Robert Thompson
Contents
Abstract (p. 3)
BCP/DRP (p. 6)
Visitors (p. 7)
References (p. 15)
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 3
Abstract
This document outlines the basic and detailed security needs of the new datacenter. Since no expense will be spared in order to protect the integrity of our customers' data, no stretch within this document is to be viewed as oversight. Physical access is a major point of control and should be controlled and scrutinized as much as possible; this includes, but is not limited to, building access, wing clearance, room access, guard training, and scrutiny of all entities. Coaching of all entities is a must, and no shortcuts are to be taken in facility operational briefing and training; all employees must be informed of, and alert to, policies regarding practices and facility standards. BCP/DRP plans are to be created and applied; locale determination and functional, practical mitigation and adaptive strategies and plans should be premeditated (assume the worst-case scenario). Administration and technical maintenance duties will be delegated across staff, and no one person will have absolute control or access; higher-level security access controls require dual authentication for any access, change, or update, to prevent error and/or malicious insider activity. Documentation of all activity is necessary, and backups of that documentation will be kept.
SECURITY IMPLEMENTATION GUIDELINES THOMPSON 4
Physical Facility
Several things must be taken into consideration when determining the location of the facility. The primary consideration is the weather pattern of the location; the ideal location will carry the least plausible risk of natural disasters or other uncontrollable and/or unforeseen destructive events that threaten the physical integrity of the building. Earthquakes are more frequent along tectonic plate fault lines; regions with high tectonic-plate activity are not preferred. However, if a location with such activity is deemed unavoidable, the building must be constructed with the highest quality of bracing and/or fortification to withstand the motion of the earth and the shaking caused by earthquakes.
and will be avoided at all costs. Avoidance of any coastline border is also ideal; hurricanes/tsunamis and the threat of damage they pose are not to be taken lightly. Should a location with these threats be used, the facility will adhere to any and all building codes during construction to minimize water damage from all angles. Primary location suggestion in these
possible, which have guard posts at each to authorize entrance and confirm departure. These posts will be manned twenty-four hours a day, every day, with live camera feeds covering the posts; cameras should have HD video quality or better so that small details, such as license plates and the make/model of the vehicles that pass through these checkpoints day and night, can be made out as clearly as possible. The recordings will be saved and backups created daily. Guards must scan employee badges (more on this in the Employee Badges section), and any
visitors (more on this in the Visitors section) will be logged at this point as well. Vehicles will not be
Fences will be constructed around the facility to assist in bottlenecking access to these posts. Minimum fence height will be eight to ten feet. The fences will be made of chain-link to allow cameras to monitor the exterior and watch for intrusions; these chain-link fences will also be armed with a Perimeter Intrusion Detection and Assessment System (PIDAS) to monitor vibrations and alert guard stations of attempted breaches. Cameras will be mounted on an additional eight- to ten-foot brick fence behind this chain-link fence. Between the two is enough space for the cameras to
All entrances to the building will be monitored inside and outside, day and night. The same camera specifications as at the guard posts will be standard across the facility. Physical access to the building entrances will require an employee contact smart card, in addition to a PIN, to gain entry. Upon entry, an additional guard station will be present to log entrance. Below is a basic
Personal effects will be subject to search and cleared by this post. This includes, but is not limited to, bags/briefcases of any sort, and devices such as phones, cameras, USB drives, and laptops (authorized only). Any unauthorized devices are to be kept at this post until departure, locked in a locker to which only security has access; each locker is to contain one person's
Beyond this point, only employees with the necessary access/clearance to the relevant work-related wings are permitted, controlled via biometric thumbprint scanners complemented
Detection Systems (IDS) should be armed and applied to all plausible non-entrant points, such as windows or other non-descript entry points (like crawl spaces in walls). Certain areas may be armed 24/7 depending on the risk factor (discussed later). These IDSs should be audited regularly to ensure they function; the alarms they sound will inform the necessary security response teams and authorities of intrusions. Cameras should monitor the facility with as few blind spots as possible; do not sell short when contracting the security camera installation company, and prefer the highest quality possible. No blind spots are acceptable, especially around the servers/machines containing the customers' data. Washrooms are not to be monitored, but controlling access to them might be considered.
BCP/DRP
regardless of facility locale. All aspects of a climate must be taken into consideration, and a backup plan must be practical and executable in the event of the unforeseen. A warm/cold site is recommended to be constructed and prepared for the absolute worst-case scenario (complete destruction of the facility, or facility-wide server failure). The site could/should also be the off-site
Visitors
Under no circumstances are personal visitors permitted on the premises. Access to the facility will not be granted to an employee who has a guest with them. Business-related visitors must be cleared by security beforehand, and security must keep a log so that it is informed of such visitors to the facility. These visitors are to have specialized badges differentiating their affiliation with the facility from that of employees; this badge must be visible at all times. Business
Bar-coded, dumb-card-style badges must be worn on the outside of the upper torso at all times while on the facility. This is the badge that the first guard post scans in order to grant access to the facility. This badge carries a unique barcode badge number which is correlated to a database of authorized badge numbers. The employee number required for sign-in at the first guard station at the physical facility access point is printed on it as well. These badges are not to be worn or visible outside the facility. Employees will also be given Contact Smart Cards for access throughout the building; with this card they are to associate a 6-digit PIN which expires bi-monthly (60 days). The PIN cannot be identical to a PIN used within the past 24 months, and at least two digits must be different each change. This PIN is not to be written down at any point; employee PINs discovered written anywhere (physically or digitally, including but not limited to sticky notes, phones, and other personal devices) are subject to disciplinary action. Refer to the disciplinary policies for more information. Thumbprints will be saved and logged at the first
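The PIN rules stated above (six digits, 60-day expiry, no reuse of a PIN from the past 24 months, at least two digits changed each time) can be enforced mechanically at PIN-change time rather than left to the employee. The following Python is an added example written for this edit, not code from the original guidelines; it assumes the 24-month reuse window is counted as 720 days, and the sample history (SAMPLE_HISTORY, SAMPLE_TODAY) is constructed, not real data.

```python
from datetime import date, timedelta

# Policy parameters as stated in the guidelines.
PIN_LENGTH = 6
PIN_LIFETIME_DAYS = 60            # "expires bi-monthly (60 days)"
REUSE_WINDOW_DAYS = 24 * 30       # assumption: 24-month reuse window counted as 720 days
MIN_DIGITS_CHANGED = 2            # "at least two digits must be different each change"


def is_well_formed(pin):
    """Exactly six ASCII digits. str.isdigit() is avoided on purpose: it also
    accepts Unicode digit characters such as superscripts."""
    return len(pin) == PIN_LENGTH and all(c in "0123456789" for c in pin)


def digits_changed(new_pin, old_pin):
    """Number of positions at which two equal-length PINs differ."""
    return sum(1 for a, b in zip(new_pin, old_pin) if a != b)


def validate_pin_change(new_pin, history, today):
    """Check a proposed PIN against the policy.

    history: list of (pin, date_set) tuples for this employee, oldest first;
             the last entry is the PIN currently in force (empty for a new hire).
    Returns (accepted, reason).
    """
    if not is_well_formed(new_pin):
        return False, "PIN must be exactly six digits"

    # Any PIN set within the reuse window may not be chosen again.
    reuse_cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for old_pin, set_on in history:
        if set_on >= reuse_cutoff and old_pin == new_pin:
            return False, "PIN was already used within the last 24 months"

    # The new PIN must differ from the current one in at least two positions.
    if history:
        current_pin = history[-1][0]
        if digits_changed(new_pin, current_pin) < MIN_DIGITS_CHANGED:
            return False, "at least two digits must change"

    return True, "accepted"


def pin_expired(set_on, today):
    """True once the PIN has been in force for the full 60-day lifetime."""
    return (today - set_on).days >= PIN_LIFETIME_DAYS


# Constructed sample history for one employee (not real data).
SAMPLE_HISTORY = [
    ("482917", date(2021, 3, 1)),   # older than the reuse window on the sample date
    ("135790", date(2022, 6, 1)),
    ("246801", date(2023, 11, 1)),  # current PIN
]
SAMPLE_TODAY = date(2024, 1, 1)

if __name__ == "__main__":
    for candidate in ("246801", "135790", "246802", "24681", "482917", "390275"):
        print(candidate, validate_pin_change(candidate, SAMPLE_HISTORY, SAMPLE_TODAY))
    print("current PIN expired:", pin_expired(SAMPLE_HISTORY[-1][1], SAMPLE_TODAY))
```

The reuse check deliberately keeps PINs older than the window eligible again, which is what the 24-month wording implies; if the intent is "never reuse", drop the date comparison in the loop.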
Physical security of terminals/towers is highly recommended; the data center will consist primarily of servers, but towers are still a security vulnerability in that they can contain any type or amount of critical data, and are much more mobile than a server. Below is a sample of a tower enclosure (custom sizes can be fitted for the models used in the facility):
The tower itself is locked within this enclosure, and the enclosure can be bolted down to inhibit theft further. This enclosure also limits access to the physical hardware within the tower,
Server racks are a must, and there are standards to abide by. Servers can be bolted to the racks and the racks bolted to the ground to deter/inhibit theft. Servers, like all computers, need airflow. It is recommended that the server racks, should they be enclosed, have proper top ventilation to allow heat to escape (as heat rises) and possibly even bottom ventilation to allow fans or other powered cooling devices underneath the server racks. This will greatly decrease the risk of overheating failures and greatly increase the life of the servers. Below is an example:
Employee/Guard Coaching
All employees are to be briefed and informed of facility standards and procedures at hire. Guards specifically have an important role in the security of the facility, and are held liable for the access they allow to the grounds. All entities are to be logged at entrance to and departure from the facility at all posts. Guards are responsible for updating the authorized employee database at their posts, and are to be informed of necessary updates (i.e. new hires, terminations, company departures, etc.) as soon as the status of on-site employees changes. Guards are to question all entities other than employees (i.e. business visitors), as those are to be cleared prior to arrival at the facility. Guards are not to allow personal visitors under any circumstances.
Employees are responsible for the integrity and security of their Contact Smart Cards. Should one be lost, they are subject to disciplinary action; the Smart Cards are their keys into the
disciplinary action taken, if/when the card is reinstated or a new one created for the employee, they are to go through the same process as a new hire for the authentication of their cards/thumbprints/PINs. Employees must check in/out at the internal guard station every time they arrive/leave, for logging purposes. Coaching sessions regarding social engineering tactics are a must; these coaching sessions are important for educating employees on how to manage their passwords, the integrity of company access tools such as Smart Cards and badges, and PINs. Passwords should not be related to personal interests or personal lives, i.e. pet names,
else that could possibly come up in casual conversation; things like these examples need to be heavily emphasized when coaching employees. PINs should not be similar to PINs used outside of the company, such as for bank accounts or other personally identifiable accounts. Smart Cards should never be the topic of discussion, nor should they ever be needed outside of the company grounds. The Smart Card is considered company property, and the employee is liable for its integrity. Other coaching topics concern good vs. bad security decisions, such as always locking your terminal or work computer when you are not present or intend to leave it, no matter for how long. Passwords/PINs/etc. should never be written down (see Employee Badge/Access Controls). Employees should always be aware of their colleagues and co-workers. Question all entities that are unrecognized and/or are not wearing badges properly. Employees are just as effective as security guards when questioning entities; it's an additional layer of security, and
employee at any time, they are to inform the proper parties (i.e. IT or technical maintenance teams) as soon as possible. Work Order forms for client terminals are required; employees are
To further emphasize layered defense, the concept of this triad can be applied to ensure the facility runs smoothly alongside the aforementioned security measures and procedures. People are prone to error, but are also prone to correcting errors before they happen; people act as a check-and-balance system when working together. Some back-end logical security of the systems requires two (or more, depending on severity) people in order to alter, adjust, or execute specific security details. Should a single individual have malicious intent or otherwise desire to harm the facility's integrity, additional people are required for such malicious activity to ensue. The additional people act as a check/balance to prevent such activity from commencing; although not a perfect system, it is still an additional layer of protection from internal malicious activity. This same theory applies to mistakes or unintended changes: if an alteration/adjustment is caught by another person, it can be corrected on the second or third look that the required additional authentication forces. These processes ensure that no one person is in control of any given aspect of security procedures and measures, which is referred to as Separation of Duties; no single person should have more access or control than necessary within the facility, and the system can/will correct mistakes and can catch malicious activity before it
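The two-person rule described here (a security change needs a second, or for severe changes a third, authorized person before it can take effect, and the requester cannot be one of them) is the kind of control that should be enforced by the system rather than by convention. The Python below is an added example written for this edit, not the facility's own change-control system; the DualControl class, its method names, and the people and change identifiers in the usage are all illustrative and constructed.

```python
class DualControl:
    """Privileged security changes need approval from a set number of other
    authorized people before they may be executed. Every action is recorded,
    which also serves the documentation requirement in the guidelines."""

    def __init__(self, approvers, required_approvals=2):
        self.approvers = set(approvers)           # people allowed to approve changes
        self.required = required_approvals        # two by default; raise it for severe changes
        self.requests = {}                        # change id -> request record
        self.audit = []                           # documentation of all activity

    def _log(self, change_id, actor, action, outcome):
        self.audit.append({"change": change_id, "actor": actor,
                           "action": action, "outcome": outcome})
        return outcome

    def submit(self, change_id, requester, description, required=None):
        """Open a change request; 'required' overrides the default approval count."""
        self.requests[change_id] = {
            "requester": requester,
            "description": description,
            "required": required or self.required,
            "approvals": set(),
            "executed": False,
        }
        return self._log(change_id, requester, "submit", "pending")

    def approve(self, change_id, approver):
        """Record one approval, refusing self-approval, unauthorized approvers and duplicates."""
        req = self.requests.get(change_id)
        if req is None:
            return self._log(change_id, approver, "approve", "rejected: unknown change")
        if approver not in self.approvers:
            return self._log(change_id, approver, "approve", "rejected: not an authorized approver")
        if approver == req["requester"]:
            return self._log(change_id, approver, "approve", "rejected: requester cannot approve own change")
        if approver in req["approvals"]:
            return self._log(change_id, approver, "approve", "rejected: duplicate approval")
        req["approvals"].add(approver)
        return self._log(change_id, approver, "approve",
                         f"approved ({len(req['approvals'])}/{req['required']})")

    def can_execute(self, change_id):
        """True only when enough distinct approvals exist and the change has not already run."""
        req = self.requests.get(change_id)
        return req is not None and not req["executed"] and len(req["approvals"]) >= req["required"]

    def execute(self, change_id, operator):
        """Apply the change; blocked (and logged) if the approval threshold is not met."""
        if not self.can_execute(change_id):
            return self._log(change_id, operator, "execute", "blocked: insufficient approvals")
        self.requests[change_id]["executed"] = True
        return self._log(change_id, operator, "execute", "executed")


if __name__ == "__main__":
    # Constructed walkthrough: alice requests, bob and carol must both approve.
    dc = DualControl(["alice", "bob", "carol"])
    dc.submit("CHG-1", "alice", "change ACL on customer file share")
    print(dc.approve("CHG-1", "alice"))     # self-approval refused
    print(dc.approve("CHG-1", "bob"))       # 1/2
    print(dc.execute("CHG-1", "alice"))     # blocked
    print(dc.approve("CHG-1", "carol"))     # 2/2
    print(dc.execute("CHG-1", "alice"))     # executed
```

The audit list is the "documentation of all activity" the guidelines call for: rejected approvals and blocked executions are recorded alongside successful ones, so an attempt to push a change through with a single approver is visible afterwards.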
The Process portion of this triad refers to documentation of activity. For example, regular everyday work-related activity should be logged and documented to ensure that the process can be repeated by multiple people the same way each time; with this practice in place, the facility will not hinge on a single person knowing how to carry out specialized operations. For example, Operating System updates require very close attention in that you don't want certain services to ever be unavailable to the facility, customers, or any other entity that requires the resources the data center provides; therefore a secondary system which provides the services is required to be initialized and utilized during the update. This process should be documented in every detail so that it can be completed by other people with the technical ability but without full knowledge of the entire systems
The documentation will assist the final piece of this triad, technology. Technology can fail, and documentation is a great place to start looking when attempting to troubleshoot what happened, depending on the failure. A minor example of technology failing would be ACLs not being applied correctly for a specific person; should an employee not have access to necessary files, they cannot do their work. Checking when the ACLs were applied, and whether they were properly documented to reflect the necessary access to those files, is a good place to look, aside from examining the actual ACL itself to determine whether or not it was properly applied to the person in question. The documentation would also show who wrote it, should that person have stated in the documentation that the ACL was properly applied. Should that be the case, the person who wrote it would be informed of the mistake, preventing them from making the same mistake in the future. The idea is that technology isn't perfect, and relies on us to use it properly in order for it to function as intended. This triad is an important principle to bear in mind throughout the whole of the facility.
Risk Assessment
In order to maintain and adjust security standards, protocols, measures, practices, and procedures so that they remain effective and work as intended, regular, repeated, and periodic Risk Assessments must be conducted throughout the facility regarding each of the aforementioned security details. New vulnerabilities could be discovered along the way, and overprotection can eventually cost a lot more than necessary. To illustrate, the below diagram
After an assessment, the amount of risk related to the security measure will be determined and adjustments can be made accordingly. For example, copying customer files to a flash drive, regardless of whether or not it is permitted to leave the facility, might pose a high risk of leaking onto other flash drives, and therefore would be a high security risk should the flash drive be handled by unauthorized personnel. The flashing of customer data in this case is a very high to extreme risk vulnerability, and the ability to do so should be limited if not eradicated through GPOs or other forms of access controls, such as powering off USB ports on machines with critical information. Another example would be fire extinguishers and their strategic placement throughout the building; fire extinguisher placement may not be necessary near/in washrooms, where fires are not prone to happen, making it a low risk vulnerability.