Physical security is a topic that covers all the interior and exterior of company facilities. While the subtopics are focused on the interior, many of the same common techniques are applicable to the exterior too.
- Wiring closets. A wiring closet is typically a small room that holds IT hardware. It is common to find telephony and network devices in a wiring closet. Occasionally, you also have a small number of servers in a wiring closet. Access to the wiring closest should be restricted to the people responsible for managing the IT hardware. You should use some type of access control for the door, such as an electronic badge system or electronic combination lock. From a layout perspective, wiring closets should be accessible only in private areas of the building interior; people must pass through a visitor center and a controlled doorway prior to be able to enter a wiring closet.
- Server rooms and data centers. A server room is a bigger version of a wiring closet but not nearly as big as a data center. A server room typically houses telephony equipment, network equipment, backup infrastructure and servers. A server room should have the same minimum requirements as a wiring closet. While the room is bigger, it should have only one entry door; if there is a second door, it should be an emergency exit door only. It is common to use door alarms for server rooms: If the door is propped open for more than 30 seconds, the alarm goes off. All attempts to enter the server room without authorization should be logged. After multiple failed attempts, an alert should be generated.
Data centers are protected like server rooms, but often with a bit more protection. For example, in some data centers, you might need to use your badge both to enter and to leave, whereas with a server room, it is common to be able to walk out by just opening the door. In a data center, it is common to have one security guard checking visitors in and another guard walking the interior or exterior. Some organizations set time limits for authorized people to remain inside the data center. Inside a data center, you should lock everything possible, such as storage cabinets and IT equipment racks.
- Media storage facilities. Media storage facilities often store backup tapes and other media, so they should be protected just like a server room. It is common to have video surveillance too.
- Evidence storage. An evidence storage room should be protected like a server room or media storage facility.
- Restricted work area. Restricted work areas are used for sensitive operations, such as network operations or security operations. The work area can also be non-IT related, such as a bank vault. Protection should be like a server room, although video surveillance is typically limited to entry and exit points.
- Utilities and HVAC. When it comes to utilities such as HVAC, you need to think through the physical controls. For example, a person should not be able to crawl through the vents or ducts to reach a restricted area. For the health of your IT equipment, you should use separate HVAC systems. All utilities should be redundant. While a building full of cubicles might not require a backup HVAC system, a data center does, to prevent IT equipment from overheating and failing. In a high-security environment, the data center should be on a different electrical system than other parts of the building. It is common to use a backup generator just for the data center, whereas the main cubicle and office areas have only emergency lighting.
- Environmental issues. Some buildings use water-based sprinklers for fire suppression. In a fire, shut down the electricity before turning on the water sprinklers (this can be automated). Water damage is possible; by having individual sprinklers turn on, you can minimize the water damage to only what is required to put out a fire. Other water issues include flood, a burst pipe or backed up drains. Besides water issues, there are other environmental issues that can create trouble, such as earthquakes, power outages, tornados and wind. These issues should be considered before deciding on a data center site or a backup site. It is a good practice to have your secondary data center far enough away from your primary data center so it is not at risk from any environmental issues affecting the primary data center. For example, you should avoid building your backup data center on the same earthquake fault line as your primary data center, even if they are hundreds of miles away from each other.
Fire prevention, detection and suppression. The following key points highlight things to know for this section:
- Fire prevention. To prevent fires, you need to deploy the proper equipment, test it and manage it. This includes fire detectors and fire extinguishers. You also need to ensure that workers are trained about what to do if they see a fire and how to properly store combustible material. From a physical perspective, you can use firewalls and fire suppressing doors to slow the advancement of a fire and compartmentalize it.
- Fire detection. The goal is to detect a fire as soon as possible. For example, use smoke detectors, fire detectors and other sensors (such as heat sensors).
- Fire suppression. You need a way to suppress a fire once a fire breaks out. Having emergency pull levers for employees to pull down if they see a fire can help expedite the suppression response (for example, by automatically calling the fire department when the lever is pulled). You can use water-based firesuppression system, or minimize the chances of destroying IT equipment by choosing non-water fire suppressants, such as foams, powders CO2-based solutions, or an FM-200 system. FM-200 systems replace Halon, which was banned for depleting the ozone layer. FM-200 is more expensive than water sprinklers.