FACILITIES SECURITY AUDIT CHECKLIST
M. E. Kabay, PhD, CISSP-ISSMP
In all questions, YES answers are desirable if the question is relevant to the particular site and its security policies.
1. Fire hazards
1.1. Construction
1.1.1. Is the computer housed in a building constructed of fire-resistant and non-combustible
materials?
1.1.2. Is the sub-flooring concrete or non-combustible?
1.1.3. Does the sub-flooring have drainage?
1.1.4. Is the sub-floor cabling channeled through conduits?
1.1.5. Is the raised flooring non-combustible?
1.1.6. Are walls and trim non-combustible?

1.1.7. Are walls and trim painted with water-based fire-retardant paints?
1.1.8. Are ventilator grills and light diffusers made of fire-resistant materials?
1.1.9. Are doors, partitions, and framing made of metal?
1.1.10. Have self-closing fire doors been installed to exclude fire from other areas?
1.1.11. Are self-closing fire doors rated for at least 1 hour's fire resistance?
1.1.12. Is all glass in the facility steel-mesh or otherwise reinforced?
1.1.13. Is the ceiling tile non-combustible or made of high-melting-point materials (including
supports)?
1.1.14. Are cables connecting ceiling lights routed through conduits?
1.1.15. Are all electrical connections properly grounded?
1.1.16. Are sound-deadening materials (e.g., on walls, in cabinets, or around desks and other
operating areas) sprayed with fire-retardant chemicals?
1.1.17. Does the construction avoid foamed cellular plastics (e.g., Styrofoam)?
1.1.18. Is the data center placed far from potential sources of fire such as
1.1.18.1. cafeterias,
1.1.18.2. power cables,
1.1.18.3. rubbish storage,
1.1.18.4. caustic chemicals,
1.1.18.5. fumes,
1.1.18.6. odors,
1.1.18.7. petroleum supplies?
1.1.19. Is the data center away from steam lines?
Copyright © 2008 M. E. Kabay. All rights reserved. Page 1 of 21
Permission is granted to Norwich University to use this material for courses in the MSIA Program.

1.1.20. Is the data center away from areas using hazardous processes (e.g., acid treatments,
explosives, high-pressure vats)?
1.1.21. Within the data center, are there sufficient distance or fire-resistant materials to prevent
fire in one area from spreading to other areas?
1.1.21.1. Tape and disk libraries?
1.1.21.2. Paper and punch-card storage?
1.1.21.3. Backup files?
1.1.21.4. Source listings?
1.1.21.5. Backup copies of operations procedures?
1.1.21.6. Forms handling equipment?
1.1.21.7. Report-distribution facilities?
1.1.21.8. Alternate computing facilities?
1.1.21.9. Punch-card processing?
1.1.21.10. Remote job entry or interactive terminals?
1.1.22. Does the construction avoid vertical cable conduits which could spread fire?
1.1.23. If a fire were to occur in one of the data center facilities, would other offices of the
business be physically disabled also?
1.1.24. Do computer room walls extend from floor to roof (below the false floor and above
the false ceiling)?
1.1.25. Are exits and evacuation routes clearly marked?
1.2. Combustibles
1.2.1. Are paper and other supplies stored outside the computer room?
1.2.2. Are curtains, rugs, and drapes non-combustible?
1.2.3. Are caustic or flammable cleaning agents excluded from the data center?
1.2.4. If flammable cleaning agents are permitted in the data center, are they in small
quantities and in approved containers?
1.2.5. Is the quantity of combustible supplies stored in the computer room kept to the
minimum?
1.2.6. Is computer-room furniture metal-only?
1.2.7. Are reference listings (e.g., lists of files backed up to tape) moved out of the computer
room as soon as possible?
1.2.8. Are clothing racks excluded from the computer room?
1.2.9. Are tapes stored away from the computer room?
1.2.10. Are paper-bursting and shredding equipment away from the computer room?
1.2.11. Are computer-room or media-library safes closed when not in use?
1.2.12. Are loose pieces of plastic (e.g., tape rings, disk covers, tape covers, empty tape reels)
stored outside the computer room?
1.2.13. Is decoration of the computer room (e.g., posters, company literature, holiday
decoration such as Halloween and Christmas streamers) avoided?
