SECURITY IMPLEMENTATION GUIDELINES THOMPSON 1

Security Implementation Guidelines

Robert Thompson

University of Advancing Technology

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 2

Contents

Abstract ........................................................................................................................................... 3

Physical Facility .............................................................................................................................. 4

BCP/DRP ........................................................................................................................................ 6

Visitors ............................................................................................................................................ 7

Employee Badges/Access Controls ................................................................................................ 7

Terminal Security/Server Security.................................................................................................. 8

Employee/Guard Coaching ........................................................................................................... 10

People, Process, Technology Triad ............................................................................................... 11

Risk Assessment ........................................................................................................................... 13

References ..................................................................................................................................... 15
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 3

Abstract

This document will outline the basic and detailed security needs of the new datacenter.

Since no expense will be spared in order to protect the integrity of our customers data, no stretch

within this document will be viewed as oversight. Physical access is a major point of control

which should be controlled and scrutinized as much as possible; this includes but is not limited

to: building access, wing clearance, room access, guard training and scrutiny of all entities,

proper relevant communication between all departments/staff/administration. Employee and

entity coaching is a must and no shortcuts are to be taken when dealing with facility operational

briefing and training; all employees must be informed and alert of policies regarding practices

and facility standards. BCP/DRP plans are to be created and applied; locale determination,

functional and practical mitigation/adaptive strategies and plans should be premeditated (assume

worst case scenario). Administration and technical maintenance duties will be delegated across

staff and no one person will have absolute control/access; higher level security access controls

require dual authentication for access/change/update/etc. to prevent error and/or malicious inside

activity. Documentation of all activity is necessary, and backup of said documentation will be

kept.
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 4

Physical Facility

The location of the facility has several things to be taken into consideration when

determining. The primary thing to consider is the weather patterns of the location; the ideal

location will have the least amount of plausible risk regarding natural disasters or otherwise

uncontrollable and/or unforeseen destructive events that threaten the physical integrity of the

building. Earthquakes are more frequent along tectonic plate fault lines; regions with high

tectonic-plate activity are not preferred, however if a location with activity is deemed

unavoidable, the building should/must be constructed with the highest quality of building bracing

and/or fortification to withstand the motion of the earth and the shaking caused by earthquakes.

However, building on a fault line of any sort (convergent/divergent/transform) is not acceptable

and will be avoided at all costs. Avoidance of any coastline border is also ideal;

Hurricanes/Tsunamis and the threat of the damage they pose is not to be taken lightly. Should a

location with these threats be used, the facility will adhere to any and all building code during

construction to minimize water damage from all angles. Primary location suggestion in these

areas is high ground to encourage water run-off.

Access to the grounds of the facility should be bottlenecked to as few entrances/exits as

possible, which have guard posts at each to authorize entrance and confirm departure. These

posts will be manned twenty-four hours a day every day, with live camera feeds covering the

posts; cameras should have HD video quality or better to make out small details as clearly as

possible, such as license plates and vehicle make/model information on the vehicles that pass

through these checkpoints day and night. The recordings will be saved and backups created

daily. Guards must scan employee badges (more on this in Employee Badges section) and any
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 5

visitors (more on this in Visitors section) will be logged at this point as well. Vehicles will not be

granted access without proper authentication.

Fences will be constructed around the facility to assist in bottlenecking access to these

posts. Minimum fence height will be eight to ten feet high. Fences made of chain-link to allow

cameras to monitor exterior and watch for intrusions; these chain link fences will also be armed

with a Perimeter Intrusion and Detection Assessment System (PIDAS) to monitor vibrations and

alert guard stations of attempted breaches. Cameras will be mounted on an additional eight to ten

foot brick fence behind this chain-link fence. Between the two is enough space for the cameras to

cover wide range of space and guards to patrol through overnight.

