Administrative controls, as opposed to physical or technical controls, can be thought of as the area of physical security protection that benefits from the proper administrative steps. These steps encompass proper emergency procedures, personnel control (in the area of Human Resources), planning, and policy implementation.
We will look at the following various elements of Administrative Controls:
· Facility Requirements Planning
· Secure Facility Management
· Administrative Personnel Controls
Facility Requirements Planning
Facility Requirements Planning describes the need for planning for physical security controls in the early stages of the construction of a data facility. There may be an occasion when security professionals are able to provide input at the construction phase of a building or data center. Some of the physical security elements involved at the construction stage include choosing and designing a secure site.
Choosing a Secure Site
The environmental placement of the facility is also a concern during initial planning. Security professionals need to consider such questions as:
- Visibility. What kind of neighbors will the proposed site have? Will the site have any external markings that will identify it as a sensitive processing area? Low visibility is the rule here.
- Local considerations. Is the proposed site near possible hazards (for example, a waste dump)? What is the local rate of crime (such as forced entry and burglary)?
- Natural disasters. Is it likely this location will have more natural disasters than other locations? Natural disasters can include weather-related problems (wind, snow, flooding, and so forth) and the existence of an earthquake fault.
- Transportation. Does the site have a problem due to excessive air, highway, or road traffic?
- Joint tenancy. Are access to environmental and HVAC controls complicated by a shared responsibility? A data center may not have full access to the systems when an emergency occurs.
- External services. Do you know the relative proximity of the local emergency services, such as police, fire, and hospitals or medical facilities?
Designing a Secure Site
Information Security processing areas are the main focus of physical control. Examples of areas that require attention during the construction planning stage are:
- Walls. Entire walls, from the floor to the ceiling, must have an acceptable fire rating. Closets or rooms that store media must have a high fire rating.
- Ceilings. Issues of concern regarding ceilings are the weight-bearing rating and the fire rating.
- Floors. The following are the concerns about flooring:
o Slab - If the floor is a concrete slab, the concerns are the physical weight it can bear (known as loading, which is commonly 150 pounds per square foot) and its fire rating.
o Raised - The fire rating, its electrical conductivity (grounding against static buildup), and that it employs a nonconducting surface material are concerns of raised flooring in the data center. Electrical cables must be enclosed in metal conduit, and data cables must be enclosed in raceways, with all abandoned cable removed. Openings in the raised floor must be smooth and nonabrasive, and they should be protected to minimize the entrance of debris or other combustibles.
- Windows. Windows are normally not acceptable in the data center. If they do exist, however, they must be translucent and shatterproof.
- Doors. Doors in the data center must resist forcible entry and have a fire rating equal to the walls. Emergency exits must be clearly marked and monitored or alarmed. To enable safe evacuation, electric door locks on emergency exits should revert to a disabled state if power outages occur. While this may be considered a security issue, personnel safety always takes precedence, and these doors should be manned in an emergency.
- Sprinkler system and fire resistance. The location and type of fire suppression system must be known. The fire-resistant rating of construction materials is a major factor in determining the fire safety of a computer operations room. The term fire-resistant refers to materials or construction that has a fire resistance rating of not less than the specified standard. For example, the computer room must be separated from other occupancy areas by construction with a fire-resistant rating of not less than one hour.
- Liquid or gas lines. Security professionals should know where the shut-off valves are to water, steam, or gas pipes entering the building. Also, water drains should be “positive” - that is, they should flow outward, away from the building, so that they do not carry contaminants into the facility.
- Air conditioning. AC units should have dedicated power circuits. Security professionals should know where the Emergency Power Off (EPO) switch is. As with water drains, the AC system should provide outward, positive air pressure and have protected intake vents to prevent air-carried toxins from entering the facility.
- Electrical requirements. The facility should have established backup and alternate power sources. Dedicated feeders and circuits are required in the data center. Security professionals should check for access controls to the electrical distribution panels and circuit breakers.
Secure Facility Management
Here we list audit trails and emergency procedures. These are elements of the Administrative Security Controls that are not related to the initial planning of the secure site but are implemented on an ongoing basis.
An audit trail is a record of events. A computer system may have several audit trails, each focused on a particular type of activity, such as detecting security violations, performance problems, and design and programming flaws in applications. In the domain of Physical Security, access logs are vital audit trails because management needs to know where access attempts occurred and who attempted them.
The audit trails or access logs must record the following:
· The date and time of the access attempt
· Whether the attempt was successful or not
· Where the access was granted (which door, for example)
· Who attempted the access
· Who modified the access privileges at the supervisor level
Some audit trail systems can also send alarms or alerts to personnel whether multiple access failure attempts have been made.
