Control A.9.1.3 of the standard requires the organization to create secure areas within the security perimeter to protect offices, rooms and facilities that have additional, special security requirements. A secure room may contain lockable cabinets or safes. Secure rooms could be any rooms within the premises but will certainly include server rooms, telecoms rooms and plant (power and air-conditioning) rooms. Some other areas (such as accounts or HR, or directors’ offices) might also need to be secured. Many chief executives’ offices should also be treated as secure rooms.
There could be a clash, within organizations that are strongly committed to open-plan working, between the desire for openness and the need for security. This will have to be addressed and solutions found that can be consistently and coherently applied across the whole organization. Part of the solution will lie in what sort of meeting rooms or available secured areas can be used by employees, and part will depend on how information is classified and what facilities are made available for its storage.
ISO27002 provides very common-sense advice on the selection and design of a secure area, and this section should be read in conjunction with the next sub-section, ‘Protecting against external and environmental threats’. Secure area design should take account of the possibility of damage from fire, flood, explosion, civil unrest and other forms of natural or human-created disaster. The risks posed by neighbouring premises should be considered, such as potential leakage of water from outside the secure area. Secure storage facilities, such as safes and high-security document stores, need also to be sited in such a way that they can be located on a site map within the business continuity documentation and quickly and easily recovered (as described in Chapter 26) after a disaster. This will require consideration to be given to issues such as the fire-resistance period of surrounding doors and floors; the organization wants to avoid scenarios where, for example, after an explosion in the building, a safe containing all the organization’s insurance documents falls from its location on the first floor right through into the basement of the building and has to be recovered (when it can be found) from among the debris of fire and flood.
The controls that ISO27002 recommends should be considered and, if appropriate, implemented include the following:
• Key storage areas and keyed entrance areas should be sited to avoid access by unauthorized persons and by the public.
• Buildings that contain information processing facilities should be unobtrusive and give as little indication as possible of their presence or purpose.
• Office machinery, such as faxes and photocopiers, should be sited within the secure perimeter in such a way that access to more secure rooms is not required. In other words, do not put the photocopier or fax machine in the same room as the computer servers.
• Doors and windows should be locked when the building or room is unattended. External protection, such as burglar bars, should be considered in the context of the risk assessment for ground-floor and any other accessible windows. This is particularly important for the computer server and communications rooms, which should be accessible only to a small number of authorized personnel, each of whom has individual access codes so that a record of access and egress can be maintained at an individual level. No one should be allowed into one of these rooms unless accompanied at all times by an authorized person. Externally, any special precautions taken for specific rooms (eg whitewashed windows or bars) should not stand out in comparison to other rooms, as this would clearly indicate to a potential intruder where the most valuable assets might be stored. There should be no obvious signs outside the building to indicate how valuable or important it is.
• As discussed earlier, information processing facilities managed by the organization should be physically separate from those managed by third parties, even if this means erecting a cage or some other form of physical security within a shared secure area.
• Internal directories or telephone books or other guides that identify the location or telephone numbers of secure, sensitive areas should not be accessible by the public or unauthorized persons.
• Hazardous or combustible material, particularly office stationery, should not be bulk-stored within a secure area. There should be a separate area, some distance away, where such material is stored. Regular inspections of secure rooms, by someone other than those responsible for their day-to-day management, are usually necessary to ensure that this requirement is observed.
• Back-up equipment and media should not be stored with the equipment that they will back up, in order to ensure that the organization can actually restore operations if it loses or otherwise has compromised its front-line facilities (through, for example, fire in the server room or terrorist activity affecting the whole of the premises).
Finally, a word about keys: keys should not be left in locks, irrespective of whether or not the access route has an automatic door closer. If the lock has not been engaged, it is possible for the key to be used by someone (whether accidentally or maliciously) to activate the lock, thus restricting planned access/egress at a later time.