CPP121f CPIT ICT Security Physical and Environmental Security Standard v2 3

This document outlines physical and environmental security standards for Christchurch Polytechnic Institute of Technology's (CPIT) Information Communication Technology (ICT) secure facilities. It addresses standards for physical access, visitor access, facility security, power supply, and protection from fire, flood and cooling issues. The standards are designed to restrict unauthorized access to ICT facilities, protect critical equipment, and ensure a reliable environment for ICT operations through measures like access control, intruder alarms, UPS systems, and appropriate climate controls. The document provides guidance for securing current and future ICT facilities at CPIT.

Uploaded by

ZL2ABV

CPIT Corporate Services Division: ICT

Christchurch Polytechnic Institute of Technology
Physical and Environmental Security Standard
Corporate Policies & Procedures
Section 1: General Administration Document CPP121f

Information Communication Technology Division

Security Standard, aligned with AS/NZS ISO/IEC 27001: 2006 for Information Security Management

Principles
Security Policy
Security Standards
Guidelines and Procedures
Contents

INTRODUCTION

PHYSICAL ICT SECURE FACILITIES STANDARDS
2.1 Physical Access Standards
2.2 Visitor Access Standards
2.3 ICT Secure Facilities Standards

ENVIRONMENTAL SECURE ICT FACILITY STANDARDS
3.1 Power Supply
3.2 Fire, Flood and Cooling Protection

Physical and Environmental Security Standard


Purpose: This Standard defines the recommended security practices to protect, monitor and maintain the ICT operational environment and ICT Secure Facilities. This standard applies to all CPIT ICT Secure Facilities, regardless of size and location.

Authorised By: ICT Director

Document Owner: Technology Manager

Date of Issue: 15 March 2012

Review date: November 2014

Version: 2.3

References: This document should be read in conjunction with the ICT Security Policy. In addition it should be read in conjunction with the following ICT Security Standards:
1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Communications and Operations Management Security Standard
4. Access Control Security Standard
5. Information Systems Acquisition, Development and Maintenance Security Standard

INTRODUCTION

Physical and Environmental Security refers to the protection of ICT Secure Facilities and equipment from theft, natural disaster, accidental damage and environmental changes in power or cooling.

ICT Secure Facilities typically house computer equipment and communication equipment that are critical for delivering the ICT service; it is therefore important that these facilities have a reliable power supply, appropriate climate control and preventative monitoring in place.

Access to ICT Secure Facilities needs to be restricted and monitored to ensure that only authorised personnel access the facilities. Finally, ICT staff should follow best practices to monitor and maintain the ICT services within an ICT facility.

These Security Standards recommend the security measures that the Institution needs to consider to protect the physical ICT Secure Facilities and maintain the environmental conditions to support an ICT operation.

The following topics are covered:

Physical Access: Standards to control access to ICT Secure Facilities and particularly record visitor access to ICT Secure Facilities.

ICT Secure Facilities: Standards to maintain the security of the secure ICT facility and mitigate the risk of unauthorised access.

Environmental Standards: Standards to protect ICT Secure Facilities and equipment against environmental changes in power, cooling or flooding. Without the right level of protection, ICT services are at risk and the likelihood of a service being unavailable, following a change in the environmental conditions, increases.

PHYSICAL ICT SECURE FACILITIES STANDARDS

The purpose of this section is to ensure that CPIT ICT Secure Facilities are appropriately protected
and secured through access control.

2.1 Physical Access Standards

Physical access to ICT Secure Facilities should be restricted to authorised individuals, backed with suitable mechanisms to record and monitor visitors to the facility.

Access to ICT Secure Facilities should include the following controls:

• Access to ICT Secure Facilities should be granted only to those ICT staff or contractors whose job responsibilities require access to the facility.
• The process for authorising card and/or key access to ICT Secure Facilities must include approval by the Infrastructure Manager or ICT Director.
• Access cards or keys to the secure ICT facility should not be shared or loaned to others.
• All access must be notified to and authorised by the Infrastructure Manager or ICT Director.
• Access to hosted services is controlled via the hosting company's access policies and procedures which will be periodically audited by the ICT Director.

2.2 Visitor Access Standards

Visitors to the ICT Secure Facilities should comply with the following security controls:

• All access must be authorised by the Infrastructure Manager or ICT Director and allocated appropriate 'visitor' identification.
• Visitors are only permitted access for defined and authorised purposes.
• Visitors must be appropriately supervised at all times as defined by the Infrastructure Manager or ICT Director.
• Visitors must comply with the Institution's Health and Safety Policy CPP501.