All entrances to the building will be monitored inside and outside day and night. Same

camera specifications as the guard posts will be standard across the facility. Physical access to

the building entrances will require employee contact smart cards, in addition to a PIN to gain

entry. Upon entry, an additional guard station will be present to log entrance. Below is a basic

example of criteria this station will be logging:

Name Employee # Reason Time of Arrival Time of Departure

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 6

Personal effects will be subject to search and cleared by this post. This includes but is not

limited to: Bags/briefcases of any sort, devices such as phones, cameras, USB drives, Laptops

(authorized only), etc. Any unauthorized devices are to be kept at this post until departure,

locked in a locker of which only security has access to; each locker is to contain one persons

effects per locker.

Beyond this point, only employees with necessary access/clearance to relevant work-

related wings are permitted and controlled via biometric thumb print scanners complimented

with their contact smart cards. New/Ex-employees are updated/removed as a priority.

Additional security features to consider: depending on business hours, Intrusion

Detection Systems (IDS) should be armed and applied to all plausible non-entrant points, such as

windows or other non-descript entry points (like crawl spaces in walls). Certain areas may be

armed 24/7 depending on the risk factor (discussed later). These IDSs should be audited

regularly to ensure their functionality; the alarms they sound will inform necessary security

response teams and authorities of intrusions. Cameras should monitor the facility with as little

blind spots as possible; do not sell short when contracting security camera installation company,

highest quality possible preferred. No blind spots, especially regarding the servers/machines

containing the customers data. Washrooms are not to be monitored, but access to them might be

considered.

BCP/DRP

A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) is absolutely necessary

regardless of facility locale. All aspects of a climate must be taken into consideration, and a
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 7

backup plan must be practical and executable in the event of the unforeseen. A warm/cold site is

recommended to be constructed and prepared for the absolute worst case scenario (complete

destruction of the facility, facility-wide server failure). The site could/should also be the off-site

storage location of all backups of data/OS configuration/documentation/logs. The sites mere

existence is that of redundancy; if the integrity of our customers data is to be ensured as

indefinitely as possible, a warm/cold site for this redundancy is a must.

Visitors

Under no circumstances are personal visitors permitted on the premises. Access to the

facility will not be granted to the employee should they have a guest with them. Business related

visitors must be cleared by security beforehand, whom of which must have a log to be informed

of such visitors to the facility. These visitors are to have specialized badges differentiating their

affiliation to the facility from employees; this badge must be visible at all times. Business

visitors are never to be left unattended.

Employee Badges/Access Controls

Bar coded dumb-card-esque badges must be worn on the outside of the upper-torso area

at all times on the facility. This is the badge that the first guard post scans in order to grant access

to the facility. This badge contains a unique barcode badge number which is correlated to a

database of authorized badge numbers. The employee number required for the sign-in at the first

guard station at the physical facility access point is printed on here as well. These badges are not

to be worn/visible outside the facility. Employees will also be given Contact Smart Cards for
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 8

access throughout the building; with this card they are to associate a 6-digit PIN number which

expires bi-monthly (60 days). The PIN cannot be identical to a PIN used within 24 months, and

at least two digits must be different each change. This PIN is not to be written down at any given

point; employee PINs discovered written anywhere (physically or digitally [including but not

limited to: sticky notes, phones, other personal devices]) are subject to disciplinary action. Refer

to disciplinary policies for more information. Thumbprints will be saved and logged at the first

security station within the facility when necessary (at-hire).

Terminal Security/Server Security

Physical security of terminals/towers is highly recommended; the data center will consist

primarily of servers, but towers are still a security vulnerability in that they can contain any

type/amount of critical data, and are much more mobile than a server. Below is a sample of a

tower enclosure (custom sizes can be fitted for the models used on the facility):

The tower itself is locked within this enclosure, and the enclosure can be bolted down to inhibit

theft further. This enclosure also limits access to the physical hardware within the tower,

preventing internal malicious alterations to machines.

