All state information processing areas must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations.
STANDARD. Management reviews of physical security measures shall be conducted annually, as well as whenever facilities or security procedures are significantly modified.
GUIDELINES. Issues addressed in these management reviews should include:
1. security policies and procedures to determine if they are being followed and whether they warrant modification;
2. computer room facilities to determine if security safeguards are adequate; the review should include the space under the raised floor, communication closets, employee break rooms, and storage areas; and,
3. employee badges (if badges are required), to affirm that they are worn at all times.
Plans for new computer facilities or modifications to existing facilities should be reviewed by the Facilities Construction & Space Management Division of the General Services Commission (GSC). That office may be contacted for a preliminary consultation. Plans for installing critical computing assets such as telecommunications or optical scanning equipment, which often are not housed in the computer room itself, should also be reviewed by the GSC.
GUIDELINES. Security factors to be considered with respect to the location of information management facilities include:
1. Location of the computer installation in relation to its source of electrical power. Preferably, the computer installation should be located with access to two power substations. Access to power from two substations will decrease the need for an uninterrupted power supply.
2. The geography of the area chosen for the computer center. Computer facilities should not be located near flood plains, fault lines, highway accesses, railroads, and aircraft flight paths.
3. The social nature of the surrounding area. Many computer installations are round-the-clock operations with staff coming and going at odd hours. The safety of personnel should always be a prime requisite.
4. The building grounds. The area around the building and parking lots should be well lighted and clear of shrubbery that could be used for concealment.
5. The computer facility should have surveillance equipment to monitor entrances and exits.
GUIDELINES. General security guidelines with respect to the building within which the information management facility is housed include:
1. If possible, the computer room should be located above the first floor of the building. Computer installations should not be located in the basement or first floor of a building. The likelihood of water damage (from broken water lines, floods, or fire fighting) and theft is greater in basement and first floor locations.
2. Kitchen facilities should be located on floors above, but not directly over, the computer installation to minimize water, smoke, and fire damage.
3. There should be no signs which indicate the location of the computing facility.
4. The computer room should not be adjacent to an exterior building wall. A buffer zone (typically in the form of interior office space) between the computer room installation and outer building walls should be provided.
5. Computer room facilities should be equipped with adequate communications capabilities to ensure prompt detection and reporting of emergency conditions.
Access to computers and telecommunications devices must be restricted to authorized personnel. Access can be limited to authorized personnel through the use of passwords, user identification codes, terminal locks, or locked rooms. Visits to a computing facility should be permitted only under the supervision of agency personnel. Access and movement of all personnel who are not employees of the agency should be controlled. Service personnel, telephone repair persons, and delivery personnel are not employees of the agency and should be escorted by agency staff at all times.
STANDARD. Physical access to central computer rooms shall be restricted to only authorized personnel. Authorized visitors shall be recorded and supervised.
1. Visitors should be required to sign a register log containing such information as name, time in, time out, and person to be seen, in order to gain entry to the facility.
2. Visitors should be escorted to and from their destination by a facility employee.
3. Agency personnel and visitors should carry identification badges. A system should be in effect wherein employees and authorized visitors are issued badges and are required to wear them in plain view at all times.
4. Items such as packages, briefcases, and tool boxes carried into or removed from a computing facility should be inspected. When feasible, such items should be retained at the control point.
5. Visitors should not be issued keys or given lock combinations. Should a visitor or unauthorized employee require access to a locked area, an authorized employee of the agency should unlock and then lock the area.
6. Loading docks should have the same level of security as any other entrance to the computing facility.
7. Employees should be required to give prior notification to management to gain entry to the computing facility during the employee's non-scheduled working hours.
8. Access to tape, disk, and documentation libraries should be restricted exclusively to those employees whose responsibility is the maintenance of those libraries.
9. Authorized vendor support personnel should provide a letter on the company letterhead stating that the person is an employee of the company and assigned to work with the agency. The company should submit a revised authorization letter each time a new employee is added as support to the facility or has a change in assignment. Support personnel should be restricted to the area of the facility in which their services are required.
10. Measures should be implemented to prevent and detect attempts to disrupt operations or to enter or depart from restricted areas in an unauthorized manner. Responsibility should be clearly assigned for timely and effective response to such attempts.