Remember that audit trails are detective, rather than preventative. Access logs do not stop an intrusion, although knowing that an audit trail of the entry attempt is being compiled may influence the intruder to not attempt entry. Audit trails do help an administrator reconstruct the details of an intrusion post-event, however.
The implementation of emergency procedures and the employee training and knowledge of these procedures is an important part of administrative physical controls. These procedures should be clearly documented, readily accessible (including copies stored off-site in the event of a disaster), and updated periodically.
Elements of emergency procedure administration should include the following:
· Emergency system shutdown procedures
· Evacuation procedures
· Employee training, awareness programs, and periodic drills
· Periodic equipment and systems tests
Administrative Personnel Controls
Administrative Personnel Controls encompass those administrative processes that commonly are implemented by the Human Resources department during employee hiring and firing. Examples of personnel controls implemented by HR often include the following:
· Pre-employment screening:
· Employment, references, or educational history checks
· Background investigation or credit rating checks for sensitive positions
· Ongoing employee checks:
o Security clearances - generated only if the employee is to have access to classified documents
o Ongoing employee ratings or reviews by their supervisor
· Post employment procedures:
o Exit interview
o Removal of network access and change of passwords
o Return of computer inventory or laptops
Environmental and Life Safety Controls
Environmental and Life Safety Controls are considered to be those elements of physical security controls that are required to sustain either the computer’s operating environment or the personnel’s operating environment. The following are the three main areas of environmental control:
1. Electrical power
2. Fire detection and suppression
3. Heating, Ventilation, and Air Conditioning (HVAC)
Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel environment as well as to sustain data operations. Many elements can threaten power systems, the most common being noise, brownouts, and humidity.
The term noise in power systems refers not to audible sound but to the presence of electrical fluctuation in the system that is unintentional and interferes with the transmission of clean power. There are several types of noise, the most common being electromagnetic interference (EMI) and radio frequency interference (RFI). EMI and RFI are terms used to describe disruption or noise generated by electromagnetic waves. RFI refers to noise generated from radio waves, and EMI is the general term for all electromagnetic interference, including radio waves. EMI and RFI are often generated naturally, for example from sunspots or the earth’s magnetic field. Man-made sources of EMI and RFI - such as cell phones, laptops, and other computers - pose the largest threat to electronic equipment.
EMI is noise that is caused by the generation of radiation from the charge differences among the three electrical wires - the hot, neutral, and ground wires.
Two common types of EMI generated by electrical systems are:
- Common-mode noise. Noise from the radiation generated by the charge difference between the hot and ground wires
- Traverse-mode noise. Noise from the radiation generated by the charge difference between the hot and neutral wires
RFI is generated by the components of an electrical system, such as radiating electrical cables, fluorescent lighting, and electric space heaters. RFI can be so serious that it not only interferes with computer operations but also can permanently damage sensitive components.
Guidelines to prevent EMI and RFI interference in the computer room should be adopted, such as limiting the use and placement of magnets or cell phones around sensitive equipment. The United States government created the TEMPEST (Transient ElectroMagnetic Pulse Emanations Standard) standard to prevent EMI eavesdropping by employing heavy metal shielding.
Several protective measures for noise exist. Some of the ones that need to be noted are:
· Power line conditioning
· Proper grounding of the system to the earth
· Cable shielding
· Limiting exposure to magnets, fluorescent lights, electric motors, and space heaters
Table lists various electrical power terms and descriptions.
|Table Electrical Power Definitions|
Open table as spreadsheet
|Fault||Momentary power loss|
|Blackout||Complete loss of power|
|Sag||Momentary low voltage|
|Brownout||Prolonged low voltage|
|Spike||Momentary high voltage|
|Surge||Prolonged high voltage|
|Inrush||Initial surge of power at the beginning|
|Noise||Steady interfering disturbance|
|Transient||Short duration of line noise disturbances|
|Clean||Nonfluctuating pure power|
|Ground||One wire in an electrical circuit must be grounded|
Unlike a sag, a brownout is a prolonged drop in supplied usable voltage that can do serious physical damage to delicate electronic components. The American National Standards Institute (ANSI) standards permit an 8 percent drop between the power source and the building’s meter and permit a 3.5 percent drop between the meter and the wall. In New York City, 15 percent fluctuations are common, and a prolonged brownout can lower the supplied voltage more than 10 percent.
In addition, surges and spikes occurring when the power comes back up from either a brownout or an outage can be damaging to the components. All computer equipment should be protected by surge suppressors, and critical equipment will need an uninterruptible power supply (UPS).