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 9

Server racks are a must and there are standards which to abide. Servers can be bolted to

the racks and the racks bolted to the ground to deter/inhibit theft. Servers, like all computers,

need airflow. It is recommended that the server racks, should they be enclosed, to have proper

top ventilation to allow heat to escape (as heat rises) and possibly even bottom ventilation to

allow fans or other forms of powered cooling devices underneath the server racks. This will

greatly decrease the risk of overheating failures and greatly increase the life of the servers.

Below is an example:
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 10

Employee/Guard Coaching

All employees are to be briefed and informed of facility standards and procedures at hire.

Guards specifically have an important role in the security of the facility, and are held liable for

their allowance of access to the grounds. All entities are to be logged at entrance and departure of

the facility at all posts. They are responsible for updating the authorized employee database at

their posts, and are to be informed of necessary updates (I.E. new hires, terminations, company

departures, etc.) as soon as the status of the on-site employees change. Guards are to question all

entities aside employees (I.E. business visitors) as they are to be cleared prior to arrival to the

facility. Guards are not to allow personal visitors under any circumstances.

Employees are responsible for the integrity and security of their Contact Smart Cards.

Should one be lost, they are subject to disciplinary action; the Smart Cards are their keys into the

building, if one is reported missing, that card is to be immediately deactivated. Depending on

disciplinary action taken, if/when the card is reinstated or a new one created for the employee,

they are to go through the same process as if they were a new hire for the authentication of their

cards/thumb prints/PINs. Employees must check in/out of the internal guard station every time

they arrive/leave for logging purposes. Coaching sessions regarding Social Engineering tactics is

a must; these coaching sessions are important for educating employees on how to manage their

passwords, integrity of company access tools such as Smart Cards and badges, and PIN numbers.

Passwords should be related to personal interests or personal lives; I.E. pet names,

spouse/offspring names, e-mail addresses, dictionary words, addresses, restaurants, or anything

else that could possibly come up in casual conversation; things like these examples need to be

heavily emphasized when coaching employees. PIN numbers should not be similar to PINs used

outside of the company such as bank accounts or other personal identifiable accounts. Smart
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 11

Cards should never be the topic of discussion, nor should they ever be needed outside of the

company grounds. The Smart Card is considered company property and the employee is liable

for its integrity. Other topics of coaching regard good vs. bad security decisions, such as always

locking your terminals or work computers when you are not present or intend to leave it, no

matter the amount of time. Passwords/PINs/etc. should never be written down (See Employee

Badge/Access Controls). Employees should always be aware of their colleagues and co-workers.

Question all entities that are unrecognized and/or are not wearing badges properly. They are just

as effective as security guards when questioning entities; its an additional layer of security, and

should be taken very seriously on premises.

Should a defective or malfunctioning machine/terminal/server/etc. be discovered by an

employee at any time, they are to inform the proper parties (I.E. IT or technical maintenance

teams) as soon as possible. Work Order forms for client-terminals are required; employees are

not to attempt to repair terminals themselves. A temporary terminal will be assigned/provided

should the need arise.

People, Process, Technology Triad

To further emphasize layered defense, the concept of this triad can be applied to ensure

the facility runs smoothly with aforementioned security measures and procedures. People are

prone to error, but are also prone to correcting errors before they happen; people act as a check

and balance system when working together. Some back end logical security of the systems

themselves, such as firewall settings, ACLs, or credential updates/changes should be considered

for Dual Control mechanisms or procedures. These mechanisms/procedures are designed to

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 12

require two (or more depending on severity) people in order to alter/adjust/execute specific

security details. Should a single individual have malicious intent or otherwise desire to harm the

facilities integrity, additional people are required for such malicious activity to ensue. The

additional people would act as a check/balance to prevent such activity from commencing;

although not a perfect system, it is still an additional layer of protection from internal malicious

activity. This same theory is applicable to mistakes or unintended changes, if the same

alteration/adjustment made is caught by another person, it can be corrected with a second or third

look due to the required additional authentication. These processes ensure that no one person is

in control of any given aspect of security procedures and measures, which is referred to as

Separation of Duties; no single person should have more access or control than necessary within

the facility, and the system can/will correct mistakes and can catch malicious activity before it

becomes a larger problem.

