Access Controls

Computer security covers a lot of territory: locking your server and telecommunications
rooms, locking your machine, protecting your login accounts with strong passwords,
using file protection and adhering to a regular backup schedule to keep your data from
being destroyed, encrypting network communications lines, and using special shields to
keep electromagnetic emanations from leaking out of your computer (TEMPEST). But
when people talk about computer security, they usually mean what is called computer
system security, which is a fancy way of saying data protection.

What Makes a System Secure?

In the most basic sense, computer system security ensures that your computer does
what it’s supposed to do—even if its users don’t do what they’re supposed to do. It
protects the information stored in it from being lost, changed either maliciously or
accidentally, or read or modified by those not authorized to access it.

The selection of a site for information technology equipment is the first consideration in
planning and preparing for the installation. Determine whether a new site is to be
constructed or alterations are to be performed on an existing site.
This section provides specific information on building location, structure, and space
requirements for present and future needs.
Utilities

Power and communication facilities must be available in the quantities required for
operation. If these are inadequate, contact the utility company to determine if additional
services can be made available.
Exposure to hazards

Pollution, flooding, radio or radar interference, and hazards caused by nearby industries
can cause problems to information technology equipment and recorded media. Any
indication of exposure in these areas should be recognized and included in the planning
of the installation.
PHYSICAL SECURITY OF PC

 The first step in security is considering the physical security of the PC. Maintenance of physical
security depends on the location and the budget.
  The second step is the factors related to physical stability that include the power supply, physical
location of the computer, room temperature, etc. Failure of anyone of the above said factors
leads the computer into risks.

There is a good chance that your home PC is one of the most expensive things in your home, or if you
have got a laptop, it is likely to be the most expensive thing you carry in a bag.
Although your insurance policy may cover the costs of replacing hardware if it’s stolen, there is nothing
that money can do to retrieve precious or personal data. So physical security is as important as software
security.

Reliable electrical power is required for the proper functioning of your data processing
equipment.
IBM® information technology equipment requires a reliable electrical power source that
is free from interference or disturbance. Electrical power companies generally supply
power of sufficient quality. The Power quality, Voltage and frequency limits, Power load,
and Power source topics provide the guidance and specifications needed to meet the
requirements of the equipment. Qualified personnel must ensure that electrical power
distribution system is safe and meets local and national codes. They must also ensure
that the voltage measured at the power receptacle is within the specified tolerance for
the equipment. In addition, a separate power feeder is required for items such as
lighting and air conditioning. A properly installed electrical power system will help to
provide for reliable operation of your IBM equipment.

Computers are nothing but electronic machines with the ability to perform functions
which we tell them to do or which for they are trained for.

Computers work for us as we program them. They do our work. They perform those
works with the help of various devices.

In doing all the above process energy in the form of electricity is consumed or i should
say utilised. The energy is then converted into heat energy and heat is produced. To
control this heat, we need to cool down the system. For cooling purpose air conditioners
are installed in computer labs.

But the true danger lies in how this heat can impact your vital equipment.
High heat levels place your equipment in considerable danger, threatening
damage to hardware and software at worst, but even at best the heat can
reduce system efficiency and drastically impact performance.
The Benefits of Computer Room Air
Conditioning
A proper server room or computer room system is designed with your
structure’s unique needs in mind, including monitoring systems,
humidity control options, and even more. This offers a complete
package that works hard to protect everything that makes your
business tick. The advantages include:
 Protection for equipment and critical data. By keeping cool air
circulated in accordance with your space’s needs, you’re guaranteed
complete protection for hardware and software, reducing the risks of
down time.
 Improved productivity and compute system lifespans. Computer
systems that retain optimal cool temperature ranges work faster and
more efficiency, and this drastically reduces general wear and tear.
 Optimized low humidity levels. Humidity can be even more dangerous
for your systems than heat, but with a proper cooling system in place
you’ve got nothing at all to worry about. Even on the worst Chicago
summer days!
 Comfort for employees. Even more important than the computers and
devices, employees that work closely with them must be kept
comfortable in order to stay healthy and productive. The conditions of
poorly equipped computer rooms are often completely unacceptable,
posing considerable risks.

Fire suppression systems for server rooms and data centres are essential to the server room
itself. A fire suppression system will automatically extinguish a fire without the need of human
intervention. Fire suppression systems for data centres must be suitable for clean air
environments, as server rooms and data centres are mostly occupied by personnel.

