IT-05 Physical Security of IT Equipment


Upload: krlekonj

Post on 19-Apr-2017


Page 1: IT-05 Physical Security of IT Equipment

DOCUMENT NO: IT-05
REVISION NO: 0
EFFECTIVE DATE: 1-August-2009
PAGE NO: 1 of 5
PREPARED BY: Hong Chan Chuen
APPROVED BY: Lim Hock Chee

PHYSICAL SECURITY OF INFORMATION TECHNOLOGY EQUIPMENT

1.0 PURPOSE:

1.1 To define the minimum level of physical security needed for CMM IT equipment to effectively protect the security, reliability and availability of CMM electronic data systems.

1.2 To assign responsibility for implementing and maintaining physical security of IT equipment.

2.0 SCOPE:

2.1 For the purpose of this Policy, “IT equipment” is any equipment managed by the CMM IT infrastructure group covering all CMM sites. This includes IT equipment owned by CMM and equipment owned by third parties whose safekeeping is the responsibility of CMM.

2.2 This policy also applies to CMM IT equipment that may reside at off-site locations (e.g. third party sites, external service providers, business joint venture partners). Where applicable, the provisions of this policy must be included in relevant legal agreements between the third parties and CMM.

2.3 Types of IT equipment covered by this policy include but are not limited to: Intel-type, mid-range and mainframe servers, ‘terminal server’ servers, routers, switches and related monitoring equipment; Internet gateways for browsing and email, telephone switches (PABXs), voicemail and call distribution (ACD) systems.

2.4 Some equipment such as LAN premises wiring and distribution systems and wireless access points cannot usually be concentrated in a protected area (‘server room’). Those responsible for implementing this Policy are responsible for assessing the risks and implementing reasonable controls to ensure ongoing security, availability and reliability of CMM systems.

2.5 This policy excludes portable user devices such as laptops, cellular phones, and PDAs (e.g. Blackberry). Refer to IT-01 Company Electronic Data Policy for guidance.

2.6 The physical security of machine-readable removable media such as backup tapes and cartridges is covered by the separately issued IT-10 Corporate Backup and Restore Policy.

3.0 REFERENCES:

3.1 IT-01 (Company Electronic Data Policy)

3.2 IT-06 (Access to CMM Server Room and Backup Media)

3.3 IT-10 (Corporate Backup and Restore Policy)

4.0 DEFINITIONS:

4.1 IT – Information Technology

5.0 EXHIBITS:

5.1 None

6.0 RESPONSIBILITIES:

6.1 IT Management
- Ensuring that IT develops and implements appropriate policies, practices and procedures on a company-wide basis.
- Ensuring that IT management implements and ensures compliance to this policy and all related practices and procedures.
- Ensuring that the policy, practices and procedures are maintained.

6.2 IT Support Leader
- Ensuring all staff in their area of responsibility are familiar with and comply with all policies, practices and procedures.
- Ensuring that all third parties and external service providers are provided with necessary information and are held responsible for complying with all policies, practices and procedures.
- Ensuring responsibility for security is appropriately assigned to staff or other individuals.
- Maintaining an inventory list of all IT equipment they are responsible for, including the equipment within the scope of this policy.
- Implementing the policy for all IT equipment for which they are responsible.
- Approving access to server rooms, wiring closets or other areas they are responsible for.
- Maintaining and reviewing approved access lists on a monthly basis.
- Notifying IT Management of any changes in responsibilities for physical security of CMM IT equipment.
- Confirming, on an annual basis, that their sites are in compliance with this policy.

6.3 Third Parties & External Service Providers
- Including provisions of this policy in relevant legal agreements.
- Complying with all related policies, practices and procedures.

7.0 PRACTICE:


7.1 Physical Security

CMM IT equipment should be housed in a dedicated server room. This is a secure room that is used exclusively for housing CMM IT equipment. If such a room is not available or feasible, then CMM IT equipment must be housed in secure lockable IT hardware cabinets. Ideally, these cabinets will reside in a separate room or area.

Question: Where should IT equipment be sited?
Solution: Equipment is to be stored in either:
i) A securely locked dedicated server room, or
ii) Securely locked purpose-built IT hardware cabinet(s)

Question: Who is responsible for security of IT equipment?
Solution: IT Support Leader

Question: Who is permitted to access the IT equipment?
Solution: CMM and third-party personnel with a legitimate need to access it; for example to perform system management functions or to carry out equipment upgrades or repairs. (Access to be defined by IT Infrastructure managers.)

Any access by third-party personnel not normally based at the site where the equipment is located must be approved by IT Management. A record of each such access will be logged. Examples of such third parties are hardware engineers, building maintenance staff, landlords, and members of the Major Incident Team.

Question: When may equipment be accessed?
Solution: Access to the equipment should only be granted as and when it is needed. At all other times dedicated server rooms and/or cabinets should be kept locked shut.

Question: How is access to the IT equipment granted?
Solution: The ‘dedicated server room’ or hardware cabinet(s) should be kept locked, preferably by means of a badge access system or alternatively by lock and key.

Such badges or keys should only be issued when needed and should only be issued to personnel with a genuine need to access the equipment.

Question: How should badges/keys be managed?
Solution: Badge access approvals/setups and lock keys should be available to IT Management and/or the nominated deputy responsible for granting access to the IT equipment.

Badge access lists and/or key access lists should be reviewed on a scheduled basis (preferably monthly). Procedures should be documented and proof of review maintained for audit purposes.

An emergency copy of any access key should be securely stored in case it is required.

When IT staff with server room access either leave the company or change roles, this access must be changed/revoked immediately.

7.2 Environment

Ideally, CMM IT equipment should be housed where temperature, humidity and power supplies are controlled. Fire protection must meet the requirements of CMM’s insurers if appropriate. The following are recommendations (with the exception of the specified temperature and humidity limits, which are mandatory):


Environment issue: Temperature control
Recommendation: IT equipment can become unstable and unreliable if large or sudden temperature fluctuations occur. Where practical, take steps to maintain an even temperature; consider using thermostatically controlled air conditioning to maintain an even temperature, and reflective material on windows or window blinds to reduce heating by greenhouse effect. A temperature of 20ºC ± 2ºC will be maintained while the equipment is running.

Environment issue: Humidity control
Recommendation: Excessive humidity can damage IT equipment. Where practical, take steps to maintain a safe level of humidity, for example by keeping doors and windows closed and by use of air-conditioning or dehumidifiers. A relative humidity of between 40% and 45% will be maintained while the equipment is running. Humidity when not operating will not exceed 50% (at 20ºC).

Environment issue: Fire detection
Recommendation: All office areas, including those used to house IT equipment, should be protected by automated smoke and fire detection and alarm equipment. CMM’s insurers must approve fire detection equipment.

Environment issue: Fire extinguishing
Recommendation: All office areas, including those used to house IT equipment, must be protected by readily available fire extinguishing facilities. Electrical equipment needs special fire extinguishing apparatus, and IT machine rooms normally have fire extinguishing systems that minimize the damage caused to the equipment by their use. FM200 (Halon replacement) fire protection systems will only be installed at CMM designated Data Centres, and/or IT will ensure these protection features are in place at any outsourced location designated as a data centre. CMM’s insurers must approve such equipment.

Environment issue: Power protection
Recommendation: Critical IT equipment should be protected by a UPS and all other IT equipment by power conditioning units, which protect against spikes or drops in voltage that last a very short time. ‘Critical’ equipment is that whose loss of service would affect a significant number of users or time-critical applications.

UPS run time (the rated time for which a particular UPS can supply power) should exceed the typical duration of power outages experienced by the site. Critical equipment used only by the site where the equipment is housed needs a UPS run time sufficient for the equipment to complete an automatically triggered shutdown (where the equipment supports it). If the equipment is also used by remote sites, a minimum run time of three standard deviations of historic outage duration should be used.

Sites with generators with sufficient capacity to power all IT equipment nevertheless need an approximately ‘one-minute duration’ UPS and power conditioner to cover the time it takes the generator to start and the later switchover back to mains supply. Generators should be tested under full load at least once a month.

Environment issue: Rubbish
Recommendation: Any dedicated server room must be kept free of rubbish. Loose paper and cardboard boxes are particular fire hazards.
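The UPS run-time sizing rule in the power protection recommendation above, worked through as an added example (not part of the policy or any CMM tooling) over a constructed list of historic outage durations; the function names, the literal reading of "three standard deviations" as 3 × the population standard deviation, and the sample figures are all assumptions made for the illustration.

```python
import statistics

# Constructed sample of historic outage durations (minutes) at one site; not real CMM data.
HISTORIC_OUTAGES_MIN = [2.0, 5.0, 1.5, 12.0, 3.0, 7.5, 4.0, 2.5, 9.0, 6.0]


def required_ups_runtime_min(outages, serves_remote_sites, shutdown_time_min=0.0,
                             has_generator=False):
    """Minimum UPS run time (minutes) under the IT-05 section 7.2 power-protection rule.

    - With a generator, the UPS only bridges generator start-up and the switch back
      to mains, so roughly one minute is required.
    - Otherwise the run time must exceed the typical (mean) outage duration, and:
      * equipment used only locally needs enough time to complete an automatic
        shutdown (shutdown_time_min);
      * equipment also used by remote sites needs at least three standard
        deviations of the historic outage durations (assumed here to mean 3 * sigma).
    """
    if has_generator:
        return 1.0
    typical = statistics.mean(outages)
    if serves_remote_sites:
        floor = 3 * statistics.pstdev(outages)
    else:
        floor = shutdown_time_min
    return max(typical, floor)


def ups_is_adequate(rated_runtime_min, outages, serves_remote_sites, **kwargs):
    """True when the UPS's rated run time meets the required minimum."""
    return rated_runtime_min >= required_ups_runtime_min(outages, serves_remote_sites, **kwargs)


if __name__ == "__main__":
    scenarios = (
        ("local-only, 8 min automatic shutdown", False, {"shutdown_time_min": 8.0}),
        ("also serves remote sites", True, {}),
        ("site with generator", True, {"has_generator": True}),
    )
    for label, remote, extra in scenarios:
        need = required_ups_runtime_min(HISTORIC_OUTAGES_MIN, remote, **extra)
        ok = ups_is_adequate(10.0, HISTORIC_OUTAGES_MIN, remote, **extra)
        print(f"{label}: need >= {need:.1f} min; a 10 min UPS is adequate: {ok}")
```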

7.3 Site Responsibilities

IT Management is responsible for IT physical security at CMM. This responsibility includes authorizing access to the data centre/server rooms and ensuring an annual compliance assessment is conducted.

7.4 Exceptions to Policy

Any exceptions to this policy must be documented and submitted to the CIO for review and approval.


7.5 Annual Compliance Assessment

Every twelve (12) months, each site that houses CMM IT equipment will be assessed to ensure that physical security conforms to this Policy. The individuals responsible for physical security at each site, or their nominees, will carry out this assessment. The results and date of each assessment and the due date for the next assessment will be sent to the owner of this policy.

8.0 REVISION HISTORY:

Rev # | Sec./Page No | Name | Change Date | Changes
0 | - | Hong Chan Chuen | 6-July-09 | New