11. Entrances to areas of the highest sensitivity or criticality should be monitored using closed circuit television or automated systems or should be protected by guard. Some combination of these is preferable to relying wholly on one technique.
12. Card or badge access systems and man traps should be installed in large central computer rooms. Some card or badge access control systems have a feature which prevents their sharing such as requiring an exit before re-entry.
13. Identification badges should contain only photographs, badge numbers, and sufficient information to associate them with their owner. Badges should contain no facility identification or address to which the badges will permit access. Procedures should require that they be worn at all times in computer operations areas.
14. Computer operations personnel should be instructed in actions to be taken upon discovery of an individual without a badge or of a badge without an individual.
15. Physical access controls may be enhanced by biometric verification systems, such as those designed for palm print recognition, fingerprint matching, or retinal scanning. Systems which automatically test an individual's signature dynamics are also gaining acceptance.
16. Guards or alarmed doors, or both, should be used to protect facilities during off-hours.
17. A manager should notify the appropriate security section immediately when a person is no longer allowed access to the computer facility or when such action is impending.
18. Controls applicable to central computer rooms should be considered for facilities containing other sizeable collections of information resources, such as minicomputers or large concentrations of microcomputers.
1. Printed paper stock or special forms that require a long lead time for re-order and other critical supplies should be controlled to ensure that they are available when needed.
2. Preprinted check stock should be stored in a vault. Stock should be inventoried on a periodic basis and controls placed on disbursement.
3. For compliance with the agency's Operational Recovery Plan, it may be necessary to maintain a reasonable supply of printed paper stock, check stock, special forms, and other critical supplies at an off-site location. The decision would be based upon the time that would be required to replenish the supply from a vendor.
1. Fire walls surrounding a computer room should be fire resistant, non- combustible, and rated at 1 hour. All openings in these walls should be 1 hour rated, self closing.
2. Inner walls and ceilings surrounding a tape library should be fire resistant, non-combustible, and rated at 2 hours. Vaults for the storage of library tapes should be rated at 2 hours. All openings in these walls should be 90-minutes rated, self closing.
3. All perimeter walls and fire walls should extend from the structural floor to the structural ceiling.
4. Computer rooms should be equipped with riot doors, fire doors, or other doors that are resistant to forcible entry.
5. Computer room floor, covering, ceiling, decorative, and construction materials should have a flame-spread rating of 25 or less. Floor coverings should be static free.
6. The power room should be constructed minimally at or above the first floor level. This room should contain all environmental control warnings. This room should be isolated from all water sources. The power room should have monitoring panels located in the centrally staffed area.
7. To contain paper dust, printing equipment should be enclosed in a walled area with a negative air pressure relative to the computer room.
8. Water or sewage lines should be eliminated from the ceiling in the computer room.
9. Areas beneath the subfloor should have drainage capability or other means to remove liquids.
10. Floors on which equipment and supplies are to be located should be rated at sufficient load carrying capacity. Load carrying capacity is particularly important if large quantities of paper stock are to be stored in the area.
11. If conditions require that critical computing resources be housed below areas that normally contain liquids (kitchens, rest rooms, etc.), give consideration to the construction of a water collection and drain system or a second roof.
1. Electrical power to supply computer room equipment, lighting, utility outlets, and air conditioning should be isolated from all other building electrical loads. The electrical power supply to the computer itself should be isolated from other building and computer room circuits.
2. Electrical power should be supplied to the computer room directly from the building's main distribution panel.
3. Electrical power distribution units should be used for power distribution in the computer room.
4. Circuit breaker panels for lighting, utility outlets, emergency lights, etc., should be located in the computer room.
5. Emergency Off Power switches should be provided in accessible locations within the computer room and at each exit.
6. Automated Emergency Off Power circuits should be integrated into the fire detection control panel to shut down electrical power to all computer equipment and the environmental system, and to automatically close vents and drains in the event of an emergency.
7. Electrical power isolation equipment should be installed to eliminate power transients.
8. Uninterruptable power systems should be installed in computer facilities that process data that is critical to public safety or state operations. Consideration of the use of uninterruptable power systems is especially important if the computer facility receives its electrical power from a single electrical power substation or if the electrical power is subject to high voltage spikes or other irregularities.