Why worry?
It is important to safeguard ICT Secure Facilities and ensure you know who has access to these facilities. It can be too easy sometimes to walk into a secure ICT facility without being challenged. The standards recommend the following:

• when in a restricted area, challenge those who you don't know
• keep doors closed into restricted areas
• when a visitor arrives, check identification, and make them sign in and out

2.3 ICT Secure Facilities Standards

ICT Secure Facilities need to be constructed and monitored to maintain a high level of security. A secure ICT facility typically contains CPIT sensitive information, financial information and user data or provides services essential to the operations of the Institution. Hence, these facilities must be protected well and have appropriate security standards followed.

The following measures need to be considered as best practice to protect all current and future ICT facilities at CPIT. These best practices also apply to any other location that is used to host CPIT's ICT equipment:

• Physically secure all ICT Secure Facilities.

• ICT Secure Facilities are to be located away from public thoroughfares when practicable. Location signs are to be kept to a minimum.
• No doors or windows should be externally accessible to reduce the risk of unauthorised access. If windows are present they should be blocked so it is not possible to see in and ideally they should have security bars fitted to prevent access.
• ICT Secure Facilities are to be located as centrally as possible within a building, to minimise the risk of damage or break-ins.
• Intruder alarms that are monitored (ideally 24 hours a day, all year round) should be used to detect unauthorised access.
• A fire-proof safe should be available to store sensitive information and backup media. This may be off-site.

Today and the Future.
These security best practices are designed to protect against unauthorised access to CPIT ICT facilities. They are designed to provide guidance on how current and future ICT facilities need to be built, operated and controlled. A set of best practices for today and in the future.

ENVIRONMENTAL SECURE ICT FACILITY STANDARDS

ICT Secure Facilities and equipment should be protected against environmental changes in power, cooling or flooding. Without the right level of protection, ICT services are at risk and the likelihood of a service being unavailable, following a change in the environmental conditions, increases.

Once an appropriate level of power and cooling protection has been established, these systems require regular review to ensure they function as expected and they meet the needs of CPIT.

3.1 Power Supply

The objective is to establish a reliable power supply for computer installations to prevent disruption to services.

Measures to consider include:

• Placement of infrastructure within a tier 3 external data centre environment.
• Segregating power cables away from communications cables to limit the potential of interference.
• Clearly mark power cables so they can be identified appropriately.
• Locate power cables away from foot traffic to minimise ICT staff tripping or knocking power cables out of ICT equipment.
• Termination points or inspection points must be locked from general access.
• Use uninterruptible power supply (UPS) devices that are:
  o Scaled to provide sufficient power to the ICT Secure Facilities for an agreed period of time required to support the SLAs and deliver the services as determined by the Institution.
  o Monitored to inform ICT staff when UPS power has been engaged.
• Providing ICT support staff, including security staff, with UPS equipment supporting local desktop computers and associated communications infrastructure; this is to allow support/security staff access to servers when the power is out.
• Installation of appropriate backup emergency lighting in case of a mains power failure.

3.2 Fire, Flood and Cooling Protection

ICT Secure Facilities and equipment should be protected against fire, flooding, heat, earthquake and other natural disasters. This is to reduce the risk of ICT services being disrupted and the potential loss of data.

Measures to consider include:

• Locate ICT Secure Facilities in a safe environment with a low risk of fire, flood, explosion or damage from neighbouring activities.
• Ensuring ICT Secure Facilities do not contain intrinsic fire hazards such as paper or chemicals.
• Installation of a fire detection alarm and an approved fire suppression system.
• Installation of fire resistant doors to limit the spread of fire.
• Installation of water monitors to detect the presence of water within the server room; these are to be suitably alarmed.
• Hand-held fire extinguishers available within every server room.

• Locating servers and associated equipment above ground level to minimise risk from flooding.
• Installation of devices and physical infrastructure to control the temperature and humidity of server rooms in accordance with the equipment manufacturer's recommended levels.

This is the end of the Physical and Environmental Security Standard.


This standard is one of six standards that provide advice and guidance on the best practices to
follow when using and accessing ICT services. The other standards are available on the CPIT ICT
intranet.
