Controls over physical security should ensure that only authorized access is permitted to computer hardware, peripheral devices, and any other equipment that may indirectly affect the operation of the computer hardware. Controls should also ensure that the physical risks to the equipment have been addressed, whether the appropriate managers have chosen to eliminate the risk, compensate for the risk at some intermediate level, or accept the risk in the normal course of doing business.
The room used to house the computer should be designed and built consistently with the hardware to be placed there and the risks relevant in the particular circumstances of that installation. These circumstances include the size of the computer; requirements for electricity, cooling, and other utilities; and the number of people expected to attend to that hardware. The range of potential issues is covered item by item in the text.
Many of these items are predicated on the belief that the computer should be kept in a separate area, whether the computer is a mainframe, midrange, or microcomputer. This may seem excessive, particularly when the central computer is a microcomputer, but under any circumstances, if the central computer is an integral part of the business activity, it should at least be protected from accidental harm.
Having transaction processing interrupted simply because someone carrying a box or other package ended up stumbling into the data center and damaging the computer could prove embarrassing to the person responsible for the computer, let alone the individuals responsible for the business.
The data center should be physically separated from other areas of the building by making it a separate fire zone. This generally means that the construction is floor-to-ceiling concrete block and that any wires, conduits, or other through-the-wall items have been plugged with a fire-resistant material. The objective is to prevent or significantly slow the progress of a fire or other physical event from outside the data center or vice versa. The building code in any particular state, county, or municipality is the source of more specific requirements.
Data center door locks are important because the lock should provide for all appropriate security, and the incorrect lock will most often result in the door being propped or left open. If the door lock causes the door to be left open, the control objectives have been compromised, and the organization has to be concerned not only with individual noncompliance, but also with institutional noncompliance.
In selecting the appropriate door lock, or evaluating one already installed, the difference between the risk from internal and external sources should be considered. If the risk is only from an outside agency, it is reasonable to use a lock that would be used only during those times when no one was present in the data center. If a risk also exists from insiders, it is normal to use a lock that is always in service.
A risk-based decision process is illustrated in Exhibit 8-1. This may appear overly complicated for deciding what type of door lock is required, but it allows us to easily see how risk assessment plays an important role in control-based decision support situations.
Regardless of the type of lock used, the IT auditor should consider that:
Types of Door Locks
The three types of locks commonly available today are: key-operated locks, combination locks, and magnetic or electronic locks. How they work and their advantages and disadvantages are discussed in the following paragraphs.
Key Locks. Key-operated locks can range from simple, single knob locks found in most homes to the laminated deadbolt style more often used to lock double doors at the entrance to a business. Many of these locks have keys that can be duplicated for almost no cost at any hardware store or convenience store. Even those keys stamped DO NOT DUPLICATE are so stamped because they can be duplicated. That message is supposed to prevent scrupulous persons from making copies; it does little to deter the unscrupulous.
Exhibit 8-1. Risk-Based Decision Support Process
Other keys have special beveled ridges that standard key duplicating machines cannot copy. The number of machines capable of copying these keys is far smaller than the number of standard machines, and they are not normally available to the general public. This may deter the person who would copy the key just because he or she was curious or for a prank, but it would not stop someone determined to copy the key to gain unauthorized access to a data center. Such a person could make a copy of the key on a standard machine, which would produce the necessary peaks and valleys, but would then have to bevel each one manually. This is difficult to do, but certainly not impossible.
Key locks should also protect against a credit card or other stiff object being used to depress the lock plunger and thus open the door. The construction of the door and the door frame should also be consistent with the lock. If the lock is the best in the world, but the door or the frame is easily compromised, little security exists. Exhibit 8-2 compares the advantages and the disadvantages of key locks.
Advantages | Disadvantages |
---|---|
Low cost | Recording and tracking keys |
Readily available | Keys can be duplicated without authorization |
Low risk of failure or malfunction | Lower cost locks may be easily compromised |
 | No ability to know who accesses the area being secured |
Combination Locks. Combination locks may be manual or electronic. The core idea is that a combination is used to enter instead of a physical object, like a key. Combination locks generally can be opened only by a single combination. Thus, everyone authorized for access has the same key, and the identification issues associated with key locks are also relevant here.
Certain combination locks may have more than one combination, but those would be the exception rather than the rule. Other combination locks may be attached to a system that records access and attempts. These locks are discussed in the following section.
The IT auditor should develop a list of common combinations based on the type of locks employed within the organization, or at least at specific sites, so that during audit and review procedures those standard combinations can be attempted to evaluate the difficulty of the combination chosen. The auditor should also be aware of standard combinations. For example, one common combination lock, with five vertical buttons, is always shipped from the factory with the same combination. The manual and instructions that come with the lock indicate that the first action to take after installing the lock is to change the combination. This is not always done, and being able to walk up to that lock and open it with that combination is an attention-getter.
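The review step described above can be run against the custodian's combination records instead of at the door. The following sketch is an added example, not part of the original text; the lock models, factory defaults, doors, and site numbers are constructed placeholders, and numeric combinations are assumed.

```python
"""Grade recorded lock combinations against an auditor's common-combination list."""

# Constructed placeholders, not real vendor values: take the actual factory
# defaults from the manuals of the lock models installed at the site.
FACTORY_DEFAULTS = {"DEMO-A": "7391", "DEMO-B": "6028"}

def is_repeated(combo):
    """True when every position holds the same digit, e.g. 5555."""
    return len(combo) > 1 and len(set(combo)) == 1

def is_run(combo):
    """True for a strictly ascending or descending run, e.g. 4567 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(combo, combo[1:])}
    return steps in ({1}, {-1})

def weaknesses(lock):
    """Return the reasons a recorded combination is on the common list."""
    combo = lock["combination"]
    if not combo.isdigit():
        raise ValueError(f"{lock['door']}: numeric combination expected")
    found = []
    if combo == FACTORY_DEFAULTS.get(lock["model"]):
        found.append("factory default never changed")
    if is_repeated(combo):
        found.append("single repeated digit")
    if is_run(combo):
        found.append("ascending or descending run")
    # Room, street, or extension numbers embedded in the combination.
    if any(n in combo for n in lock.get("site_numbers", [])):
        found.append("contains a site number")
    return found

def audit(locks):
    """Map each door with a weak combination to its findings."""
    report = {lock["door"]: weaknesses(lock) for lock in locks}
    return {door: found for door, found in report.items() if found}

# Constructed inventory, as an auditor might transcribe it from custodian records.
INVENTORY = [
    {"door": "DC-1 main", "model": "DEMO-A", "combination": "7391"},
    {"door": "DC-1 rear", "model": "DEMO-A", "combination": "4567"},
    {"door": "Tape vault", "model": "DEMO-B", "combination": "2104", "site_numbers": ["210"]},
    {"door": "UPS room", "model": "DEMO-B", "combination": "5555"},
    {"door": "Wiring closet", "model": "DEMO-B", "combination": "8206", "site_numbers": ["114"]},
]

if __name__ == "__main__":
    for door, found in audit(INVENTORY).items():
        print(f"{door}: {'; '.join(found)}")
```

Because the input file holds live combinations, it deserves the same handling as the key records themselves.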