Secured server and communications rooms provide appropriate physical security for servers and network devices.

]]> This section covers the physical security of servers and network devices. Information relating to network infrastructure and IT equipment can be found in other sections of this chapter.

]]> In order to reduce physical security requirements for information systems infrastructure, other network devices and servers, agencies may choose to certify and accredit the physical security of the site or IT equipment room to the standard specified in the PSR. This has the effect of providing an additional layer of physical security. See PSR - Physical Security

]]> Agencies choosing NOT to certify and accredit the physical security of the site or IT equipment room, must continue to meet the full storage requirements specified in the PSR.  See PSR - Physical Security, PSR - Information Security.

]]> Security containers for IT infrastructure, network devices or servers situated in an unsecure area must be compliant with the requirements of the PSR. Installing IT infrastructure, network devices or servers in a secure facility can lower the storage requirements, provided multiple layers of physical security have been implemented, certified and accredited.

]]> The establishment of a secure communications room to house IT infrastructure, network devices, and other related equipment will provide a further physical security layer.

]]> Agencies MUST ensure that servers and network devices are secured within cabinets as outlined in PSR Policy Framework - Physical security and supporting documentation.

]]> If personnel decide to leave server rooms, communications rooms or security containers with keys in locks, unlocked or with security functions disabled it negates the purpose of providing security in the first place. Such activities will compromise the security efforts of the agencies and should not be permitted by the agency.

]]> Agencies MUST ensure that keys or equivalent access mechanisms to server rooms, communications rooms and security containers are appropriately controlled.

]]> Agencies MUST NOT leave server rooms, communications rooms or security containers in an unsecured state unless the server room is occupied by authorised personnel.

]]> Site security plans (SitePlan), the physical security equivalent of the SSP and SOPs for systems, are used to document all aspects of physical security for systems. Formally documenting this information ensures that standards, controls and procedures can easily be reviewed by security personnel.

]]> Agencies MUST develop a Site Security Plan (SitePlan) for each server and communications room. Information to be covered includes, but is not limited to:

  • a summary of the security risk review for the facility the server or communications room is located in;
  • roles and responsibilities of facility and security personnel;
  • the administration, operation and maintenance of the electronic access control system or security alarm system;
  • key management, the enrolment and removal of system users and issuing of personal identification number codes and passwords;
  • personnel security clearances, security awareness training and regular briefings;
  • regular inspection of the generated audit trails and logs;
  • end of day checks and lockup;
  • reporting of information security incidents; and
  • what activities to undertake in response to security alarms.
]]> Areas containing particularly sensitive materials or IT equipment can be provided with additional security through the use of a designated no-lone-zone. The aim of this designation is to enforce two-person integrity, where all actions are witnessed by at least one other person.

]]> Agencies operating no-lone-zones MUST suitably signpost the area and have all entry and exit points appropriately secured.

]]>