Previous Table of Contents Next


The IT department must be in control of changing the combination (periodically or whenever an employee leaves the organization) and designating someone to be responsible for deciding who is authorized for the combination and subsequent access. The ironic element in choosing a combination lock over a key lock is that a combination is duplicated much more easily than a key.

The most important advantages and disadvantages to combination locks are shown in Exhibit 8-3.

Exhibit 8-3. Evaluation of Mechanical Combination Locks
Advantages Disadvantages
Relatively low cost
Readily available
Combination is usually simple enough to remember
Some locks may be able to lock out any access after too many unsuccessful attempts
Changing combinations periodically or when someone leaves
Risk of malfunction (although a manual override is often built into lock)
No ability to know who accesses the area being secured
Combinations can be easily duplicated

Magnetic or Electronic Locks. Magnetic and electronic locks are the most sophisticated and practical alternative. These locks also represent the first opportunity for the enterprise to determine who is unlocking the door and entering the authorized personnel area. This improved control is made possible because these locks are usually opened by a card that may have any one of the following characteristics:

  Visible magnetic strip
  Invisible magnetic or chemical strip
  Embedded microchip or transmitter
  Visible magnetic strip
  Invisible magnetic or chemical strip
  Embedded microchip or transmitter

In every instance, the card is unique and identifies to the system who is entering based on which card is being activated. Of course, the enterprise likes to think that it knows who is entering but, unless there is a camera or a guard on duty, the system cannot determine who is holding the card and actually gaining access to the secured area. The compensation for this continuing inability to ensure that the enterprise knows in advance who is entering is twofold: responsibility and event identification. In this situation, responsibility means that each user must be responsible for his or her card such that anything that happens associated with that card is the responsibility of that person. However, assigning this responsibility does not make these cards a 100 percent reliable control. Event identification means that the enterprise can know when an access attempt is made and initiate a secondary response, such as having a fixed camera take a picture of the entrance or a fixed video camera tape a few moments to capture the entry activity. The system makes a secondary response possible because the system takes the card coding and checks it in realtime against the access database, returning either the signal to open the door or the signal not to open the door and to trigger the red light or other mechanism indicating that access is being denied (if that feature is available or enabled).

Exhibit 8-4. Evaluation of Electronic and Magnetic Locks
Advantages Disadvantages
Locks do not require changing unless there is a personnel change, and then the change is usually only logical and made through a terminal
Lock management system can track who accesses secured areas along with the time and date of each access
Secondary security responses can be activated based on entry system activity
Relatively high cost Identification still not assured

The significant advantages and disadvantages to using magnetic or electronic locks are summarized in Exhibit 8-4.

WINDOWS

Many data centers have windows. The windows may open to an interior area, to the outside, or both. Typically, the windows are present because of one of the following three reasons.

  The computer was placed in a room that already had windows.
  The windows were designed for the data center room to provide light for employees working in that area.
  The windows were put in the data center room to display the equipment to customers and employees.

Corresponding reasons exist to place the computer in a room that does not have any windows, interior or exterior.

  What someone cannot see, he or she may not think to damage.
  The computer and its operators do not need exterior light or a view for job satisfaction or performance.
  The windows may be the weakest link in the data center construction.

The IT auditor is likely to encounter windows in the majority of data centers where physical security is being evaluated. The first task is to understand what risks are relevant for the data center under review. The primary risks to consider are:

  the hardware damage after someone enters the room or uses the window to get a foreign object into the room
  the theft of computer hardware that may be salable on the black market
  access to the computer by someone who wants to do something that is not possible from a terminal

Although these may not seem like common occurrences, not many of the security risks addressed by effective general controls are frequent events. This is clearly one of the areas in which the IT auditor should work to ensure that effective controls are in place because the controls will not require maintenance or followup. These controls will simply be in place, working to reduce or eliminate risk at all times.

If the IT auditor does not believe that these issues should be addressed, or if there is a resistance from the customer, consider the following events.

  During an extended strike, one frustrated union member prepared a Molotov cocktail and threw it at the window through which a computer that the member believed belonged to the employer could be seen. The explosive device went through the plate-glass window and landed on the data center floor of the company adjacent to the employer of the disgruntled employee.
  During a wildcat strike at a Midwest employer, someone fired a shot into the data center through the wire-reinforced glass in an attempt, it is believed, to damage the computer. No one was injured, and there was so little damage to the glass that it was not replaced. Management left the punctured glass in place as a testament to what could, but should not, happen in such a situation. It was never determined if one of the strikers or someone else fired the shot.
  An employer in the Southwest had personal computers being serviced stored in the data center. The room was not in use after the end of the day Friday until early Monday morning. Over one weekend, someone broke the plate-glass window and stole the personal computers. The good news was that the thief or thieves did not recognize that a brand-new midrange computer that could be the server for a network, valued at more than $200,000, was still in the box adjacent to where the personal computers were located.


Previous Table of Contents Next