9. Computer rooms should be equipped with emergency lighting systems.
10. Diesel motor generators should be installed in computer facilities where data processing is critical to public safety or state operations.
One of the major causes of computer downtime is the failure to maintain proper controls over temperature, humidity, air movement, cleanliness, and power. Environmental controls should also provide for safety of personnel.
STANDARD. Employees and information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
1. Personnel safety should be of paramount concern in the design of environmental controls.
2. Critical loads should be provided an alternate source of power independent from the primary source. Alternate power should be immediately switchable to all environmental units essential to continued operation of critical loads.
3. A power management analysis will aid in selecting appropriate power technology. The need for isolation and regulating transformers, line conditioners, motor generators, or uninterrupted power supplies should be explored. Single points of failure should be avoided.
4. The temperature and humidity within a computer facility should be monitored and controlled to ensure that the operational environment conforms to the manufacturer's specifications.
5. Air handler filters should be changed or cleaned on a regular basis.
6. Personal computer equipment should be protected as specified by the system manufacturer.
1. Air conditioning air intakes, whether located in the interior or exterior of the building, should be designed to prevent intake of flames, smoke, soot, dust, fumes, corrosive vapors, or other contaminated air into the computer room.
2. Computer room air conditioning systems should be designed to provide the capability to exhaust contaminated air.
3. Computer room air conditioning systems should be self contained and isolated from other building systems.
4. Computer room air conditioning ducts should be designed to prevent physical access to secured areas.
5. Air conditioning ducts should be equipped with dampers that can be activated by the automated emergency power system.
6. Air conditioning electrical circuits should be shut down by the automated emergency power system.
7. Data processing facilities should provide sufficient reserve air conditioning capacity to allow for short term failures and normal maintenance.
8. All air ducts not serving the computer room should be routed so as not to penetrate the perimeter walls.
STANDARD. Confidential or sensitive information, when handled or processed by terminals, communication switches, and network components outside the central computer room, shall receive the level of protection necessary to ensure its integrity and confidentiality. The required protection may be achieved by physical or logical controls, or a mix thereof.
1. As many system components as possible should be located contiguous to the computer room and accorded the same physical controls. Those components that must be located beyond the computer room controls should be provided the same degree of protection, although different methods of protection may be appropriate.
2. Communication equipment that requires the use of commercial power should be served from the power source that serves the computer room.
3. Communication lines should have their termination point within the computer room.
4. Communication line junctions below the flood level should be waterproofed.
5. Insufficient physical controls for remote system components may be compensated for by strengthened logical controls for gaining access to the information handled by the remote components.
6. Terminals, while unattended, should be protected from unauthorized use. Terminal devices should never be left logged on while unattended.
7. Terminals should be installed where they are not readily accessible to personnel not authorized to use them and should be positioned in such a manner that minimizes unauthorized viewing of the screen. Facing the screen away from doorways and windows will enhance visual protection.
8. Minicomputer systems and distributed processing system CPUs should be maintained in locked spaces when authorized users are not present and capable of monitoring access to the system processor.
1. All access doors to the computer room should be locked using a card-key or combination lock system for entry.
2. Emergency doors should have alarm systems.
3. If entry to the computer facility is to be controlled by security guards, the entry should be through a sally port using double door entry. Release of the locking mechanism should be controlled by a guard.
4. From inside the computer facility, locking devices should not require any special knowledge or effort nor hinder persons from exiting the facility.
5. The computer room facilities should not have windows or viewing ports to a non-secured area.
6. Control points should be maintained so that each entrance to the data processing facility will be guarded and locked at all times.
7. During non-working hours, the facility should be protected against intrusion with appropriate surveillance alarm systems or the use of security guards.
8. Closed circuit television monitoring should be considered for vulnerable areas where it is impractical to establish manual control points.
9. Access to rest rooms, utility rooms, and other unmonitored rooms in the vicinity of the facility should be restricted as necessary to protect the facility.
10. Entry and exit doors should have adequate locking devices. Special consideration should be given to protecting doors that are obscured from view, such as parking lot exits or emergency doors.
