Equipment siting and protection
Equipment should be sited and protected to prevent threats from environmental contamination, damage, theft or tampering.
It should be sited to reduce unnecessary access to work areas or viewing of processing facilities. The weakest area is people working within server rooms / data centres. Storage areas should be secured – particularly when they contain information rather than simply goods.
Guidelines should be established for eating, drinking and smoking near equipment to prevent damage and/or loitering. Environmental conditions should be managed in accordance with manufacturers' guidance on operating conditions to prevent failures/outages, particularly around server cabinets/comms equipment.
Safeguards should be applied to protect against electrical damage – lightning conductors / smoothed power supplies removing the risk of power spikes.
Processing and media storing equipment should not be sited in proximity to anything that could interfere with it by way of electromagnetic or radiological emissions. (Don’t store a server next to an x-ray machine!)
One of the most overlooked areas in a small to medium sized business (often because it is expensive) is continuity of utilities. As part of your risk assessment, think about how you will continue in the event of power failure (generators with supporting fuel in the event of an extended outage), communications failure, or loss of heat, light, gas, water, air conditioning or dehumidifying, or simply when, as a growing business, you need more of any of these things than can be delivered.
These connections should be inspected and alarmed where appropriate and, if considered necessary, multiple redundant feeds with diverse routing (particularly with power and comms) from different providers can be beneficial.
Emergency switches should be in place to cut off utilities where required.
Power and communications cabling should be protected and monitored against interference or damage. Cables should be underground up to the point of presentation within the facility, or otherwise subject to other protection. Power cables should be segregated from communications cables to prevent interference. Points of presentation should be secured as appropriate and cables should be shielded. Consideration should be given to technical sweeps of communication cables for devices (bugs and sniffers) attached to cabling. Cabling around server rooms / data centres should be isolated and secure to prevent the same.
This is not mentioned in the standard, but before attempting to maintain a piece of equipment, a specific risk assessment should take place to ensure any outage will not affect business processing or information security. Maintenance can be particularly disruptive when maintaining / upgrading a switch / router.
Only authorised personnel should maintain critical equipment and records should be maintained. This should comply with any insurance policies in place. Testing prior to and during reinstatement should allow for tamper checking.
Removal of assets
Equipment, software or information should not be taken off site unless authorised. Time limits should be set and verified to ensure nothing goes missing. Spot checks could be considered to detect unauthorised removal but this should be within the law.
Security of assets off site
Maintain a log of custody of any assets leaving site and conduct risk assessments for off site locations. This is covered earlier in the standard under mobile devices and teleworking.
Secure disposal or re-use of equipment
For equipment previously used to store or process information, ensure the information has been removed (destroyed/deleted/overwritten) prior to release. It should be known that a standard delete/format function will almost never completely remove information from storage media.
Damaged equipment should be subjected to a risk assessment.
Whole disk encryption could be considered prior to release provided it covers the whole disk and the keys are secure and strong enough to prevent recovery.
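The point above that a standard delete/format leaves information on the media can be checked on a disk image before release. The following Python is an added example, not part of the original article; the one-sector directory layout, file names and file contents are constructed for illustration, and find_residue() works on any binary file object.

```python
import io

SECTOR = 512
DIR_SECTORS = 1  # assumption: sector 0 holds the toy "directory" (index of files)

def build_image(files, total_sectors=16):
    """Constructed sample image: directory in sector 0, one sector per file after it."""
    img = bytearray(SECTOR * total_sectors)
    entries = []
    for n, (name, data) in enumerate(files.items(), start=DIR_SECTORS):
        img[n * SECTOR:n * SECTOR + len(data)] = data
        entries.append(f"{name}:{n}:{len(data)}")
    directory = "\n".join(entries).encode()
    img[:len(directory)] = directory
    return io.BytesIO(bytes(img))

def quick_format(stream):
    """What a standard delete/format does: clear the index, leave the data sectors."""
    stream.seek(0)
    stream.write(bytes(SECTOR * DIR_SECTORS))

def overwrite(stream):
    """Overwrite every sector of the image with zeros."""
    size = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    for off in range(0, size, SECTOR):
        stream.write(bytes(min(SECTOR, size - off)))

def find_residue(stream):
    """Return the numbers of the sectors that still contain any non-zero byte."""
    stream.seek(0)
    dirty, n = [], 0
    while chunk := stream.read(SECTOR):
        if any(chunk):
            dirty.append(n)
        n += 1
    return dirty

def demo():
    img = build_image({"payroll.csv": b"name,salary\nA. Example,42000\n",
                       "notes.txt": b"door code 0000 (constructed)"})
    quick_format(img)
    after_format = find_residue(img)             # data sectors survive the format
    recoverable = b"A. Example" in img.getvalue()
    overwrite(img)
    return after_format, recoverable, find_residue(img)

if __name__ == "__main__":
    print(demo())
```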
Unattended user equipment
Users should not leave sessions open or equipment unattended. As well as screen locking procedures, application and network sessions should be logged out when connections are unused. This should apply to mobile devices as well as hard wired equipment.
Clear desk / clear screen policy
This is one of the most easily recognised security policies as it applies to all people across all organisations. Screens should not display information when not in use and desks should be clear of papers when not in use or unattended. Depending on the classification of paper documents and the culture of the organisation, paper and removable media should be secured as per policy when not in use.
Risk assessments should consider the availability and use of reproduction technologies – printers, copiers, scanners and cameras (particularly in phones).
Printers can be set so that only the originator can access copies once a code has been entered at the machine to prevent unauthorised access.