The IT department must be in control of changing the combination (periodically or whenever an employee leaves the organization) and designating someone to be responsible for deciding who is authorized for the combination and subsequent access. The ironic element in choosing a combination lock over a key lock is that a combination is duplicated much more easily than a key.
The most important advantages and disadvantages to combination locks are shown in Exhibit 8-3.
Advantages | Disadvantages |
---|---|
Relatively low cost | Changing combinations periodically or when someone leaves |
Readily available | Risk of malfunction (although a manual override is often built into the lock) |
Combination is usually simple enough to remember | No ability to know who accesses the area being secured |
Some locks may be able to lock out any access after too many unsuccessful attempts | Combinations can be easily duplicated |
Magnetic or Electronic Locks. Magnetic and electronic locks are the most sophisticated and practical alternative. These locks also represent the first opportunity for the enterprise to determine who is unlocking the door and entering the authorized personnel area. This improved control is made possible because these locks are usually opened by a card that may have any one of the following characteristics:
In every instance, the card is unique and identifies to the system who is entering based on which card is being activated. Of course, the enterprise likes to think that it knows who is entering but, unless there is a camera or a guard on duty, the system cannot determine who is holding the card and actually gaining access to the secured area. The compensation for this continuing inability to ensure that the enterprise knows in advance who is entering is twofold: responsibility and event identification. In this situation, responsibility means that each user must be responsible for his or her card, such that anything that happens in association with that card is the responsibility of that person. However, assigning this responsibility does not make these cards a 100 percent reliable control. Event identification means that the enterprise can know when an access attempt is made and initiate a secondary response, such as having a fixed camera take a picture of the entrance or a fixed video camera record a few moments to capture the entry activity. The secondary response is possible because the system takes the card coding and checks it in real time against the access database, returning either the signal to open the door or the signal not to open the door and to trigger the red light or other mechanism indicating that access is being denied (if that feature is available or enabled).
The significant advantages and disadvantages to using magnetic or electronic locks are summarized in Exhibit 8-4.
Advantages | Disadvantages |
---|---|
Locks do not require changing unless there is a personnel change, and then the change is usually only logical and made through a terminal | Relatively high cost |
Lock management system can track who accesses secured areas along with the time and date of each access | Identification still not assured |
Secondary security responses can be activated based on entry system activity | |
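The real-time check, the open/deny signal, the secondary response, and the logical revocation on a personnel change described above, modelled as a small simulated card-lock controller. This is an added illustration, not code from the original text; the card identifiers, door names, and the `camera_snapshot` response label are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class AccessEvent:
    """One entry in the lock management log (which card, where, when, result)."""
    card_id: str
    door: str
    granted: bool
    timestamp: datetime
    secondary_response: str


class DoorController:
    """Simulated card-lock controller: each swipe is checked in real time
    against the access database and every attempt is logged."""

    def __init__(self, access_db: Dict[str, Set[str]]):
        # access_db maps a card id to the doors that card may open (constructed data)
        self.access_db = access_db
        self.events: List[AccessEvent] = []

    def swipe(self, card_id: str, door: str, now: datetime) -> bool:
        granted = door in self.access_db.get(card_id, set())
        # A fixed camera snapshot on every attempt records who actually held the card;
        # a denied attempt additionally lights the "access denied" indicator.
        response = "camera_snapshot" if granted else "camera_snapshot+deny_light"
        self.events.append(AccessEvent(card_id, door, granted, now, response))
        return granted

    def revoke(self, card_id: str) -> None:
        # Personnel change: a logical change made through the terminal, no rekeying
        self.access_db.pop(card_id, None)

    def attempts_by(self, card_id: str) -> List[AccessEvent]:
        # The audit trail the text calls event identification, filtered per card
        return [e for e in self.events if e.card_id == card_id]


def run_scenario() -> DoorController:
    """Constructed scenario: one authorized card, one unauthorized card, one revocation."""
    ctrl = DoorController({"card-1001": {"data-center"}, "card-1002": {"lobby"}})
    t0 = datetime(2024, 1, 15, 8, 0)
    ctrl.swipe("card-1001", "data-center", t0)                          # granted
    ctrl.swipe("card-1002", "data-center", t0 + timedelta(minutes=1))   # denied
    ctrl.revoke("card-1001")                                            # employee leaves
    ctrl.swipe("card-1001", "data-center", t0 + timedelta(hours=1))     # denied after revocation
    return ctrl
```

The log produced by `run_scenario()` shows what an auditor can and cannot learn from the system: the card, door, time and result of each attempt are recorded, but nothing in the record proves who was holding the card.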
Many data centers have windows. The windows may open to an interior area, to the outside, or both. Typically, the windows are present for one of the following three reasons.
Corresponding reasons exist to place the computer in a room that does not have any windows, interior or exterior.
The IT auditor is likely to encounter windows in the majority of data centers where physical security is being evaluated. The first task is to understand what risks are relevant for the data center under review. The primary risks to consider are:
Although these may not seem like common occurrences, not many of the security risks addressed by effective general controls are frequent events. This is clearly one of the areas in which the IT auditor should work to ensure that effective controls are in place, because these controls will not require maintenance or follow-up. They will simply be in place, working to reduce or eliminate risk at all times.
If the IT auditor does not believe that these issues should be addressed, or if there is a resistance from the customer, consider the following events.