The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity, which is defined as greater than 60 percent, can produce a problem by causing condensation on computer parts. High humidity also creates problems with the corrosion of electrical connections. A process similar to electroplating occurs, causing silver atoms to migrate from the connectors onto the copper circuits, thus impeding the electrical efficiency of the components. Low humidity of less than 40 percent increases the static electricity damage potential. A static charge of 4,000 volts is possible under normal humidity conditions on a hardwood or vinyl floor, whereas charges up to 20,000 volts or more are possible under conditions of very low humidity with non–static-free carpeting. Although you cannot control the weather, you certainly can control your relative humidity level in the computer room through your HVAC systems.
Some precautions you can take to reduce static electricity damage are:
· Use antistatic sprays where possible.
· Operations or computer centers should have antistatic flooring.
· Building and computer rooms should be grounded properly.
· Antistatic table or floor mats can be used.
· HVAC should maintain the proper level of relative humidity in computer rooms.
Fire Detection and Suppression
The successful detection and suppression of fire is an absolute necessity for the safe, continued operation of information systems. A CISSP candidate will need to know the classes, combustibles, detectors, and suppression methods of fire safety.
The National Fire Protection Association (NFPA) defines risk factors to consider when designing fire and safety protection for computing environments.[*] The factors to be used when assessing the impact of damage and interruption resulting from a fire, in priority order, are:
· The life safety aspects of the function, such as air traffic controls or safety processing controls
· The fire threat of the installation to the occupants or property of the computing area
· The economic loss incurred from the loss of computing function or loss of stored records
· The economic loss incurred from the loss of the value of the equipment
As in all evaluations of risk (not only fire risk), life safety is always the number one priority.
Fire Classes and Combustibles
Fire combustibles are rated as either Class A, B, C, or D based upon their material composition, thus determining which type of extinguishing system or agent is used. Table lists the three main types of fires, what type of combustible gives the fire its class rating, and the recommended extinguishing agent.
|Table: Fire Suppression Mediums|
Open table as spreadsheet
|A||Common combustibles||Water or soda acid|
|B||Liquid||CO2, soda acid, or Halon|
|C||Electrical||CO2 or Halon|
For rapid oxidation (a fire) to occur, three elements must be present: oxygen, heat, and fuel. Each suppression medium affects a different element and is therefore better suited for different types of fires.
- Water. Suppresses the temperature required to sustain the fire.
- Soda Acid. Suppresses the fuel supply of the fire.
- CO2. Suppresses the oxygen supply required to sustain the fire.
- Halon. A little different, it suppresses combustion through a chemical reaction that kills the fire.
Anyone who has made the mistake of throwing water on a grease fire in a skillet and suffered the resultant steam explosion will never need to be reminded that certain combustibles require very specific suppression methods.
The NFPA recommends that only the absolute minimum essential records, paper stock, inks, unused recording media, or other combustibles be housed in the computer room. Because of the threat of fire, these combustibles - including old, unused cabling - should not be stored in the computer room or under raised flooring. Underfloor abandoned cables can interfere with airflow and extinguishing systems. Cables that are not intended to be used should be removed from the room. It also recommends that tape libraries and record storage rooms be protected by an extinguishing system and separated from the computer room by wall construction fire-resistant rated for not less than one hour.
Table shows the NFPA fire class ratings for various combustible materials.
|Table: Combustible Materials Fire Class Ratings|
Open table as spreadsheet
|FIRE CLASS||COMBUSTIBLE MATERIALS|
|A||Wood, cloth, paper, rubber, most plastics, ordinary combustibles|
|B||Flammable liquids and gases, oils, greases, tars, oil-base paints and lacquers|
|C||Energized electrical equipment|
|D||Flammable chemicals such as magnesium and sodium|
Fire detectors respond to heat, flame, or smoke to detect thermal combustion or its by-products. Different types of detectors have various properties and use the different properties of a fire to raise an alarm.
- Heat-sensing. Heat-actuated sensing devices usually detect one of two conditions: (1) The temperature reaches a predetermined level, or (2) the temperature rises quickly regardless of the initial temperature. The first type, the fixed-temperature device, has a much lower rate of false positives (false alarms) than the second, the rate-of-rise detector.
- Flame-actuated. Flame-actuated sensing devices are fairly expensive, as they sense either the infrared energy of a flame or the pulsation of the flame and have a very fast response time. They are usually used in specialized applications for the protection of valuable equipment.
- Smoke-actuated. Smoke-actuated fire sensing devices are used primarily in ventilation systems where an early-warning device would be useful. Photoelectric devices are triggered by the variation in the light hitting the photoelectric cell as a result of the smoke condition. Another type of smoke detector, the radioactive smoke detection device, generates an alarm when the ionization current created by its radioactive material is disturbed by the smoke.