The designs standards for Fire suppression systems for server rooms and data centres are
carried out with strict guidelines, as the fire suppression agents used can be dangerous if not
designed correctly.
The most common sources of fires in data centers are the electrical system or the hardware. Breakdowns
in insulation and the resultant short circuiting can lead to intense heat that can melt materials or cause a
fire. Computer room fires are often small or smoldering, with little effect on the temperatures in the
room. Because the smoke itself can impact the computer hardware, it is necessary to employ a detection
system that is sensitive to smoke and other products of combustion rather than temperature. The
specific detection and extinguishing system is dependent on the specific design and exposures of the
individual data center area. NFPA 75 states:

5-2: Automatic detection equipment shall be installed to provide early warning of fire. The equipment
used shall a be listed smoke detection type. Each installation shall be engineered for the specific area to
be protected, giving due consideration to air currents and patterns within the space and shall be
installed and maintained in accordance with NFPA 72E, Standard on Automatic Fire Detectors.

2-4.3a: An automatic detection and extinguishing system shall be installed in the space below the raised
floor.

A passive suppression system reacts to detected hazards with no manual intervention. The most
common forms of passive suppression are sprinkler systems or chemical suppression systems. Sprinkler
systems can be flooded (wet pipe) or pre-action (dry pipe). A flooded system incorporates pipes that are
full at all times, allowing the system to discharge immediately upon threat detection. A pre-action
system will flood the sprinkler pipes upon an initial detection, but will have a delay before actual
discharge. Chemical total flooding systems work by suffocating the fire within the controlled zone. The
suppression chemical most often found in data centers is Halon 1301. Halon is being eliminated in favor
of the more environmentally friendly FM200 or various forms of water suppression. Carbon dioxide
suppression systems are also used, but can be a concern due to operator safety issues in the instance of
a discharge. These can be used independently, or in combination depending on the exposures in the
room, local ordinances and insurance requirements.

The ideal system would incorporate both a gas system and a pre-action water sprinkler system in the
ambient space. The gas suppression systems are friendlier to the hardware in the event of a discharge.
Water sprinklers often cause catastrophic and irreparable damage to the hardware, whereas the
hardware in a room subjected to a gas discharge can often be brought back on-line soon after the room
is purged. Gas systems are, however, "one-shot" designs. If the fire is not put out in the initial discharge,
there is no second chance. The gas system cannot be reused until it is recharged or connected to a back-
up source. Water systems can continue to address the fire until it has been brought under control. While
this is more likely to damage the hardware, it is also a more secure means of protecting the building
structure. Water suppression systems are often preferred or mandated by building owners or insurance
companies. Water systems are also highly recommended in areas containing a high level of combustible
materials use or storage. The decision of what means of fire suppression to utilize must incorporate
numerous factors including the mission and criticality of the data center operations.

Halon 1301 fire suppression gas is no longer in production, as of January 1994, and may be subject to
punative tariffs under certain circumstances. Alternate gasses, such as FM-200, are available. FM-200
requires a slightly higher gas concentration than Halon 1301 (7% versus 5%), but is similar in
effectiveness and has none of the environmental side-effects that led to the banning of Halon 1301.

Manual means of fire suppression system discharge should also be installed. These should take the form
of manual pull stations at strategic points in the room. In areas where gas suppression systems are used,
there is normally also a means of manual abort for the suppression system. In designs where it is
necessary to hold the abort button to maintain the delay in discharge, it is essential that a means of
communication is available within reach.

Portable fire extinguishers should also be placed strategically throughout the room. These should be
unobstructed, and should be clearly marked. Labels should be visible above the tall computer equipment
from across the room. Appropriate tile lifters should be located at each extinguisher station to allow
access to the subfloor void for inspection, or to address a fire.

Fault-tolerant technology is a capability of a computer system, electronic

system or networkto deliver uninterrupted service, despite one or more of
its components failing. Fault tolerance also resolves potential service
interruptions related to software or logic errors. The purpose is to
prevent catastrophic failure that could result from a single point of failure.

Developing an IT Disaster Recovery Plan

Businesses should develop an IT disaster recovery plan. It begins by
compiling an inventory of hardware (e.g. servers, desktops, laptops and
wireless devices), software applications and data. The plan should
include a strategy to ensure that all critical information is backed up.

Identify critical software applications and data and the hardware required
to run them. Using standardized hardware will help to replicate and
reimage new hardware. Ensure that copies of program software are
available to enable re-installation on replacement equipment. Prioritize
hardware and software restoration.
Document the IT disaster recovery plan as part of the business continuity
plan. Test the plan periodically to make sure that it works.

Businesses use information technology to quickly and effectively process

information. Employees use electronic mail and Voice Over Internet
Protocol (VOIP) telephone systems to communicate. Electronic data
interchange (EDI) is used to transmit data including orders and payments
from one company to another. Servers process information and store
large amounts of data. Desktop computers, laptops and wireless devices
are used by employees to create, process, manage and communicate
information. What do you when your information technology stops
working?

An information technology disaster recovery plan (IT DRP) should be

developed in conjunction with the business continuity plan. Priorities and
recovery time objectives for information technology should be developed
during the business impact analysis. Technology recovery strategies
should be developed to restore hardware, applications and data in time to
meet the needs of the business recovery.