The Process portion of this triad refers to documentation of activity. For example, regular

everyday work-related activity should be logged and documented to ensure that the process can

be repeated by multiple people the same way each time; with this practice in place, the facility

will not hinge on the ability of a single person knowing how carry out specialized operations; for

example, Operating System updates require very close attention in that you dont want certain

services to ever be unavailable to the facility, customers, or any other entity that would require

the resources the data center is providing, therefore a secondary system of which provides the

services is required to be initialized and utilized during the process of the update. This process

should be documented with every little detail associated with its process in order to be completed

by other people with the technical ability but without the full knowledge of the entire systems

functionality and stability.

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 13

The documentation will assist the final piece of this triad, technology. Technology can

fail, and documentation is a great place to start looking to when attempting to troubleshoot what

happened when something fails depending on the failure. A minor example of technology failing

would be ACLs not being applied correctly to a specific person; should an employee not have

access to necessary files they cannot do their work. Checking to see when the ACLs were

applied and if they were properly documented to reflect the necessary access to said files is a

good place to look, aside from looking at the actual ACL itself in order to determine whether or

not it was properly applied to the person in question. The documentation would also reflect upon

who wrote it, should that person have stated in the documentation that the ACL was properly

applied. Should that be the case, the person who wrote it would be informed of the mistake and

prevent them from making the same mistake in the future. The idea is that technology isnt

perfect, and relies on us to use it properly in order for it to function as it is intended to function.

This triad is an important principle to bear in mind throughout the whole of the facility.

Risk Assessment

In order to maintain and adjust security standards, protocols, measures, practices, and

procedures to ensure they are effective and working as intended, regular, repeated, and periodic

Risk Assessments must be conducted throughout the facility regarding each of the

aforementioned security details. New vulnerabilities could be discovered along the way, and

overprotection can eventually cost a lot more than necessary. To illustrate, the below diagram

should assist in realizing the concept:

SECURITY IMPLEMENTATION GUIDELINES THOMPSON 14

After an assessment, the amount of risk related to the security measure will be determined and

adjustments can be made accordingly. For example, copying customer files to a flash drive,

regardless of whether or not it is to be permitted to leave the facility, might a high risk of leaking

through onto other flash drives, and therefore would be a high security risk should the flash drive

be handled by unauthorized personnel. The flashing of customer data in this case is a very high -

extreme risk vulnerability, and the ability to do so should be limited if not eradicated through

GPOs or other forms of access controls, such as powering off USB ports on machines with

critical information. Another example would be fire extinguishers and their strategic placement

throughout the building; fire extinguisher placement may not be necessary near/in washrooms

where fires are not prone to happening, making it a low risk vulnerability.
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 15

References

CSP. (n.d.). Lockdowns and Enclosures for Desktop and Tower PCs. Retrieved from Computer

Security Products: http://www.computersecurity.com/lockdown/fullmetaljackets.htm

Edward A. Keller, D. E. (2015). Natural Hazards: Earths Processes as Hazards, Disasters, and

Catastrophes. Indianapolis: Pearson Education.

Mark S. Merkow, J. B. (2014). Information Security: Principles and Practices. Indianapolis:

Pearson Education.

R&D Data Products, Inc. (n.d.). Great Lakes Enhanced Server Enclosure. Retrieved from R&D

Data Products: http://www.r-ddataproducts.com/great/Enhanced-Server-

FeaturesLarge.jpg

SANS Institute. (2002). Implementing an Effective IT Security Program. Retrieved from SANS:

https://www.sans.org/reading-room/whitepapers/bestprac/implementing-effective-

security-program-80

SANS Institute. (2004). Designing And Implementing An Effective Information Security

Program: Protecting The Data Assets Of Individuals, Small And Large Businesses.

Retrieved from SANS: https://www.sans.org/reading-

room/whitepapers/hsoffice/designing-implementing-effective-information-security-

program-protecting-data-assets-of-1398