ISO 27001:2022 A 7.8 Equipment siting and protection

Uncategorized 5 Minutes

Equipment needs to be sited and protected to reduce the risks from environmental threats and hazards, and against unauthorized access. The siting of equipment will be determined by a number of factors including the size and nature of the equipment, it’s proposed use and accessibility and environmental requirements. Those responsible for siting equipment must conduct a risk assessment and apply the following wherever possible in line with the risk levels.It addresses how organisations can eliminate and mitigate risks arising out of physical and environmental threats to equipment hosting information assets. Physical and environmental threats to IT equipment such as servers, computers, hard drives, and removable storage media may also compromise the availability, confidentiality, and integrity of information assets. For example, spillage of a drink onto a server, a shutdown of a computer system due to high temperature, and unauthorized access to a computer system not located in a secure area are all examples of physical threats to equipment housing information assets. The equipment should be located in a safe location where conditions are met for proper operation (humidity, temperature, etc.). Therefore, it is important to set humidity and temperature sensors, and to control conditions in order to allow the equipment to operate properly. When talking about working conditions – remember that the equipment is prepared to work under certain conditions, and many computers (especially servers) are prepared to shut down automatically at the moment that these conditions are not met (for example, high temperatures). They do this mainly to prevent damage to the equipment, which consequently, implies an interruption to your business. Here it is also important that the equipment be sited in a safe location to minimize unnecessary access, and for this, you can use different work areas, protecting them with physical access control. And, it is also important that the information processing facilities handling sensitive data be positioned carefully. When it comes to the protection of physical equipment, on the other hand, to maintain an adequate environment, it also tends to be a good practice to establish a norm that employees do not eat, smoke, or drink in the vicinity of the equipment.

Control

Equipment should be sited securely and protected.

Purpose

To reduce the risks from physical and environmental threats, and from unauthorized access and damage.

ISO 27002 Implementation Guidance

The following guidelines should be considered to protect equipment:

  • siting equipment to minimize unnecessary access into work areas and to avoid unauthorized access;
  • carefully positioning information processing facilities handling sensitive data to reduce the risk of information being viewed by unauthorized persons during their use;
  • adopting controls to minimize the risk of potential physical and environmental threats [e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism];
  • establishing guidelines for eating, drinking and smoking in proximity to information processing facilities;
  • monitoring environmental conditions, such as temperature and humidity, for conditions which can adversely affect the operation of information processing facilities;
  • applying lightning protection to all buildings and fitting lightning protection filters to all incoming power and communications lines;
  • considering the use of special protection methods, such as keyboard membranes, for equipment in industrial environments;
  • protecting equipment processing confidential information to minimize the risk of information leakage due to electromagnetic emanation;
  • physically separating information processing facilities managed by the organization from those not managed by the organization.

Specific requirements that should be taken into account for compliance:

  • Equipment should be sited in secure areas so that unauthorised persons cannot gain access to equipment.
  • Tools used for processing sensitive information such as computers, monitors, and printers should be positioned in a way that unauthorised persons cannot see information displayed on screens without permission.
  • Appropriate measures should be put in place to eliminate and/or mitigate risks arising out of physical and environmental threats such as explosives, communications interferences, fire, dust, and electromagnetic radiation.
  • For example, a Lightning rod can be an effective control against lightning strikes.
  • Guidelines on eating and drinking around equipment should be established and communicated to all relevant parties.
  • Environmental conditions that may disrupt the information processing operations should be continuously monitored. These may include temperature and humidity levels.
  • Lightning protection mechanisms should be implemented in all buildings and offices. Furthermore, lightning protection filters should be built into all incoming power lines, including communication lines.
  • If equipment is located in an industrial environment, special protection controls such as keyboard membranes should be used if needed.
  • Electromagnetic emanation may result in the leakage of sensitive information. Therefore, equipment housing sensitive or critical information assets should be secured to prevent such risk.
  • IT equipment owned and controlled by an organisation should be clearly segregated from those not owned and controlled by the organisation.

Physical security must be in place to control physical access to restricted areas and facilities containing covered devices. Covered devices such as server hardware, desktop computers and storage media should be locked behind cabinets or tied down to physical restraints that prevent unauthorized removal from restricted area. Access to areas containing covered device should be granted to personnel with a need-to-know based on job function. Restricted areas should display signs to give clear indication that access is for authorized personnel only. Facilities containing covered device should give minimum indication of their purpose, with no obvious signs identifying the presence of covered data or related functions. Physical access control devices such as key card reader, doors and cabinet locks, should be tested prior to use and on a periodic basis (e.g. annually). Resource proprietors and custodians should produce physical or electronic audit trails to record all personnel’s physical access to restricted area for the purpose of security incident investigation. Inventory of who has access to physical access control devices should be regularly reviewed and any inappropriate access identified during the review should be removed promptly.

Advice to protect your Equipment

  • Keep doors and windows locked.
  • Keep sensitive hard copy records locked away if possible.
  • Fit an intruder alarm, with unique codes for each employee.
  • Fit bars or shutters to vulnerable windows.
  • Use CCTV to deter intruders and record incidences of criminal activity.
  • Consider using computer locking cables on individual desktop machines and laptops.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your computer.
  • Take care how you dispose of packaging that might advertise that you have new equipment.
  • Consult with your insurance company or local crime prevention officer for additional security advice.

Advice for Servers & IT infrastructure

  • Keep servers and network equipment in a locked room and control access to it.
  • Server and networking racks and cabinets can also be protected by individual locks.
  • Disable unused network ports.
  • Locate equipment to minimize risks from fire, flooding and theft.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your IT equipment.

Advice on Visitors to your business:

  • Be vigilant about granting access to any visitors, and escort them where appropriate.
  • Vet contractors and support personnel.
  • Restrict access to sensitive areas, such as server rooms or HR records.
  • Encourage staff to challenge unescorted strangers in secure areas.

Limit the impact of a theft or loss

  • Make a note of all IT equipment serial numbers to enable reporting if stolen.
  • Security mark computers and other high-value items.
  • Keep printed photographic records of all equipment and lock them away safely.
  • Never store passwords on computers.
  • Ensure computer equipment is adequately insured.
  • Back up data (see Backups for more information).

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply