The document discusses improving the physical and environmental security of a data center for a Hong Kong wine and spirits distribution company. It analyzes the current inadequate physical and environmental protections and recommends implementing controls based on the ISO 27001 standard to address issues with airflow, temperature, humidity, power supply, and fire protection. Adopting ISO 27001 guidelines would help formalize policies around the physical layout, air conditioning, backup power, and fire safety systems to better secure the data center environment.

Improving the Physical and Environmental Security of a Data Centre: Case Study of a Hong Kong Wines and Spirits Distribution Company

ASSIGNMENT
DATE: 29 SEPTEMBER, 2020
BY: NAWAL ZAHEER


INTRODUCTION:

Data center security management has become a major challenge because of the growing number of additional equipment and devices. This assessment shows how an ISO 27001-compliant data center can be built by identifying information security controls and assessing their effectiveness. It improves the security of the data center by summarizing the requirements of ISO 27001.

A data center is a dedicated building or facility that holds all the systems that are critical to the Information Technology (IT) infrastructure of an organization. The number of security attacks, including those affecting data centers, is increasing day by day. Data centers keep all the sensitive information of the organization, so the security of that data is an important concern. The data center must maintain high standards of confidentiality of data, integrity, and availability of the IT environment.

The term physical and environmental security refers to the measures taken to protect systems, buildings, and supporting infrastructure against the threats that arise from their physical environment. Physical and environmental protection is often overlooked but is very important in the protection of information. In recent decades physical security has become increasingly difficult for organizations: technology and computer facilities now allow more compromise because of the increased risk.

The case study assessed here is the researcher's study of the environmental and physical security of a Hong Kong wine and spirits distribution company. The main business of this company is the distribution of wine and spirits to many South Asian countries, including China, Hong Kong, Singapore, Malaysia, Thailand, Vietnam, Laos, Cambodia, Indonesia, and the Philippines. The company's small data center is in Hong Kong. The environmental and physical condition of this data center was not good at all, and the organization had never developed a physical and environmental security policy. The researchers were hired to investigate the problems and to provide solutions to the problems identified. The information security standard that provides the information, details, and guidelines used to solve such security problems is ISO/IEC 27001:2005. This ISO benchmark is the most effective practice that assists organizations and businesses all over the world in building the best Information Security Management System (ISMS) and the best management practice in their organizations.

For data security, ISO 27001 (known as the Information Security Management System (ISMS) standard) is the most widely used standard. It focuses on ensuring integrity, availability, and confidentiality, and is a structured approach to managing the security of information. ISO 27001 is defined as a management system that can be used to test, operate, and maintain an Information Security Management System. Many companies around the world are working to implement this standard for several reasons, among them: debt reduction due to unused policies and procedures; measuring the effectiveness of security controls; and improving the effectiveness of information security.

ISO 27001, or more precisely ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems, is an internationally recognized standard that governs the establishment, implementation, monitoring, maintenance, development, and improvement of an Information Security Management System (ISMS). ISO 27001 is not a mandatory law; it is a collection of "best practices" and "certified knowledge-based practices" related to the ISMS. ISO 27001 is an official standard against which organizations can obtain an independent ISMS certificate. ISO 27001 is a "top-down" information security management system. The standard has nine parts, which include environmental security.

ISMS Standard 27001:2005 considers all of the risks involved in determining the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS within the organization's overall business risk. The three main principles involved are confidentiality, integrity, and availability. Environmental and physical security are covered by these principles.

Solution / Domain / Application of ISO to identified processes

Solution: BETTER PHYSICAL ENVIRONMENT DATA CENTER

Domain: Physical Layout
- Most machines are servers mounted in 19-inch cabinet racks, arranged in single rows that form aisles between them. In this way, people can access the front and back of each cabinet.
- Servers vary a lot in size, from 1U servers to large storage frames that cover several floor tiles.
- Some equipment, including mainframe computers and storage devices, is as large as the racks themselves and is placed next to them.
- Very large data centers can use shipping containers holding 1,000 or more servers. When repairing or upgrading, complete containers are replaced instead of repairing individual servers.
- Most of the time, local building codes govern the high ceilings. The physical environment of the data center is strictly controlled.

Domain: Air Conditioning
- The temperature is set according to ASHRAE's "Thermal Guidelines for Data Processing Environments". The range is 16-21 degrees C (61-75 degrees F), with a humidity range of 40-55% and a maximum dew point of 15 degrees C, which is optimal for the data center environment.
- In the data center, heat is produced by the electrical power consumed. Electronic equipment will malfunction as the temperature keeps rising until the heat is removed.
- If the temperature is controlled, both the humidity range and the temperature range are kept within specific limits.
- In a dry atmosphere, if the humidity is low, the systems can add water vapor. The systems and the other components should be kept cool to avoid static electricity discharge problems.
- With economizer cooling, outside air keeps the inside of the data center cool. The data center should use these systems to enhance the working systems.

Domain: Power Supply
- The backup power supply is important as it plays a vital role in the data center. One or more uninterruptible power supplies or generators are kept in the data center.
- All elements of the electrical system, including the backup systems, are duplicated and servers are connected to both power feeds, which achieves redundancy in the systems. This helps in case of power loss, blackout, or power failure.

Domain: Fire Protection
- Data centers include fire protection programs, which include passive measures such as the materials used as well as active fire protection systems in operation.
- Smoke detectors are also used in data centers to give early warning of fire. Installing smoke detectors that sense the particles produced by smoldering components before flames start allows for investigation, power interruption, and manual fire fighting with hand-held extinguishers before the fire grows larger.
- A fire sprinkler system is often used to control a fully developed fire when it grows. Fire sprinklers require 18 in (46 cm) of clearance, free of cable trays, below the sprinkler heads.
- Clean agent fire suppression systems can also be used to stop a fire. These suppression systems work faster and earlier than a fire sprinkler system.
- Passive firewalls are installed around the data center as protective elements. With these walls, a fire can be held to a limited part of the facility for some time in case the active fire protection systems fail.

Domain: Raised Flooring
- In most data centers the floor is raised by about 60 cm and covered with removable tiles. These raised floors are used for air circulation and also provide a large space for routing the different cables. This gives a good space for cables to be laid below the floor, and the raised flooring system is also used for security purposes.

Domain: Physical Security
- If the data center contains sensitive information, physical access is granted to only a few people; it is restricted to selected people.
- Apply controls like bollards or mantraps.
- Permanent security guards.
- It is also very common to use fingerprints to catch wrongful entry by an unrecognized person.

Domain: Application
- The applications handle the main operations and business data. Some organizations develop their own applications internally or externally through a software vendor.
- Applications such as ERP and CRM systems are common software running on one or more hosts. Their components include databases, file servers, application servers, etc.
- Data centers are also used for off-site backups.
- Large hardware vendors like Cisco Systems, Sun Microsystems, IBM, and HP are also used in case of disaster recovery.
- In this age, it has become important for all kinds of organizations to obtain their data security through data security applications.

Solution: PHYSICAL AND ENVIRONMENTAL POLICY

Domain: Physical Security Perimeter and Entry Control
- Health and safety regulations must be taken into account.
- Security perimeters must be clearly defined, and the strength of each perimeter must be appropriate to the security level of the assets it protects and to the results of a risk assessment.
- The perimeter of any building housing information and systems must be physically sound, with no gaps in the perimeter.
- External walls should be of solid construction.
- Entrances with control mechanisms such as bars, alarms, and locks should be used against unauthorized access.
- Windows should be locked, and windows at ground level should have extra protection like intruder detection systems.
- Monitored and tested alarms should be fitted at the emergency exits.
- Fire doors must work in accordance with fire regulations.
- Different parties who manage systems must be physically separated.
- Extra barriers, like staff card access control to the system, should be implemented to control physical access between zones with different security levels.
- All staff must be identifiable by their staff card.
- All guests must be issued a guest pass before entering the office.
- All guests should be escorted by a member of the company at all times within the office.
- Special secure areas that require a staff PIN or staff card, like server rooms, should not be opened by unauthorized personnel or visitors.
- Access rights to secure areas must be kept updated.

Domain: Protecting Against External and Environmental Threats
- Hazardous or combustible materials must be stored appropriately and at a safe distance from any areas holding critical data or systems.
- Backup media or recovery equipment must be sited at a distance away from the main site.
- The data center should be used for quick recovery after damaging incidents.
- Firefighting equipment must be installed and placed appropriately in accordance with the law.
- Server rooms must NOT be used as storage areas, especially for paper or cardboard.
- All server and hardware racks must be fastened to an adjacent solid surface.
- All server rooms should have a positive-pressure environment so that no extraneous material is blown into the server room.
- Floor tiling must be laid accurately and replaced immediately after any underfloor work is done.

Domain: Secure Areas
- Secure areas should be known on a need-to-know basis.
- Avoid unsupervised working in such areas.
- Secure areas should be appropriately locked and periodically checked.
- Only authorized staff will be permitted into the secure areas.
- Access to the security room is limited; the IT manager and other relevant staff must have access.

Domain: Public Access, Delivery, and Loading Areas
- Access of outsiders to the delivery and loading area is restricted and limited to identified personnel.
- Keep a record of incoming and outgoing materials at entry and exit. Before reaching the point of use, material must be double-checked.
- Incoming and outgoing shipments must be kept apart from each other.
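The Air Conditioning row above states operating limits but not how to act on them. The following Python script is an added example (not from the original assignment or the company) that turns those limits into a monitoring check, deriving the dew point from temperature and humidity with the Magnus approximation; the sensor names, readings and Magnus constants are constructed assumptions.

```python
"""Environmental monitoring check using the limits stated in the Air Conditioning
row: 16-21 C, 40-55 % relative humidity, dew point at most 15 C. Added example,
not from the original assignment; sensor names and readings are constructed."""
import math

TEMP_RANGE_C = (16.0, 21.0)        # operating range from the case study
HUMIDITY_RANGE_PCT = (40.0, 55.0)
MAX_DEW_POINT_C = 15.0

def dew_point_c(temp_c: float, rh_pct: float) -> float:
    """Dew point from air temperature and relative humidity (Magnus approximation)."""
    a, b = 17.625, 243.04          # Magnus constants (assumed standard values)
    gamma = math.log(rh_pct / 100.0) + (a * temp_c) / (b + temp_c)
    return (b * gamma) / (a - gamma)

def check_reading(sensor: str, temp_c: float, rh_pct: float) -> list:
    """Return alert strings for one reading; an empty list means all limits are met."""
    alerts = []
    lo, hi = TEMP_RANGE_C
    if not lo <= temp_c <= hi:
        alerts.append(f"{sensor}: temperature {temp_c:.1f} C outside {lo}-{hi} C")
    lo, hi = HUMIDITY_RANGE_PCT
    if not lo <= rh_pct <= hi:
        alerts.append(f"{sensor}: humidity {rh_pct:.0f}% outside {lo:.0f}-{hi:.0f}% "
                      "(too dry risks static discharge, too humid risks condensation)")
    dew = dew_point_c(temp_c, rh_pct)
    if dew > MAX_DEW_POINT_C:
        alerts.append(f"{sensor}: dew point {dew:.1f} C exceeds {MAX_DEW_POINT_C} C")
    return alerts

# Constructed sample readings: (sensor, temperature C, relative humidity %)
SAMPLE_READINGS = [
    ("row-A-inlet", 19.5, 48.0),   # within every limit
    ("row-B-inlet", 24.0, 45.0),   # too warm: heat not being removed
    ("row-C-inlet", 20.0, 35.0),   # too dry
    ("crac-return", 21.0, 72.0),   # too humid and dew point above 15 C
]

def run_checks(readings=SAMPLE_READINGS) -> list:
    """Evaluate every reading and collect the alerts an operator should act on."""
    alerts = []
    for sensor, temp_c, rh_pct in readings:
        alerts.extend(check_reading(sensor, temp_c, rh_pct))
    return alerts

if __name__ == "__main__":
    for line in run_checks() or ["all readings within limits"]:
        print(line)
```

Note that the last sample reading is inside the temperature range yet still alerts, because the humidity pushes the dew point above the stated 15 C limit.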
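The perimeter and entry-control rules in the policy above (everyone identifiable by card, guest passes with an escort, staff card plus PIN for server rooms, access rights per zone) can be expressed as a single entry decision that also yields the reason to record in the entry log. This is an added example, not the company's or the original author's code; the card ids, zone names and the PIN digest are constructed.

```python
"""Entry-control decision for zones with different security levels, encoding the
Physical Security Perimeter and Entry Control rules of the policy. Added example,
not the company's or the original author's code; cards, zones and the PIN digest
are constructed sample data."""
import hashlib, hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Card:
    card_id: str
    holder: str
    kind: str                                    # "staff" or "guest"
    zones: Set[str] = field(default_factory=set) # zones this card is granted
    escorted_by: Optional[str] = None            # staff card escorting a guest

SECURE_ZONES = {"server-room"}   # policy: staff card AND staff PIN required
# Constructed: only a SHA-256 digest of the PIN is stored, never the PIN itself
PIN_DIGESTS = {"STAFF-001": hashlib.sha256(b"4821").hexdigest()}

def pin_ok(card_id: str, pin: Optional[str]) -> bool:
    """Constant-time comparison of the presented PIN against the stored digest."""
    digest = PIN_DIGESTS.get(card_id)
    if digest is None or pin is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(pin.encode()).hexdigest())

def decide(card: Optional[Card], zone: str, pin: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what the entry log records."""
    if card is None:
        return False, "no card presented: everyone must be identifiable by card"
    if card.kind == "guest" and card.escorted_by is None:
        return False, "guest must be escorted by a member of the company"
    if card.kind == "guest" and zone in SECURE_ZONES:
        return False, "guests may not enter secure areas"
    if zone not in card.zones:
        return False, f"card {card.card_id} has no access right for {zone}"
    if zone in SECURE_ZONES and not pin_ok(card.card_id, pin):
        return False, "secure area requires staff card and valid staff PIN"
    return True, "granted"

# Constructed sample cards
IT_MANAGER = Card("STAFF-001", "IT manager", "staff", {"office", "server-room"})
CLERK = Card("STAFF-002", "clerk", "staff", {"office"})
VISITOR = Card("GUEST-017", "vendor engineer", "guest", {"office"}, escorted_by="STAFF-001")
```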
