvantages: Dependent on the availability of power; requires more sophisticated access control systems; relatively expensive

Access control: Multiple access
  Example: Door with a key card. One person opens the door and permits access to any number of people accompanying them
  Advantages: Easy to move from one place to another, especially where groups are working together
  Disadvantages: Difficult to control ‘tailgating’; dependent on the security awareness of authorized personnel; extremely vulnerable to social engineering; should not be used in highly secured areas

Access control: Single access
  Example: Turnstile permits only one person to enter. The same key card cannot be used to enter a second person
  Advantages: Easier to control access; prevents social engineering more effectively
  Disadvantages: Could become a bottleneck at peak hours; requires more intensive surveillance and staffing

Access control: Uni-directional access
  Example: Revolving door allowing only access or only exit. Typically used in airports where security personnel are only concerned about people entering the airport, but not about those exiting
  Advantages: Good for situations where there is no need to monitor what people take out, but where things they take in could cause significant damage
  Disadvantages: Requires more monitoring to ensure that people do not attempt to go through in the wrong direction; typically uni-directional; also implies additional scanning equipment and surveillance

Access control: Bi-directional access
  Example: Access-controlled door
  Advantages: Good for general access to restricted areas
  Disadvantages: People exiting can provide access to unauthorized personnel moving in; could be a bottleneck (e.g. in bi-directional turnstiles people going out have to wait for people coming in)

Access control: Active
  Example: Requires action by personnel to gain access, e.g. swiping a key card or punching a code
  Advantages: Easier to control access; more secure
  Disadvantages: Requires personnel to remember a code or to bring a key card

Access control: Passive
  Example: Passive detector unlocks an exit from inside whenever someone approaches
  Advantages: Provides safer exit in the event of a fire; does not require key cards for people moving to non-secure areas
  Disadvantages: Easy for unauthorized personnel to gain access simply by waiting outside the door; can be triggered from the outside by inserting something under the door and moving it within range of the sensor

Table F.1 Access control devices

As most physical access control mechanisms are not foolproof, it is important to ensure that access can be monitored and controlled. This is done by specialized security staff and by electronic surveillance equipment.

Since security is all about managing the access of people to a facility, it is fitting that people are used to enforce security measures. Larger organizations sometimes provide their own security staff, but most tend to outsource physical access control to specialized companies. This is usually for the following reasons:

  • Security guards require specialized training and are usually subject to a different (almost military) disciplinary code from most company employees. This is often in conflict with the more commercial type of disciplinary code and is best managed by a different set of managers using a different management culture.
  • External companies are less likely to be influenced by social engineering situations, as they have specialized training and are unlikely to understand some of the organization’s internal nuances that could be used by an experienced social engineer.

Surveillance equipment is used to extend the effectiveness of both the physical access control mechanisms and the security personnel. It is important to note that no surveillance equipment can replace the presence of a trained, aware security guard, merely extend their effectiveness. Examples of commonly used surveillance equipment include:

  • Video cameras to monitor key access points and also less used access points, thus allowing a security guard to monitor several locations at once. These are usually taped and the videos stored for some time before being used again. This is to ensure that if any wrongdoing is discovered, the tapes can be used in the investigation. This means that the quality of images must be good enough to facilitate identification of people, but it also has to be in a format that makes it easy to store vast quantities of visual data.
  • Access Event Logs. These typically log every entrance and exit by personnel using electronic access mechanisms.
  • Passive detection units to detect the presence of personnel in an area that should not be staffed.
  • Alarms that will notify security staff of unauthorized access or exit, often linked to an audible alarm.
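Access event logs only extend a guard's effectiveness if someone actually reviews them. The Python below is an added example, not from the book, showing three checks a Facilities or Information Security team could run over the exported log of a single-access door such as the turnstile in Table F.1: a card used to enter twice without leaving (anti-passback, i.e. the card was passed back or copied), a card leaving without ever having entered (the holder tailgated in), and repeated denials at one door within a short window. The log format, door name, card numbers and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line per access event. The format is constructed for this example;
# real access control systems each have their own export format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) card=(?P<card>\S+) "
    r"dir=(?P<dir>IN|OUT) result=(?P<result>GRANTED|DENIED)$"
)

# Constructed sample log for a single-access (anti-passback) door, DC-01.
SAMPLE_LOG = """\
2014-12-29T08:01:12 door=DC-01 card=1042 dir=IN result=GRANTED
2014-12-29T08:01:40 door=DC-01 card=1042 dir=IN result=GRANTED
2014-12-29T08:15:03 door=DC-01 card=2077 dir=OUT result=GRANTED
2014-12-29T08:20:00 door=DC-01 card=3105 dir=IN result=DENIED
2014-12-29T08:20:06 door=DC-01 card=3105 dir=IN result=DENIED
2014-12-29T08:20:11 door=DC-01 card=3105 dir=IN result=DENIED
2014-12-29T09:30:00 door=DC-01 card=1042 dir=OUT result=GRANTED
"""


def parse_log(text):
    """Return one dict per line. A malformed line raises, so a broken export
    is noticed rather than silently producing a clean-looking audit."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised access event: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def audit(events, denied_threshold=3, denied_window_s=60):
    """Return findings as (kind, card, door, timestamp) tuples.

    kinds: "anti-passback"       card entered while already recorded inside
           "exit-without-entry"  card left without a recorded entry (tailgated in)
           "repeated-denial"     >= denied_threshold denials within denied_window_s
    """
    inside = set()                 # cards currently believed to be inside the door
    denials = defaultdict(list)    # (card, door) -> recent denial timestamps
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        card, door, ts = e["card"], e["door"], e["ts"]
        if e["result"] == "DENIED":
            recent = [t for t in denials[(card, door)]
                      if (ts - t).total_seconds() <= denied_window_s]
            recent.append(ts)
            if len(recent) >= denied_threshold:
                findings.append(("repeated-denial", card, door, ts))
                recent = []        # reset so one burst yields one finding
            denials[(card, door)] = recent
            continue
        if e["dir"] == "IN":
            if card in inside:
                findings.append(("anti-passback", card, door, ts))
            inside.add(card)
        else:
            if card not in inside:
                findings.append(("exit-without-entry", card, door, ts))
            inside.discard(card)
    return findings


if __name__ == "__main__":
    for kind, card, door, ts in audit(parse_log(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {door} card={card}: {kind}")
```

An "exit-without-entry" finding on a single-access door is the log-side signature of the tailgating described later in this appendix: the turnstile never saw the card go in, so the holder must have been let through some other way. Pairing that finding with the camera footage for the same timestamp is what makes the stored video worth keeping.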

No matter how secure the environment, it is dependent on the security awareness of the employees and contractors who work in the facility. Social engineering is still one of the most common breaches of physical security. Social engineering refers to the practice of gaining entry to a facility by using interpersonal and communication skills to convince someone to allow unauthorized access to a building, restricted area, restricted equipment and data; or to cabinets containing confidential documents.

Examples of social engineering include:

  • Posing as a legitimate contractor or employee of the organization. The usual technique is to approach security personnel and state that they have forgotten their access card. An Access Log is signed and a visitor’s card produced. There is often no real checking of whether the person is a legitimate employee, especially in busy reception areas.
  • Posing as someone who has a reason to gain unauthorized access to the facility, e.g. a utilities worker or fire inspector.
  • An ex-employee or contractor approaching people with whom they are familiar to allow them access.
  • ‘Tailgating’, where a person simply follows an authorized employee through an entrance that they have opened.

Social engineering is best countered by enforcing strict compliance with access control procedures, continuing education programmes, regular briefings of security personnel and stringent audits.

A growing number of companies offer services to test the rigour of access control with people who specialize in using social engineering techniques.



Date: 2014-12-29