11. The security system should include procedures to disable a card-key in case it is lost or stolen.
12. Badges used as entry identification should be changed periodically.
13. Electronically controlled doors should be able to receive power from the building emergency power circuit.
STANDARD. Emergency procedures shall be developed and regularly tested.
1. Procedures should include shut down of equipment, evacuation of secured areas and building, evacuation routes and assembly points, access by emergency personnel to secure areas, and fire drills.
2. Consider the use of colored floor tiles to mark emergency exit paths.
GUIDELINES. Agencies should consider adoption of the National Fire Protection Association Standard 75 (NFPA 75), "Standard for the Protection of Electronic Computer/Data Processing Equipment". This standard sets forth minimum requirements for the protection of electronic computer/data processing equipment from damage by fire or its associated effects, i.e., smoke, corrosion, heat, water.
1. Fire detection and alarm system engineering and design should be in accordance with all state and local building code regulations and be installed by someone duly licensed by the Texas Commission on Fire Protection.
2. Computer facilities, equipment, libraries, and storage areas should be protected with a fire detection system. The fire detection, alarm, and extinguishing equipment should be Underwriter Laboratories, Factory Mutual Research Corporation or National Fire Protection Association approved.
3. Fire detection systems should include ionization, smoke, and/or temperature sensors located under raised floors, in ceilings or dropped ceilings, in attic areas, and in air conditioning ducts.
4. The fire detection alarm system should be linked to an off-site organization for purposes of monitoring the system and dispatching the public safety authority having jurisdiction. Such monitoring stations may be a local fire department, law enforcement agency, building security station or private business.
5. Fire detection systems should have a battery powered backup. The battery should be sufficiently large to maintain the fire detection system in full operation for a period exceeding 24 hours in standby and five minutes in alarm.
6. Control panels for the fire detection system should be located within the computer room. Manual emergency control stations to both engage or abort the fire detection systems should be located in the computer room, library area, and storage areas.
1. Supply rooms and paper storage areas should be protected with an automatic sprinkler system.
2. Portable fire extinguishers should be provided. Water or dry chemical extinguishers should be used in areas protected with sprinkler systems or in storage areas. The location of each fire extinguisher should be clearly marked.
3. Fire suppression systems should have the capability to automatically shut off electrical and environmental equipment and close vents and drains.
State agencies that plan to build new (or modify existing) computer facilities should consider installing dry stand pipe water sprinkler systems and not a halon-based fire suppression system. For information about water sprinklers and their use as a fire suppression device for computer facilities, refer to Datapro Research Corporation's Datapro Reports On Information Security, Volume 1, Physical Security (IS 40-49), Designing the Computer Room for Security, page IS40-050- 108, January, 1986.
The U.S. Environmental Protection Agency (EPA) has announced that it expects to require a 100 percent phaseout of halon in the United States. Halon is the chemical used in fire suppression equipment for many computer facilities. The phaseout is planned due to concerns that halon contributes to the depletion of the earth's protective ozone layer. While the phase-out is expected to occur over a ten year period, The EPA has not yet announced specific regulatory actions or a timetable for the phaseout.
1. Adequate drainage should be provided under raised floors. Water can collect in these areas from pipes that have burst in the ceiling or from any of the floors above.
2. Ensure that drainage pipes from the roof are regularly cleared of debris. Failure to clean drainage pipes can result in the roof collapsing.
3. Do not locate equipment or tape libraries in the basement of a building. Basements are natural collection areas for water.
4. Maintain plastic sheets that can be used to cover equipment, magnetic tape, and critical forms. Suppression of a fire on upper floors can result in water damage on lower floors.
5. Moisture detection sensors and alarms should be installed under raised floors.
6. Floor plans indicating shut off valves for all water systems should be available. Computer room managers should be aware of all water valves within the secured area.
1. The computer room should not be used as a temporary storage room or warehouse. All supplies, other than those needed for the current day's work, should be stored outside the computer room to reduce the possibility of injury, fire hazard, and pollutant problems.
2. Trash accumulation should be avoided. Waste baskets should be emptied outside the computer room to reduce dust.
3. Equipment, floors, and work surfaces should be regularly cleaned.
4. The area under the raised floor should be cleaned at least once a year.
5. Food or beverages should not be allowed in the computer facility.
6. Smoking should not be permitted in the computer facility.