Secure Your IT - Part 2: Answering the Right Questions

What are you doing to physically secure your IT investments & data?

Last month we focused on asking the right questions to brainstorm about IT physical security.  This month we answer those questions.  Again, physical security is the basis for all other security measures to prevent theft and destruction.

1.) Secure Room for IT

What critical systems should be stored in a secure room? There are critical systems and general systems. Critical systems store and process sensitive information. 

Is the room structurally sound and free of unwanted environmental conditions such as hot temperatures, high humidity, or leaks? If possible, the room should have full-height walls and fireproof ceilings. The temperature and humidity should be maintained at a reasonable level even during nights and weekends.

What kinds of access are provided to the secure room, such as doors and windows?  A secure room has only one or two doors, which should never be propped open. All doors and windows need to have locks.

How are those access points secured?  Locks are effective if the appropriate people maintain their keys and combinations.

Who has entry access to the room? Determine who will have access to the room or how you will keep a log of who enters and exits.

Are non-essential items stored in the room?  Don't allow the secure room to become a catch-all. Keeping non-essential items out limits who has access to the room and avoids further safety concerns such as food, drink, flammable items, etc.

Is there an up-to-date log of equipment in the secure room?  Consider making a list of all equipment, including manufacturer name, model, and serial numbers. If anything should happen to the equipment, your ready list will make it easier to make insurance claims.

What policies are in place to ensure repairs to the room and IT equipment are performed safely?  Consider creating a list of approved technicians and companies to do repairs before the need arises. Keep a list of telephone numbers, maintenance contract numbers, customer identification numbers, and equipment serial numbers handy.

2.) User Equipment

Is there an up-to-date log of current equipment assigned to users?  It may seem tedious to document all users' equipment, but without a list a company has no way of knowing what goes missing.

Is the equipment labeled to identify the owner or company? Make the identification overt so it can't be mistaken. One suggestion is to use neon paint on the equipment.

Do you have policies to allow only authorized user access to particular equipment (user passwords and such)?  Ensure the right people have access to the right information. Don't forget printers and fax machines that may print confidential information. Also, don't forget to have policies on how to store passwords, etc.

Do you have policies for portable equipment that users take out of the office?  Make sure all users are on the same page with your policies for using equipment outside the office. This includes using approved devices, locking devices up where they aren't visible when not in use, and using passwords.