Businesses large and small create and manage large volumes of

electronic information or data. Much of that data is important. Some data
is vital to the survival and continued operation of the business. The
impact of data loss or corruption from hardware failure, human error,
hacking or malware could be significant. A plan for data backup and
restoration of electronic information is essential.

Resources for Information Technology

Disaster Recovery Planning

 Computer Security Resource Center - National Institute of

Standards and Technology (NIST), Computer Security Division
Special Publications
  Contingency Planning Guide for Federal Information Systems - NIST
Special Publication 800-34 Rev. 1

 Guide to Test, Training, and Exercise Programs for IT Plans and

Capabilities – NIST Special Publication 800-84

 Building An Information Technology Security Awareness and Training

Program - NIST Special Publication 800-50

IT Recovery Strategies
Recovery strategies should be developed for Information technology (IT)
systems, applications and data. This includes networks, servers,
desktops, laptops, wireless devices, data and connectivity. Priorities for
IT recovery should be consistent with the priorities for recovery of
business functions and processes that were developed during
the business impact analysis. IT resources required to support time-
sensitive business functions and processes should also be identified. The
recovery time for an IT resource should match the recovery time
objective for the business function or process that depends on the IT
resource.

Information technology systems require hardware, software, data and

connectivity. Without one component of the “system,” the system may not
run. Therefore, recovery strategies should be developed to anticipate the
loss of one or more of the following system components:

 Computer room environment (secure computer room with climate

control, conditioned and backup power supply, etc.)

 Hardware (networks, servers, desktop and laptop computers,

wireless devices and peripherals)
  Connectivity to a service provider (fiber, cable, wireless, etc.)

 Software applications (electronic data interchange, electronic mail,

enterprise resource management, office productivity, etc.)

 Data and restoration

Some business applications cannot tolerate any downtime. They utilize

dual data centers capable of handling all data processing needs, which
run in parallel with data mirrored or synchronized between the two
centers. This is a very expensive solution that only larger companies can
afford. However, there are other solutions available for small to medium
sized businesses with critical business applications and data to protect.

A backup site or work area recovery site is a location where an organization can relocate
following a disaster, such as fire, flood, terrorist threat or other disruptive event. This is an integral
part of the disaster recovery plan and wider business continuity planning of an organization.
A backup, or alternate, site can be another data center location operated by the organization, or
contracted via a company that specializes in disaster recovery services. In some cases, one
organization will have an agreement with a second organization to operate a joint backup site. In
addition, an organization may have a reciprocal agreement with another organization to set up a
warm site at each of their data centers.
There are three types of backup sites, including cold sites, warm sites, and hot sites. The differences
between the types are determined by the costs and effort required to implement each.

8.3.2. Backup Sites: Cold, Warm, and Hot

One of the most important aspects of disaster recovery is to have a
location from which the recovery can take place. This location is known
as a backup site. In the event of a disaster, a backup site is where your
data center will be recreated, and where you will operate from, for the
length of the disaster.
There are three different types of backup sites:

o Cold backup sites

o Warm backup sites

o Hot backup sites

Obviously these terms do not refer to the temperature of the backup site.
Instead, they refer to the effort required to begin operations at the backup
site in the event of a disaster.
A cold backup site is little more than an appropriately configured space in
a building. Everything required to restore service to your users must be
procured and delivered to the site before the process of recovery can
begin. As you can imagine, the delay going from a cold backup site to full
operation can be substantial.

Cold backup sites are the least expensive sites.

A warm backup site is already stocked with hardware representing a

reasonable facsimile of that found in your data center. To restore service,
the last backups from your off-site storage facility must be delivered, and
bare metal restoration completed, before the real work of recovery can
begin.

Hot backup sites have a virtual mirror image of your current data center,
with all systems configured and waiting only for the last backups of your
user data from your off-site storage facility. As you can imagine, a hot
backup site can often be brought up to full production in no more than a
few hours.

A hot backup site is the most expensive approach to disaster recovery.

Backup sites can come from three different sources:

o Companies specializing in providing disaster recovery services

o Other locations owned and operated by your organization

o A mutual agreement with another organization to share data center

facilities in the event of a disaster
Each approach has its good and bad points. For example, contracting with
a disaster recovery firm often gives you access to professionals skilled in
guiding organizations through the process of creating, testing, and
implementing a disaster recovery plan. As you might imagine, these
services do not come without cost.
Using space in another facility owned and operated by your organization
can be essentially a zero-cost option, but stocking the backup site and
maintaining its readiness is still an expensive proposition.

Crafting an agreement to share data centers with another organization

can be extremely inexpensive, but long-term operations under such
conditions are usually not possible, as the host's data center must still
maintain their normal production, making the situation strained at best.

In the end, the selection of a backup site is a compromise between cost

and your organization's need for the continuation of production.