1.3. Storage
1.3.1. Are copies of critical files stored off-site?
1.3.2. Are on-site copies of critical files in fireproof safes?
1.3.3. Is the number of tapes outside the tape library kept to a minimum?
1.3.4. Are fireproof safes located in a separate area away from the tape library?
1.3.5. Is there a fireproof safe in the computer room for storing tapes and disks while they
are needed for operations in the computer room?
1.3.6. Are disk and tape storage cabinets fitted with rollers to permit rapid emergency
relocation?
1.3.7. Are there obstructions (e.g., risers in front of doors, narrow doorframes) which
prevent rapid removal of storage cabinets in an emergency?
1.3.8. Are disks and tapes coded to show their evacuation priority?
1.3.9. If files are kept in the computer room, are they coded to show their evacuation
priority?
1.3.10. Are there means of transporting fireproof safes away from the data center in an
emergency?
1.3.11. Is there a supply of critical forms stored off-site?
1.4. Practice sessions and drills
1.4.1. Are there regular fire drills?
1.4.2. Are operators trained periodically in fire-fighting techniques?
1.4.3. Are operators assigned specific, individual responsibilities in case of fire?
1.4.4. Is the fire detection system regularly tested?
1.4.5. Is the no-smoking rule for the computer room and media library strictly enforced?
1.4.6. Is an area fire warden (to coordinate evacuation) assigned for every shift?
1.4.7. Is the alarm system tested frequently?
1.4.8. Are there simulated disasters to exercise and improve the evacuation plans?
1.4.9. Is a fire inspection periodically conducted by in-house or municipal fire inspectors?
1.4.10. Are automatic detection and protection systems regularly inspected by qualified
personnel?
1.5. Protection and reaction
1.5.1. Detection equipment
1.5.1.1. Do the facilities have equipment for detecting one or more of the following:
1.5.1.1.1. Smoke?
1.5.1.1.2. Heat?
1.5.1.2. Are any of these detection units mounted inside cabinets of critical system
components?
1.5.1.3. Are smoke detectors mounted
1.5.1.3.1. in ceiling (above suspended tiling)?
1.5.1.3.2. under raised floor?
1.5.1.3.3. in in-bound air ducts?
1.5.1.4. Does smoke-detection equipment shut down the air conditioning system?
1.5.1.5. Is the smoke-detection system tested regularly?
1.5.1.6. Are smoke and fire detection systems connected to the plant security panel and to
municipal public safety departments?
1.5.1.7. Does the smoke-detection system have a count-down period (e.g., 0-180 seconds)
before shutting off other systems?
1.5.1.8. Are under-floor smoke detector positions marked by hanging markers on the
computer-room ceiling?
1.5.2. Alarm mechanisms
1.5.2.1. Do the detection facilities described above include alarms?
1.5.2.2. Are there several strategically-located stations for initiating a manual alarm?
1.5.2.3. Do the alarm devices report the position of a fire accurately
1.5.2.3.1. locally?
1.5.2.3.2. to a watchman position?
1.5.2.3.3. to a centralized security position?
1.5.2.3.4. to a municipal security office?
1.5.2.4. Do the alarms provide pre-alarm audible signals?
1.5.2.5. Are the alarms from different detectors clearly identifiable (e.g., are there labeled
luminescent panels in a central security display)?
1.5.2.6. Do the alarm mechanisms provide for automatic shutdown of critical equipment?
1.5.2.7. Is there a smoke detector alarm horn in a central location in the computer room?
1.5.2.8. Do building alarms (linked to systems outside the computer room) sound within
the computer room?
1.5.3. Protection equipment: do the facilities have
1.5.3.1. Automatic dispersal of a fire-extinguishing or retardant agent such as
1.5.3.1.1. Gas
1.5.3.1.1.1. into main computer room volume?
1.5.3.1.1.2. (above and beneath floors and ceilings)?
1.5.3.1.2. Have personnel been trained in
1.5.3.1.2.1. use of the gas system?
1.5.3.1.2.2. personal safety measures?
1.5.3.1.2.3. gas removal standards (e.g., ventilation measures)?
1.5.3.1.3. Water (last resort) including
1.5.3.1.3.1. hoses?
1.5.3.1.3.2. sprinkling systems?
1.5.3.1.3.2.1. pre-action (sounds alarm and delays water release)?
1.5.3.1.3.2.2. d
