Given how much equipment can cost, from desktops to enterprise-scale UPSs, it is important to make sure it is protected, maintained and supported.
Security category – 11.2. Equipment
11.2.1. Equipment siting and protection.
Don’t leave physical equipment accessible to the public or in environmentally unsuitable areas. Work equipment, where possible, should be placed and used in secure areas where it can be accessed by authorized individuals to perform their required tasks. This can include environmental controls, such as having an HVAC system in the data centre to keep temperature and humidity at an acceptable level, and company policies that restrict physical risks presented by employees, such as storing a glass of water on top of their desktop unit.
11.2.2. Supporting utilities.
For this control, it’s recommended to have redundancy for all our utilities (telecoms, electricity, water, heating etc). For example, having multiple fiber connections with 2 or more telecoms providers gives us greater redundancy if 1 provider is suffering an outage, and having a different type of telecoms connection, such as satellite, can provide even more redundancy. Applying the same thought pattern to other utilities can grant us greater uptime (such as using UPSs and generators for redundant power/electricity requirements). Monitoring for all utilities should be in place to give immediate notice when there is a problem with any of these most basic services.
11.2.3. Cabling security.
The crux here is to avoid having cables easily accessible, within reach of people who are not authorized to access the data being carried. Specialist cabling cabinets should be used when running cables through a building or, if possible, cables should be run underground. On a related note, to protect the integrity of the information being sent on data cables, proper shielding should be put in place and the data cables should be kept separate from power cables.
11.2.4. Equipment maintenance.
Keeping devices and equipment in a good state of repair should always be considered best practice to prevent unexpected failures and malfunctions. Schedule regular inspections of your equipment with staff who have the required skills to assess and maintain the relevant equipment. If using outside vendors to provide support, ensure that, for any equipment they are inspecting, any data they should not have access to has been removed prior to their visit. If that is not possible, the vendor should be vetted and screened to a level appropriate to the data being carried.
11.2.5. Removal of assets.
Whenever we move an item outside of the organization we lose many of the controls in place to protect it. As such, an authorization procedure should be in place that designates responsibility and requirements to make sure the risks facing those items on removal are mitigated. This can include having a sign-out procedure, giving time limits for equipment being moved off-site and having handling guidelines. Authorization should always be required when equipment is moved off-site.
11.2.6. Security of equipment and assets off premises.
Part of taking assets off-site should include maintaining a chain of custody for when the equipment changes hands. Records of who is in control of that asset, and at which time, should be kept up to date. Other steps can include not viewing sensitive data in public, not leaving the asset unsupervised in a public place and taking reasonable steps to protect it from physical damage. Encryption should also be used for assets taken off-site even if encryption is not normally used in your organization. A higher standard of security should be given, where possible, to these assets.
11.2.7. Secure disposal or re-use of equipment.
A big security risk is the lack of a proper sanitization procedure for media at the end of its life. All media that holds non-public data should be zeroed before disposal. The higher the data classification of the media, the more thorough the destruction of data should be. For the most sensitive data the media should be physically destroyed or degaussed. Deleting files or formatting is not enough for this type of data (such as PII), as reusing, or allowing the reuse of, the media could cause disclosure. Staff should be trained to follow the correct procedure for the safe disposal of media and instructions should be clearly documented. Another good practice for reusing old media is to never reuse media for lower classification purposes; for example, do not reuse a top secret hard drive for a confidential or secret server.
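As an added example (not part of the original post), the Python below models why formatting alone leaves data behind and how a zero pass can be verified by reading the media back. The image layout, block size, record contents and function names are all constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # I/O block size (assumption for this example)

def build_sample_image():
    """Constructed 64 KiB stand-in for a disk: index at block 0, data at block 2."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"INDEX customers.csv -> block 2".ljust(2 * BLOCK, b"\x00"))
        f.write(b"name=CONSTRUCTED;account=0000".ljust(14 * BLOCK, b"\x00"))
    return path

def quick_format(path):
    """Model of delete/format: only the index block is cleared, data stays."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK)

def zero_fill(path):
    """Overwrite every byte of the image with zeros and flush to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for start in range(0, size, BLOCK):
            f.write(b"\x00" * min(BLOCK, size - start))
        f.flush()
        os.fsync(f.fileno())

def first_nonzero_offset(path):
    """Verification pass: offset of the first non-zero byte, or None if clean."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)
    return None

def demo():
    """Return (offset found after format, offset found after zero fill)."""
    path = build_sample_image()
    try:
        quick_format(path)
        after_format = first_nonzero_offset(path)  # record is still on the media
        zero_fill(path)
        return after_format, first_nonzero_offset(path)
    finally:
        os.remove(path)
```

A read-back pass like this covers only the blocks the device exposes to the host.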
11.2.8. Unattended user equipment.
Users should never leave equipment unattended, but if they do there should be controls in place to mitigate the risk. Technical controls can be a great help here, such as having a screensaver timeout if a workstation is inactive for more than 15 minutes and requiring the user to enter their login credentials when they return to unlock it. This can prevent an unauthorized person accessing an employee’s workstation and information if that employee leaves their desk without signing out. In Ireland especially, this can be a big risk as staff need to leave their desk to ensure their cup of tea is continuously full.
11.2.9. Clear desk and clear screen policy.
One of the easiest ways to find information in your office is to walk around and look at what post-its are on your staff’s computer monitors, and what documents have been left on their desks or are waiting to be collected at the printer. Requiring your staff to maintain a clean desk can prevent information from being accidentally disclosed to people who do not have clearance to view it, such as cleaners or visitors temporarily in the office. As with the previous control, the user should also be required to log off their workstation when leaving their desk and to be conscious of what is displayed on their screen and who is around them.