- Automatic dial-up fire alarm. This is a type of signal response mechanism that dials the local fire and/or police stations and plays a prerecorded message when a fire is detected. This alarm system is often used in conjunction with the previous fire detectors. These units are inexpensive but can easily be intentionally subverted.
Fire Extinguishing Systems
Most fire extinguishing systems come in two flavors: water sprinkler systems and gas discharge systems.
Water sprinkler systems come in four variations:
- Wet pipe. Wet pipe sprinkler systems always contain water and are also called a closed-head system. In the most common implementation, the fusible link in the nozzle melts in the event of a heat rise to 165° F, causing a gate valve to open and allowing water to flow. This is considered the most reliable sprinkler system; however, its main drawbacks are that nozzle or pipe failure can cause a water flood, and the pipe can freeze if exposed to cold weather.
- Dry pipe. In a dry pipe system, there is no water standing in the pipe; it is being held back by a clapper valve. Upon the previously described fire conditions arising, the valve opens, the air is blown out of the pipe, and the water flows. While this system is considered less efficient, it is commonly preferred over wet pipe systems for computer installations because a time delay may enable the computer systems to power down before the dry pipe system activates.
- Deluge. A deluge system is a type of dry pipe, but the volume of water discharged is much larger. Unlike a sprinkler head, a deluge system is designed to deliver a large amount of water to an area quickly. It is not considered appropriate for computer equipment, however, because of the time required to get back on-line after an incident.
- Preaction. This is currently the most recommended water system for a computer room. It combines both the dry and wet pipe systems by first releasing the water into the pipes when heat is detected (dry pipe) and then releasing the water flow when the link in the nozzle melts (wet pipe). This feature enables manual intervention before a full discharge of water on the equipment occurs.
Gas discharge systems employ a pressurized inert gas and are usually installed under the computer room raised floor. The fire detection system typically activates the gas discharge system to quickly smother the fire either under the floor in the cable areas or throughout the room. Typical agents of a gas discharge system are carbon dioxide (CO2) or Halon. Halon 1211 does not require the sophisticated pressurization system of Halon 1301 and is used in self-pressurized portable extinguishers. Of the various replacements for Halon, FM-200 is now the most common.
- Carbon Dioxide (CO2). CO2 is a colorless and odorless gas commonly used in gas discharge fire suppression systems. It is very effective in fire suppression, because it quickly removes any oxygen that can be used to sustain the fire. This oxygen removal also makes it very dangerous for personnel, and it is potentially lethal. It is primarily recommended for use in unmanned computer facilities. If used in manned operations centers, the fire detection and alarm system must enable personnel ample time to either exit the facility or to cancel the release of the CO2.
- Portable fire extinguishers commonly contain CO2 or Soda Acid and should be:
o Commonly located at exits
o Clearly marked with their fire types
o Checked regularly by licensed personnel
- Halon. At one time, Halon was considered the perfect fire suppression method in computer operations centers because it is not harmful to the equipment, mixes thoroughly with the air, and spreads extremely fast. The benefits of using Halons are that they do not leave liquid or solid residues when discharged. Therefore, they are preferred for sensitive areas, such as computer rooms and data storage areas.
- Several issues arose with the deployment of Halon, however. For example, it cannot be breathed safely in concentrations greater than 10 percent, and when deployed on fires with temperatures greater than 900 degrees, it degrades into seriously toxic chemicals - hydrogen fluoride, hydrogen bromide, and bromine. Implementation of halogenated extinguishing agents in computer rooms must be extremely well designed to enable personnel to evacuate immediately when deployed, whether Halon is released under the flooring or overhead in the raised ceiling.
- At the Montreal Protocol of 1987, Halon was designated an ozone-depleting substance because of its use of chlorofluorocarbon compounds (CFCs). Halon has an extremely high ozone-depleting potential (three to ten times more than CFCs), and its intended use results in its release into the environment.
- Current federal regulations prohibit the production of Halons and the import and export of recovered Halons except by permit. There are federal controls on the uses, releases, and mandatory removal of Halon prior to decommissioning equipment, and reporting Halon releases, accidental or not, is mandatory.
