next up previous
Next: 3.1.5 Data security Up: 3.1 Local Network: Security Previous: 3.1.3 Systems development process

3.1.4 Physical security

Information cannot be appropriately protected unless the facilities that house the equipment are properly protected from physical threats and hazards. The major areas of concern are described below.

* Environmental conditions

For many types of computer equipment, strict environmental conditions must be maintained. Manufacturer's specifications should be observed for temperature, humidity, and electrical power requirements.

* Control of media

The media upon which information is stored should be carefully controlled. Transportable media such as tapes and cartridges should be kept in secure locations, and accurate records kept of the location and disposition of each. In addition, media from an external source should be subject to a check-in process to ensure it is from an authorized source.

* Control of physical hazards

Each area should be surveyed for potential physical hazards. Fire and water are two of the most damaging forces with regard to computer systems. Opportunities for loss should be minimized by an effective fire detection and suppression mechanism, and planning reduces the danger of leaks or flooding. Other physical controls include reducing the visibility of the equipment and strictly limiting access to the area or equipment.

* Contingency planning

Although risks can be minimized, they cannot be eliminated. When reliance upon a computer facility or application is substantial, some type of contingency plan should be devised to allow critical systems to be recovered following a major disaster, such as a fire. There are a number of alternative approaches that should be evaluated to most cost-effectively meet the company's need for continuity of service.

* Configuration management

Risk can be introduced through unofficial and unauthorized hardware or software. Another key component of information resource management is ensuring only authorized hardware and software are being utilized. There are several control issues to be addressed.

Records of hardware/software inventories, configurations, and locations should be maintained and kept up-to-date.

* Complying with terms of software licenses

Especially with microcomputer software, illegal copying and other uses in conflict with licensing agreements are concerns. The use of software subject to licensing agreements must be monitored to ensure it is used according to the terms of the agreement.

* Protecting against malicious software and hardware

The recent occurrences of destructive computer ``viruses'' point to the need to ensure that companies do not allow unauthorized software to be introduced to their computer environments. Unauthorized hardware can also contain hidden vulnerabilities. Management should adopt a strong policy against unauthorized hardware/software, inform personnel about the risks and consequences of unauthorized additions to computer systems, and develop a monitoring process to detect violations of the policy.

next up previous
Next: 3.1.5 Data security Up: 3.1 Local Network: Security Previous: 3.1.3 Systems development process
Denis Arnaud