Audio version of the article
Equipment needs to be sited and protected to reduce the risks from environmental threats and hazards, and against unauthorized access. The siting of equipment will be determined by a number of factors including the size and nature of the equipment, it’s proposed use and accessibility and environmental requirements. Those responsible for siting equipment must conduct a risk assessment and apply the following wherever possible in line with the risk levels.It addresses how organisations can eliminate and mitigate risks arising out of physical and environmental threats to equipment hosting information assets. Physical and environmental threats to IT equipment such as servers, computers, hard drives, and removable storage media may also compromise the availability, confidentiality, and integrity of information assets. For example, spillage of a drink onto a server, a shutdown of a computer system due to high temperature, and unauthorized access to a computer system not located in a secure area are all examples of physical threats to equipment housing information assets. The equipment should be located in a safe location where conditions are met for proper operation (humidity, temperature, etc.). Therefore, it is important to set humidity and temperature sensors, and to control conditions in order to allow the equipment to operate properly. When talking about working conditions – remember that the equipment is prepared to work under certain conditions, and many computers (especially servers) are prepared to shut down automatically at the moment that these conditions are not met (for example, high temperatures). They do this mainly to prevent damage to the equipment, which consequently, implies an interruption to your business. Here it is also important that the equipment be sited in a safe location to minimize unnecessary access, and for this, you can use different work areas, protecting them with physical access control. And, it is also important that the information processing facilities handling sensitive data be positioned carefully. When it comes to the protection of physical equipment, on the other hand, to maintain an adequate environment, it also tends to be a good practice to establish a norm that employees do not eat, smoke, or drink in the vicinity of the equipment.
Control
Equipment should be sited securely and protected.
Purpose
To reduce the risks from physical and environmental threats, and from unauthorized access and damage.
ISO 27002 Implementation Guidance
The following guidelines should be considered to protect equipment:
- siting equipment to minimize unnecessary access into work areas and to avoid unauthorized access;
- carefully positioning information processing facilities handling sensitive data to reduce the risk of information being viewed by unauthorized persons during their use;
- adopting controls to minimize the risk of potential physical and environmental threats [e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism];
- establishing guidelines for eating, drinking and smoking in proximity to information processing facilities;
- monitoring environmental conditions, such as temperature and humidity, for conditions which can adversely affect the operation of information processing facilities;
- applying lightning protection to all buildings and fitting lightning protection filters to all incoming power and communications lines;
- considering the use of special protection methods, such as keyboard membranes, for equipment in industrial environments;
- protecting equipment processing confidential information to minimize the risk of information leakage due to electromagnetic emanation;
- physically separating information processing facilities managed by the organization from those not managed by the organization.
Specific requirements that should be taken into account for compliance:
- Equipment should be sited in secure areas so that unauthorised persons cannot gain access to equipment.
- Tools used for processing sensitive information such as computers, monitors, and printers should be positioned in a way that unauthorised persons cannot see information displayed on screens without permission.
- Appropriate measures should be put in place to eliminate and/or mitigate risks arising out of physical and environmental threats such as explosives, communications interferences, fire, dust, and electromagnetic radiation.
- For example, a Lightning rod can be an effective control against lightning strikes.
- Guidelines on eating and drinking around equipment should be established and communicated to all relevant parties.
- Environmental conditions that may disrupt the information processing operations should be continuously monitored. These may include temperature and humidity levels.
- Lightning protection mechanisms should be implemented in all buildings and offices. Furthermore, lightning protection filters should be built into all incoming power lines, including communication lines.
- If equipment is located in an industrial environment, special protection controls such as keyboard membranes should be used if needed.
- Electromagnetic emanation may result in the leakage of sensitive information. Therefore, equipment housing sensitive or critical information assets should be secured to prevent such risk.
- IT equipment owned and controlled by an organisation should be clearly segregated from those not owned and controlled by the organisation.
Physical security must be in place to control physical access to restricted areas and facilities containing covered devices. Covered devices such as server hardware, desktop computers and storage media should be locked behind cabinets or tied down to physical restraints that prevent unauthorized removal from restricted area. Access to areas containing covered device should be granted to personnel with a need-to-know based on job function. Restricted areas should display signs to give clear indication that access is for authorized personnel only. Facilities containing covered device should give minimum indication of their purpose, with no obvious signs identifying the presence of covered data or related functions. Physical access control devices such as key card reader, doors and cabinet locks, should be tested prior to use and on a periodic basis (e.g. annually). Resource proprietors and custodians should produce physical or electronic audit trails to record all personnel’s physical access to restricted area for the purpose of security incident investigation. Inventory of who has access to physical access control devices should be regularly reviewed and any inappropriate access identified during the review should be removed promptly.
Advice to protect your Equipment
- Keep doors and windows locked.
- Keep sensitive hard copy records locked away if possible.
- Fit an intruder alarm, with unique codes for each employee.
- Fit bars or shutters to vulnerable windows.
- Use CCTV to deter intruders and record incidences of criminal activity.
- Consider using computer locking cables on individual desktop machines and laptops.
- Keep a fire extinguisher suitable for use with electrical equipment, near your computer.
- Take care how you dispose of packaging that might advertise that you have new equipment.
- Consult with your insurance company or local crime prevention officer for additional security advice.
Advice for Servers & IT infrastructure
- Keep servers and network equipment in a locked room and control access to it.
- Server and networking racks and cabinets can also be protected by individual locks.
- Disable unused network ports.
- Locate equipment to minimize risks from fire, flooding and theft.
- Keep a fire extinguisher suitable for use with electrical equipment, near your IT equipment.
Advice on Visitors to your business:
- Be vigilant about granting access to any visitors, and escort them where appropriate.
- Vet contractors and support personnel.
- Restrict access to sensitive areas, such as server rooms or HR records.
- Encourage staff to challenge unescorted strangers in secure areas.
Limit the impact of a theft or loss
- Make a note of all IT equipment serial numbers to enable reporting if stolen.
- Security mark computers and other high-value items.
- Keep printed photographic records of all equipment and lock them away safely.
- Never store passwords on computers.
- Ensure computer equipment is adequately insured.
- Back up data (see Backups for more information).