
Best Practices - Data Center Security

Background
Data centers are a crucial part of most organizations. Companies rely on their information systems to run their
operations. If systems become unavailable, business operations will be affected; hence it becomes necessary to provide a
reliable infrastructure for IT operations.

To minimize any chance of disruption, a data center has to operate in a secure environment with a low likelihood of a
security breach. A data center must therefore keep high standards for assuring the integrity and functionality of its
hosted computer environment. Outsourcing of IT operations and co-location services are in demand these days, so
service providers need to implement appropriate physical security to protect customer information.

Best Practices for Datacenter Security


1. Information systems must be kept in suitably designed secure areas based on their risk profile and vulnerability to
security threats. The access to such areas must be restricted and approved by the Information Security Officer (ISO).
The following should be taken into consideration.

• Minimize unnecessary access into work areas.

• Minimize risk of potential threats to the equipment such as fire, theft, dust, smoke, water etc.

• Minimize the impact of a disaster in the neighborhood.

• The backup media storage must be kept at a safe distance from the main site to ensure recoverability in case
of disaster at the main site.

2. Access to the information processing facilities for vendors and visitors should be granted only after due authorization. An
employee should always escort the visitor for the duration of access.

3. The visitor and the escorting personnel’s identities, their date and time of entry and departure should be logged for
future traceability.

4. Visitors, third parties and employees must wear visible identification badges so that they can be identified and
differentiated by security personnel.

5. Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every
access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom
cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

6. The datacenter should have 24-hour manned security arrangements for its premises.

7. Visitors should not be allowed to carry photographic, video or other recording equipment inside the datacenter.

8. The movement of information processing equipment from outside the datacenter should be allowed only upon
appropriate authorization from the concerned IT Department Manager.

9. The datacenter and computer rooms should be secured using mechanisms such as combinations, keys, cards and/or
biometric access controls. Access to secure areas such as the datacenter and computer rooms will be granted
to authorized personnel only. All such access to the datacenter should be logged.

10. The power and telecommunication cables must be adequately protected and periodically inspected for any damage
and/or unauthorized interception.

11. The IT custodians must ensure that all equipment containing removable media devices is checked for removal or
overwriting of sensitive data and licensed software prior to its disposal.

12. Fire extinguishers must be placed in appropriate locations throughout the building, Production facility and filling
stations. They must be inspected as per the vendor’s maintenance cycle.

13. Implement fire detection systems within the datacenter facility. All fire detection systems should be periodically
inspected.

14. There must be documented and tested emergency evacuation plans and these should emphasize human safety.


Disclaimer:

This is only meant as a guide and reference. These are recommendations only, and appropriate regulations and standards should always be followed
to ensure compliance and meet the organization's control and risk decisions. India Security Portal managed by DSCI makes no warranties, express,
implied, or statutory, as to the information in this document.
