May 3, 2012
Report Prepared by: Muhammad Kamran Imam, ICMAP Stage 6 kamranimam@rocketmail.com Registration # 20053076
Hyderabad
Contents
EXECUTIVE SUMMARY
INTRODUCTION
SCOPE
BACKGROUND INFORMATION
SAFWCO PHYSICAL & ENVIRONMENTAL SECURITY POLICY
MAJOR CONCERNS
SUMMARY
ACTION
Executive Summary
The activity was designed and conducted to assess all the security risks attached to the IT operations of SAFWCO. The overall assessment results show that some controls are implemented in this regard, but several related matters still need to be addressed and actions are yet to be taken by the organization, such as:
1. The information security policy is not fully implemented, and some matters are ignored in the design of the data backup and disaster aversion policy for data management.
2. Fire security and air conditioning are not up to the mark as compared with international benchmark procedures.
Top List
The list below contains the top findings, weaknesses, or concerns discovered during the security assessment. Some of the issues listed here come from more than one section of the assessment report findings. Additional information about each is provided elsewhere in the report. It is recommended that these be evaluated and addressed as soon as possible. They should be considered significant and may impact the operations of SAFWCO.
Introduction
This report is an assessment report for the SAFWCO physical security assessment. The assessment identifies major lapses in the server room as well as in the related security of the IT administration room. For conducting the assessment activity, many points were included in the working papers to make sure that all related instruments and points were checked as per the standards, policies and procedures applicable and implemented by SAFWCO.
Scope
The following activities are within the scope of this project:
- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, and facilities management.
- A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.
- Testing the execution of environmental controls with respect to practical guidelines and the related functionality of the system.
Out of Scope
The following activities are NOT part of this security assessment:
- Buildings, IT server rooms or facilities other than those assessed.
- Social engineering to acquire sensitive information from staff members.
- Testing of Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.
Background Information
Having a large number of clients, SAFWCO arranged web-based software, namely MIS and FIS (for its database management and accounts operations), designed by a local programmer. All of the organization's related data is properly entered, stored and retrieved to and from a server located on the ground floor of the head office, where a room is allocated for this purpose, with a related room for the IT staff. The organization has developed some limited controls for IT operations and is still in its development phase.
POLICY
1. Staff and equipment require a safe, secure, and technically sound physical environment. While it is necessary to comply with each of the areas addressed, appropriate adjustments or allowances may be made for the organization, physical plant, and any special requirements of the individual office or facility. Deviation from the minimum requirements must be annotated on the system risk assessment, and the Office Head or Facility Director must be aware of and acknowledge this deviation in the accreditation of the system.
2. There must be, at a minimum, a cipher lock or suitable substitute on each door to the computer room.
3. Only personnel who require access to perform their official duties will be permitted in the computer room.
4. A log will be kept of all personnel who were issued the combination/key to the computer room, and the person will be required to sign for that combination/key.
5. The combination of a cipher lock will be changed frequently, especially when a person who was previously given the combination leaves the organization.
6. Keys or card keys will be returned to the organization upon separation, transfer, or termination.
7. Loss of keys or disclosure of a cipher key code will be reported to the ISO immediately.
8. A computer room access roster will be established.
9. There will be signs posted designating the room as a Restricted Area.
10. Contract maintenance personnel and others not authorized unrestricted access, but who are required to be in the controlled area, will be escorted by an authorized person at all times while they are within the controlled area.
11. All access to the computer room will be logged, and logs reviewed monthly by the ISO to determine if access is still required.
12. There shall be no signs to indicate that an information system is located in any particular building or area.
13. The main computer room should have certain structural physical security features.
14. Media used to record and store sensitive software or data will be labeled, protected, controlled and secured when not in use.
15. Physical access controls will also be implemented not only in the area containing system hardware, but also at the locations of wiring used to connect elements of the system, supporting services (such as electric power), backup media, communications closets, and any other elements required for the system's operation.
16. It is important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied.
17. A computer room will have appropriate environmental security controls implemented, which include measures to mitigate damage to IT system resources caused by fire, electrical surges and outages, water, and climate control failure.
Presented for IS & IT audit case presentation
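Policy items 4, 5, 10 and 11 together describe a monthly review of who holds the combination and who actually entered the computer room. As an added example that is not part of the report, the following Python script (roster, log lines and user names are constructed) carries out that review and flags three cases: entries by people not on the roster, entries after a person's separation date, and roster members with no entries in the month.

```python
"""Monthly computer-room access log review.  Added example, not part of the
SAFWCO report: it models policy items 4, 5, 10 and 11 (a roster of staff
issued the cipher-lock combination, and an access log the ISO reviews monthly
to decide whether each person's access is still required)."""
from collections import defaultdict
from datetime import date

# Constructed sample data; user names, dates and times are invented.
ROSTER = {
    "a.khan":  {"issued": date(2012, 1, 9), "separated": None},
    "b.shah":  {"issued": date(2012, 2, 1), "separated": None},
    "c.memon": {"issued": date(2011, 11, 14), "separated": date(2012, 4, 20)},
}
ACCESS_LOG = """\
2012-04-02 09:05 a.khan enter
2012-04-02 17:40 a.khan exit
2012-04-11 14:12 c.memon enter
2012-04-11 14:50 c.memon exit
2012-04-23 10:30 c.memon enter
2012-04-25 08:55 d.vendor enter
2012-04-25 09:30 d.vendor exit
"""

def parse_entries(log_text):
    """Yield (date, user) for each 'enter' line; exits are not needed here."""
    for line in log_text.splitlines():
        day, _time, user, action = line.split()
        if action == "enter":
            yield date.fromisoformat(day), user

def review_month(log_text, roster, year, month):
    """Return the findings the ISO would act on for one review month."""
    entries = defaultdict(list)
    for day, user in parse_entries(log_text):
        if (day.year, day.month) == (year, month):
            entries[user].append(day)
    findings = {"not_on_roster": set(), "after_separation": [], "no_access": []}
    for user, days in entries.items():
        if user not in roster:          # item 10: should have been escorted
            findings["not_on_roster"].add(user)
            continue
        sep = roster[user]["separated"]  # item 5: combination must change
        findings["after_separation"] += [(user, d) for d in days if sep and d > sep]
    for user, info in roster.items():   # item 11: is access still required?
        if info["separated"] is None and user not in entries:
            findings["no_access"].append(user)
    return findings
```

Calling review_month(ACCESS_LOG, ROSTER, 2012, 4) lists d.vendor as not on the roster, c.memon's entry after separation, and b.shah as a holder with no access in April.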
Climate
Water
Electricity
Major Concerns
Listed below are the concerns discovered during the assessment relating to policy. These are considered significant and steps should be taken to address them.
2. Fire Extinguishers
Explanation
All the related fire extinguishers are either placed inside the server room where all..
Risk
There is a possibility that at the time of an outbreak of fire at the facility, the fire extinguishers will not be available to the responsible person, which may cause heavy damage despite the available cure.
Recommendations
There should be a well-known and marked position in the office to which all the staff have easy access. Staff should also be given training in how to tackle fire and how to operate extinguishers. It is recommended to use FM-200 gas as the fire suppression system, as this is environment friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.
3. Air Conditioning
Explanation
There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.
Risk
Heat may not be removed from the systems easily, which may cause damage to servers and related computers.
Recommendations
It is recommended to keep the temperature of the server room under control, because network devices dissipate a large amount of heat in the working state. An A/C should therefore be installed and kept in working state to lower the temperature of the server room and keep the devices working efficiently.
4. Temperature and Humidity Measurement
Explanation
There is no temperature and humidity measurement device installed in the IT / server room.
Risk
In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of system and data.
Recommendations
The server room should be visited at regular intervals to determine if temperature and humidity are adequate. An automatic temperature and humidity measurement device should also be installed in the server room in order to alert staff to a rise in temperature.
5. Smoke Detectors
Explanation
There are no multiple smoke detectors installed in the IT / server room, so the major area is not covered for efficient detection of fire.
Risk
In the absence of smoke detectors and a fire alarm, the presence of fire in the server room will not be indicated, which will result in damage to equipment and hence financial loss.
Recommendations
Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.
8. Building Concerns
Several key doors within the building are unlocked or can be forced open.
Explanation
There are several important doors in the interior SAFWCO office area that are normally unlocked or can be forced open even when locked. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, which contains the files, is usually unlocked and open.
Risk
These doors protect valuable assets of SAFWCO. A determined attacker, thief, or disgruntled employee could get through these important doors with minimal effort to steal and/or destroy.
Recommendations
Replace current doors with stronger fire doors. Replace existing door hardware with high security locks.
Risk
There are several risks in not having an entryway access control system:
- Unauthorized people can enter secure areas unescorted.
- There is no record of personnel entries into secure areas.
- It is not possible to disable access for a specific person.
Recommendations
- Evaluate available and suitable entryway access systems.
- Develop appropriate procedures for assigning and removing access.
- Install an appropriate system and assign access rights.
Summary
1. There is no possible estimation or expectation for any of the natural disasters above, but there are considerable chances of floods and lightning problems, as well as electromagnetic waves.
2. An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN number or access card. These systems have either a control panel where a correct PIN number must be entered before entry is allowed, or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.
3. The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.
4. The door to the utility room is a hollow-core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The system administrator's office, which contains the files, is usually unlocked and open.
5. There is no efficient air conditioning system installed in the server room for maintaining a constant temperature.
6. In the absence of temperature and humidity measurement devices, increased temperature in the server room cannot be measured, which results in inefficiency of the network devices. If the humidity is outside the normal range, the network equipment starts showing signs of corrosion, resulting in permanent loss of system and data.
Action Plan
- It is recommended to keep the temperature of the server room under control, because network devices dissipate a large amount of heat in the working state. An A/C should therefore be installed and kept in working state to lower the temperature of the server room and keep the devices working efficiently.
- It is recommended to use FM-200 gas as the fire suppression system, as this is environment friendly. This agent suppresses fire by discharging as a gas onto the surface of combusting materials. Large amounts of heat energy are absorbed from the surface of the burning material, lowering its temperature below the ignition point. FM-200 fire suppression systems have low atmospheric lifetimes, global warming and ozone depletion potentials.
- Fire alarms should be placed strategically throughout the facility. The resulting audible alarm should be linked to a monitored guard station.
- The server room should be visited at regular intervals to determine if temperature and humidity are adequate. An automatic temperature and humidity measurement device should also be installed in the server room in order to alert staff to a rise in temperature.
- Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor. The detectors should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department). The location of the smoke detectors above the ceiling tiles and below the raised floor should be marked on the tiling for easy identification and access. Smoke detectors should supplement, not replace, fire suppression systems.
- Short-term interruptions, such as sags, spikes and surges, can be controlled by UPS devices. Long-term interruptions, which last from a few hours to several days, require the use of alternate power generators.
- Other concerns, outside of natural threats, are man-made. They include terrorist threats/attacks, vandalism, electrical shock and equipment failure.
- To reduce the risk of flooding, the computer room should not be located in the basement or on the top floor. If located in a multistory building, studies show that the best location for the computer room (the location which reduces the risk of fire, smoke and water damage) is on the middle floors (e.g., third, fourth, fifth or sixth floor).