How Safe is Your Data Centre- 10 Questions
Martin Grigg of PTS Consulting discusses the challenges within a high-security environment and proposesa solution to identify and mitigate the risks associated with an insider threat.
1. How do you manage visitors to your Data Centre?
Whether they are contracted services or deliveries personnel, or members of the public, it is inevitable that you will encounter visitors to your data centre facility.
For facilities where access is strictly controlled it is normal for a formal visitor management process to be in place. Visitor management allows temporary access to areas within your facility making it important not only for security but also for safety.
Without a formal visitor management process it could be easier for a potential adversary to enter and move around a facility unchallenged; remember that the human element of the process is generally the weakest. Visitor management is a complex subject which, when executed effectively can introduce a strong strategic layer of security beyond that of the physical measures which you may already have.
2. Who are you neighbours
You may well have selected the location for your Data Centre based upon a number of key factors, but did you consider your neighbours? Knowing you neighbours and liaising with them can help you to understand their threat profile and assess whether additional mitigation measures may help to defend against the threats that they bring.
Assessing the geographic location of your facility will help to decide what types of measures could prevent you from becoming effected by others. It may also impact your decision making when look at a new site.
3. Do your security measures actually work as designed?
Once security measures are implemented, it is often an ongoing battle to make sure that Business As Usual adheres to the design intent for the system and to make sure that it works to optimum standards.
A Threat, Vulnerability and Risk Assessment (TVRA) forms the basis for detailed design and the recommendations made within it help to form accurate operational requirements. By using TVRA to initiate security design it ensures that the security measures that you adopt will work in line with the overall strategy now and in the future
4. How do you manage and ensure that you are prepared for the dynamic risk that is out there?
Security procedures are a crucial element to the wider security strategy and are put in place to reinforce the application of defensive measures. But do your procedures effectively address the risks that you face today?
As the threat profile evolves it is essential to adapt procedures in line with changes as they occur. Creating a benchmark from which the threat profile can be monitored will allow for continued evaluation
5. What Type of Response can be expected from law enforcement?
When emergency procedures are designed there is often a point at which the incident is planned to be handed over to law enforcement and emergency services, but how quick will this happen?
Without a clear understanding of an expected response time it becomes difficult to establish an effective emergency plan. This creates added complication when selecting effective countermeasures and resilience as the period of delay/denial will be hard to determine.
6. What are your critical assets?
In its simplest form an asset can be defined as ‘something of value to the organisation’.
The criticality of an asset is dependent on its relative value to the organisation; for example, in the Data Centre environment your power supply could be classed as a key critical asset, because without power you cannot conduct your operations.
Identifying your key critical assets will help to determine which security measures to adopt, and, more importantly, will allow you to determine your security budget.
7. What type of data is held in your Data Centre? – E.g. Government/Commercially sensitive etc.
Determining what type of data you store will aid in selecting the security systems, processes and procedures that you adopt. This can include the number of access control layers required, the resolution and recording retention of your CCTV system, and the level of pre-employment screening that is undertaken….and this is just the start.
The importance of understanding the types of data that you store will reach beyond your own enterprise as it will also affect the inherent risk to some of the other clients that take up your service.
8. How are incidents reported, assessed and addressed for improvement?
When an incident occurs how do you learn from it? Does your workforce know how to report it to the right department? And what do you do to ensure that the same thing doesn’t happen again?
Too often incidents go unreported and the exposure of your systems either grows or, at the very least, remains unprotected and vulnerable. Without regular ongoing security threat and vulnerability assessments your facility becomes totally reliant on individuals reporting all incidents.
Regular assessment and the use of reporting procedures that are well communicated will work to help you minimise vulnerability and exposure.
9. How do you know what the threats to your business are?
In order to determine the threats to your facility you will need to understand the environment and context in which it exists. Often the mere existence of certain assets can create or attract a threat. Target attractiveness can be a good place to start, especially when considering the threat of terrorism, but what else can add value to this process?
Whatever method or model you choose, it is essential that threats are considered, evaluated, mitigated and re-assessed on a regular basis.
10. How often is the TVRA undertaken?
You may already have undertaken a TVRA at your facility – perhaps it was conducted prior to construction or before you occupied the location – but how often should you repeat the process?
The threat landscape is constantly changing and evolving as new technology is developed, and as the methods and tactics used by the adversary are changed, refined and enhanced. So, the threats and risks which were identified when you first conducted TVRA may well have moved on meaning that you could potentially be exposed.
Below are just a few examples of when the threat, vulnerability and risk of your facility may require re-assessment:
- Making a change to your business processes
- Expanding, building upon, or reducing your facilty
- Changing essential service providers