Access Controls: Computer Security Covers A Lot of Territory: Locking Your Server and Telecommunications

Uploaded by

Syra Soriano

Access Controls

Computer security covers a lot of territory: locking your server and telecommunications
rooms, locking your machine, protecting your login accounts with strong passwords,
using file protection and adhering to a regular backup schedule to keep your data from
being destroyed, encrypting network communications lines, and using special shields to
keep electromagnetic emanations from leaking out of your computer (TEMPEST). But
when people talk about computer security, they usually mean what is called computer
system security, which is a fancy way of saying data protection.

What Makes a System Secure?


In the most basic sense, computer system security ensures that your computer does
what it’s supposed to do—even if its users don’t do what they’re supposed to do. It
protects the information stored in it from being lost, changed either maliciously or
accidentally, or read or modified by those not authorized to access it.

The selection of a site for information technology equipment is the first consideration in
planning and preparing for the installation. Determine whether a new site is to be
constructed or alterations are to be performed on an existing site.
This section provides specific information on building location, structure, and space
requirements for present and future needs.
Utilities
Power and communication facilities must be available in the quantities required for
operation. If these are inadequate, contact the utility company to determine if additional
services can be made available.
Exposure to hazards
Pollution, flooding, radio or radar interference, and hazards caused by nearby industries
can cause problems to information technology equipment and recorded media. Any
indication of exposure in these areas should be recognized and included in the planning
of the installation.
PHYSICAL SECURITY OF PC

• The first step in security is considering the physical security of the PC. Maintenance of physical
security depends on the location and the budget.
• The second step is to consider the factors related to physical stability, which include the power
supply, physical location of the computer, room temperature, etc. Failure of any one of these
factors puts the computer at risk.

There is a good chance that your home PC is one of the most expensive things in your home, or if you
have got a laptop, it is likely to be the most expensive thing you carry in a bag.
Although your insurance policy may cover the costs of replacing hardware if it’s stolen, there is nothing
that money can do to retrieve precious or personal data. So physical security is as important as software
security.

Reliable electrical power is required for the proper functioning of your data processing
equipment.
IBM® information technology equipment requires a reliable electrical power source that
is free from interference or disturbance. Electrical power companies generally supply
power of sufficient quality. The Power quality, Voltage and frequency limits, Power load,
and Power source topics provide the guidance and specifications needed to meet the
requirements of the equipment. Qualified personnel must ensure that the electrical power
distribution system is safe and meets local and national codes. They must also ensure
that the voltage measured at the power receptacle is within the specified tolerance for
the equipment. In addition, a separate power feeder is required for items such as
lighting and air conditioning. A properly installed electrical power system will help to
provide for reliable operation of your IBM equipment.

Computers are nothing but electronic machines with the ability to perform the functions
that we tell them to do or that they are trained for.

Computers work for us as we program them. They do our work. They perform that
work with the help of various devices.

In doing all of the above, energy in the form of electricity is consumed, or I should
say utilised. The energy is then converted into heat energy and heat is produced. To
control this heat, we need to cool down the system. For cooling purposes, air conditioners
are installed in computer labs.

But the true danger lies in how this heat can impact your vital equipment. High heat levels place
your equipment in considerable danger, threatening damage to hardware and software at worst,
but even at best the heat can reduce system efficiency and drastically impact performance.
The Benefits of Computer Room Air Conditioning
A proper server room or computer room system is designed with your structure’s unique
needs in mind, including monitoring systems, humidity control options, and even more.
This offers a complete package that works hard to protect everything that makes your
business tick. The advantages include:
• Protection for equipment and critical data. By keeping cool air circulated in accordance
with your space’s needs, you’re guaranteed complete protection for hardware and software,
reducing the risks of down time.
• Improved productivity and computer system lifespans. Computer systems that retain
optimal cool temperature ranges work faster and more efficiently, and this drastically
reduces general wear and tear.
• Optimized low humidity levels. Humidity can be even more dangerous for your systems
than heat, but with a proper cooling system in place you’ve got nothing at all to worry about.
Even on the worst Chicago summer days!
• Comfort for employees. Even more important than the computers and devices,
employees that work closely with them must be kept comfortable in order to stay healthy
and productive. The conditions of poorly equipped computer rooms are often completely
unacceptable, posing considerable risks.

Fire suppression systems for server rooms and data centres are essential to the server room
itself. A fire suppression system will automatically extinguish a fire without the need of human
intervention. Fire suppression systems for data centres must be suitable for clean air
environments, as server rooms and data centres are mostly occupied by personnel.

The design standards for fire suppression systems for server rooms and data centres follow
strict guidelines, as the fire suppression agents used can be dangerous if the system is not
designed correctly.

The most common sources of fires in data centers are the electrical system or the hardware.
Breakdowns in insulation and the resultant short circuiting can lead to intense heat that can melt
materials or cause a fire. Computer room fires are often small or smoldering, with little effect on the
temperatures in the room. Because the smoke itself can impact the computer hardware, it is necessary
to employ a detection system that is sensitive to smoke and other products of combustion rather than
temperature. The specific detection and extinguishing system is dependent on the specific design and
exposures of the individual data center area. NFPA 75 states:
5-2: Automatic detection equipment shall be installed to provide early warning of fire. The equipment
used shall be a listed smoke detection type. Each installation shall be engineered for the specific area to
be protected, giving due consideration to air currents and patterns within the space and shall be
installed and maintained in accordance with NFPA 72E, Standard on Automatic Fire Detectors.

2-4.3a: An automatic detection and extinguishing system shall be installed in the space below the raised
floor.

A passive suppression system reacts to detected hazards with no manual intervention. The most
common forms of passive suppression are sprinkler systems or chemical suppression systems. Sprinkler
systems can be flooded (wet pipe) or pre-action (dry pipe). A flooded system incorporates pipes that are
full at all times, allowing the system to discharge immediately upon threat detection. A pre-action
system will flood the sprinkler pipes upon an initial detection, but will have a delay before actual
discharge. Chemical total flooding systems work by suffocating the fire within the controlled zone. The
suppression chemical most often found in data centers is Halon 1301. Halon is being eliminated in favor
of the more environmentally friendly FM200 or various forms of water suppression. Carbon dioxide
suppression systems are also used, but can be a concern due to operator safety issues in the instance of
a discharge. These can be used independently, or in combination depending on the exposures in the
room, local ordinances and insurance requirements.

The ideal system would incorporate both a gas system and a pre-action water sprinkler system in the
ambient space. The gas suppression systems are friendlier to the hardware in the event of a discharge.
Water sprinklers often cause catastrophic and irreparable damage to the hardware, whereas the
hardware in a room subjected to a gas discharge can often be brought back on-line soon after the room
is purged. Gas systems are, however, "one-shot" designs. If the fire is not put out in the initial discharge,
there is no second chance. The gas system cannot be reused until it is recharged or connected to a back-
up source. Water systems can continue to address the fire until it has been brought under control. While
this is more likely to damage the hardware, it is also a more secure means of protecting the building
structure. Water suppression systems are often preferred or mandated by building owners or insurance
companies. Water systems are also highly recommended in areas containing a high level of combustible
materials use or storage. The decision of what means of fire suppression to utilize must incorporate
numerous factors including the mission and criticality of the data center operations.

Halon 1301 fire suppression gas is no longer in production, as of January 1994, and may be subject to
punitive tariffs under certain circumstances. Alternate gases, such as FM-200, are available. FM-200
requires a slightly higher gas concentration than Halon 1301 (7% versus 5%), but is similar in
effectiveness and has none of the environmental side-effects that led to the banning of Halon 1301.

Manual means of fire suppression system discharge should also be installed. These should take the form
of manual pull stations at strategic points in the room. In areas where gas suppression systems are used,
there is normally also a means of manual abort for the suppression system. In designs where it is
necessary to hold the abort button to maintain the delay in discharge, it is essential that a means of
communication is available within reach.
Portable fire extinguishers should also be placed strategically throughout the room. These should be
unobstructed, and should be clearly marked. Labels should be visible above the tall computer
equipment from across the room. Appropriate tile lifters should be located at each extinguisher station
to allow access to the subfloor void for inspection, or to address a fire.

Fault-tolerant technology is a capability of a computer system, electronic
system or network to deliver uninterrupted service, despite one or more of
its components failing. Fault tolerance also resolves potential service
interruptions related to software or logic errors. The purpose is to
prevent catastrophic failure that could result from a single point of failure.

Developing an IT Disaster Recovery Plan


Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory
of hardware (e.g. servers, desktops, laptops and wireless devices), software applications
and data. The plan should include a strategy to ensure that all critical information is backed
up.

Identify critical software applications and data and the hardware required to run them. Using
standardized hardware will help to replicate and reimage new hardware. Ensure that copies
of program software are available to enable re-installation on replacement equipment.
Prioritize hardware and software restoration.

Document the IT disaster recovery plan as part of the business continuity plan. Test the
plan periodically to make sure that it works.

Businesses use information technology to quickly and effectively process information.
Employees use electronic mail and Voice Over Internet Protocol (VOIP) telephone systems
to communicate. Electronic data interchange (EDI) is used to transmit data including orders
and payments from one company to another. Servers process information and store large
amounts of data. Desktop computers, laptops and wireless devices are used by employees
to create, process, manage and communicate information. What do you do when your
information technology stops working?

An information technology disaster recovery plan (IT DRP) should be developed in
conjunction with the business continuity plan. Priorities and recovery time objectives for
information technology should be developed during the business impact analysis.
Technology recovery strategies should be developed to restore hardware, applications and
data in time to meet the needs of the business recovery.

Businesses large and small create and manage large volumes of electronic information or
data. Much of that data is important. Some data is vital to the survival and continued
operation of the business. The impact of data loss or corruption from hardware failure,
human error, hacking or malware could be significant. A plan for data backup and
restoration of electronic information is essential.

Resources for Information Technology Disaster Recovery Planning

• Computer Security Resource Center - National Institute of Standards and
Technology (NIST), Computer Security Division Special Publications
• Contingency Planning Guide for Federal Information Systems - NIST Special
Publication 800-34 Rev. 1
• Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities -
NIST Special Publication 800-84
• Building An Information Technology Security Awareness and Training
Program - NIST Special Publication 800-50

IT Recovery Strategies
Recovery strategies should be developed for Information technology (IT) systems,
applications and data. This includes networks, servers, desktops, laptops, wireless devices,
data and connectivity. Priorities for IT recovery should be consistent with the priorities for
recovery of business functions and processes that were developed during the business
impact analysis. IT resources required to support time-sensitive business functions and
processes should also be identified. The recovery time for an IT resource should match
the recovery time objective for the business function or process that depends on the IT
resource.

Information technology systems require hardware, software, data and connectivity. Without
one component of the “system,” the system may not run. Therefore, recovery strategies
should be developed to anticipate the loss of one or more of the following system
components:

• Computer room environment (secure computer room with climate control,
conditioned and backup power supply, etc.)
• Hardware (networks, servers, desktop and laptop computers, wireless devices and
peripherals)
• Connectivity to a service provider (fiber, cable, wireless, etc.)
• Software applications (electronic data interchange, electronic mail, enterprise
resource management, office productivity, etc.)
• Data and restoration
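The rule that an IT resource's recovery time should match the recovery time objective (RTO) of the business function depending on it can be checked mechanically once the inventory is written down. The following is an added example, not part of the original document: all resource names, hours and dependencies are constructed sample data, and it assumes prerequisites are restored before the resource that needs them, so times add up along a dependency chain.

```python
# Constructed inventory: resource -> (hours to restore once its prerequisites
# are back, list of prerequisite resources). Covers the component types listed
# above: computer room, hardware, connectivity, applications and data.
RESOURCES = {
    "computer_room": (24, []),
    "isp_link":      (8,  ["computer_room"]),
    "server_hw":     (12, ["computer_room"]),
    "erp_app":       (4,  ["server_hw"]),
    "erp_data":      (6,  ["server_hw"]),
    "email_service": (2,  ["isp_link"]),
}

# Constructed business impact analysis: function -> (RTO in hours, resources needed).
FUNCTIONS = {
    "order_processing": (48, ["erp_app", "erp_data", "isp_link"]),
    "customer_email":   (24, ["email_service"]),
    "payroll":          (72, ["erp_app", "erp_data"]),
}


def time_to_restore(name, resources, _stack=()):
    """Return (hours, restore_order) for the slowest chain ending at `name`."""
    if name in _stack:
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    if name not in resources:
        raise KeyError(f"resource {name!r} missing from the inventory")
    hours, deps = resources[name]
    slowest_hours, slowest_path = 0, []
    for dep in deps:
        dep_hours, dep_path = time_to_restore(dep, resources, _stack + (name,))
        if dep_hours > slowest_hours:
            slowest_hours, slowest_path = dep_hours, dep_path
    return hours + slowest_hours, slowest_path + [name]


def rto_gaps(functions, resources):
    """List business functions whose IT resources cannot be back within the RTO."""
    gaps = []
    for function, (rto, needs) in functions.items():
        chains = [time_to_restore(r, resources) for r in needs]
        hours, path = max(chains, key=lambda c: c[0], default=(0, []))
        if hours > rto:
            gaps.append({
                "function": function,
                "rto_hours": rto,
                "achievable_hours": hours,
                "critical_path": path,  # restore order of the slowest chain
            })
    return gaps


if __name__ == "__main__":
    for gap in rto_gaps(FUNCTIONS, RESOURCES):
        print(f"{gap['function']}: RTO {gap['rto_hours']}h, "
              f"achievable {gap['achievable_hours']}h via "
              + " -> ".join(gap["critical_path"]))
```

The critical path shows which component to invest in first: here the computer room itself, which is the case a warm or hot backup site addresses.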

Some business applications cannot tolerate any downtime. They utilize dual data centers
capable of handling all data processing needs, which run in parallel with data mirrored or
synchronized between the two centers. This is a very expensive solution that only larger
companies can afford. However, there are other solutions available for small to medium
sized businesses with critical business applications and data to protect.
A backup site or work area recovery site is a location where an organization can relocate
following a disaster, such as fire, flood, terrorist threat or other disruptive event. This is an integral
part of the disaster recovery plan and wider business continuity planning of an organization.
A backup, or alternate, site can be another data center location operated by the organization, or
contracted via a company that specializes in disaster recovery services. In some cases, one
organization will have an agreement with a second organization to operate a joint backup site. In
addition, an organization may have a reciprocal agreement with another organization to set up a
warm site at each of their data centers.
There are three types of backup sites: cold sites, warm sites, and hot sites. The differences
between the types are determined by the costs and effort required to implement each.

8.3.2. Backup Sites: Cold, Warm, and Hot


One of the most important aspects of disaster recovery is to have a location from which the
recovery can take place. This location is known as a backup site. In the event of a disaster,
a backup site is where your data center will be recreated, and where you will operate from,
for the length of the disaster.

There are three different types of backup sites:

• Cold backup sites

• Warm backup sites

• Hot backup sites

Obviously these terms do not refer to the temperature of the backup site. Instead, they refer
to the effort required to begin operations at the backup site in the event of a disaster.
A cold backup site is little more than an appropriately configured space in a building.
Everything required to restore service to your users must be procured and delivered to the
site before the process of recovery can begin. As you can imagine, the delay going from a
cold backup site to full operation can be substantial.

Cold backup sites are the least expensive sites.

A warm backup site is already stocked with hardware representing a reasonable facsimile of
that found in your data center. To restore service, the last backups from your off-site
storage facility must be delivered, and bare metal restoration completed, before the real
work of recovery can begin.

Hot backup sites have a virtual mirror image of your current data center, with all systems
configured and waiting only for the last backups of your user data from your off-site storage
facility. As you can imagine, a hot backup site can often be brought up to full production in
no more than a few hours.

A hot backup site is the most expensive approach to disaster recovery.


Backup sites can come from three different sources:

• Companies specializing in providing disaster recovery services

• Other locations owned and operated by your organization

• A mutual agreement with another organization to share data center facilities in the
event of a disaster

Each approach has its good and bad points. For example, contracting with a disaster
recovery firm often gives you access to professionals skilled in guiding organizations
through the process of creating, testing, and implementing a disaster recovery plan. As you
might imagine, these services do not come without cost.
Using space in another facility owned and operated by your organization can be essentially
a zero-cost option, but stocking the backup site and maintaining its readiness is still an
expensive proposition.

Crafting an agreement to share data centers with another organization can be extremely
inexpensive, but long-term operations under such conditions are usually not possible, as the
host's data center must still maintain their normal production, making the situation strained
at best.

In the end, the selection of a backup site is a compromise between cost and your
organization's need for the continuation of production.