- There are alternatives to Halon. Many large users of Halon are taking steps to remove Halon-containing equipment from all but the most critical areas. Most Halon 1211 in commercial and industrial applications is being replaced and recovered. Halon 1301 is being banked for future use. The two types of Halon used are:
o Halon 1211 - A liquid steaming agent that is used in portable extinguisers
o Halon 1301 - A gaseous agent that is used in fixed total flooding systems
· No new Halon 1301 installations are allowed, and existing installations are encouraged to replace Halon with a nontoxic substitute. Some common EPA-acceptable Halon replacements are:
o FM-200 (HFC-227ea)
o CEA-410 or CEA-308
o NAF-S-III (HCFC Blend A)
o FE-13 (HFC-23)
o Argon (IG 55) or Argonite (IG 01)
o Inergen (IG 541)
o Low-pressure water mists
- Either halocarbon agents or inert gas agents can be replacements for Halon 1301 and Halon 1211 in gas-discharge fire extinguishing systems. Halocarbon agents contain one or more organic compounds as primary components in chemical combination with one or more of the elements fluorine, chlorine, bromine, and iodine. Halocarbon agents are hydrofluorocarbons (HFCs), hydrochlorofluorocarbons (HCFCs), perfluorocarbons (PFCs or FCs), or fluoroiodocarbons (FICs).
- Inert gas agents contain as primary components one or more of the gases helium, neon, argon, and nitrogen. Some inert gas agents also contain carbon dioxide as a secondary component. Common inert gas agents for fire extinguishing systems are IG-01, IG-100, IG -55, and IG-541.
Because Halon was banned for use in fire suppression systems, many different chemical agents have been used. Some of these agents are called clean agents because they do not leave a residue on electronic parts after evaporation. CO2 (carbon dioxide) does leave a corrosive residue, and it is therefore not recommended for computer facility fire suppression systems. A clean agent is defined as an electrically nonconducting, nonvolatile fire extinguishant that does not leave a residue upon evaporation. IG-55 and IG-01 are inert gas agents that do not decompose measurably or leave corrosive decomposition products and are, therefore, considered clean agents.
Environmental contamination resulting from the fire (or its suppression) can cause damage to the computer systems by depositing conductive particles on the components.
The following are some examples of fire contaminants:
· Suppression medium contamination (Halon or CO2)
Immediate smoke exposure to electronic equipment does little damage. However, the particulate residue left after the smoke has dissipated contains active by-products that corrode metal contact surfaces in the presence of moisture and oxygen. Removal of the contaminant from the electrical contacts, such as printed circuit boards and backplanes, should be implemented as soon as possible, because much of the damage is done during this corrosion period. Also, power should be immediately disconnected to the affected equipment, because continuing voltage can plate the contaminants into the circuitry permanently.
The order of steps to be taken after electronic equipment or media has been exposed to smoke contaminants are:
1. Turn off power to equipment.
2. Move equipment into an air-conditioned and humidity-controlled environment.
3. Spray connectors, backplanes, and printed circuit boards with Freon or Freon-alcohol solvents.
4. Spray corrosion-inhibiting aerosol to stabilize metal contact surfaces.
Water-based emergencies can include pipe breakage or damage to sensitive electronic equipment through the proper use of water fire sprinklers. The first order of business is shutting down the power to the affected equipment to prevent shock hazards, shorting, or further damage. Any visible standing water should be removed and allowed to drain from around and inside the unit. Because the room may still be extremely humid, move the equipment, if possible, to a humidity-controlled environment, and then wipe the parts and use water displacement sprays. If corrective action is initiated immediately, the damage done to the computer equipment can be greatly reduced and the chances of recovering the data are increased.
The proper order of steps to be taken after electronic equipment or media has been exposed to water are:
1. Turn off all electrical power to the equipment.
2. Open cabinet doors and remove panels and covers to allow water to run out.
3. Place all affected equipment or media in an air-conditioned area, if portable.
4. Wipe with alcohol or Freon-alcohol solutions or spray with water-displacement aerosol sprays.
Table lists the temperatures required to damage various computer parts.
|Table: Heat Damage Temperatures|
Open table as spreadsheet
|Computer hardware||175º F|
|Magnetic storage||100º F|
|Paper products||350º F|
Heating, Ventilation, and Air Conditioning
HVAC is sometimes referred to as HVACR for the addition of refrigeration. HVAC systems can be quite complex in modern high-rise buildings, and they are the focal point for environmental controls. An IT manager needs to know who is responsible for HVAC, and clear escalation steps need to be defined well in advance of an environment-threatening incident. The same department is often responsible for fire, water, and other disaster response, all of which impact the availability of the computer systems.
Underfloor ventilation, as is true of all computer room ventilation, should not vent to any other office or area. HVAC air ducts serving other rooms should not pass through the computer room unless an automatic damping system is provided. A damper is activated by fire and smoke detectors and prevents the spread of computer room smoke or toxins through the building HVAC.