Texas Security and Risk Management

5.0 Physical Security

Copyright(c), 1995 - Management Analytics - All Rights Reserved

All state information processing areas must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations.

5.1 Management Reviews

STANDARD. Management reviews of physical security measures shall be conducted annually, as well as whenever facilities or security procedures are significantly modified.

GUIDELINES. Issues addressed in these management reviews should include:

5.2 Review of Construction Plans

Plans for new computer facilities or modifications to existing facilities should be reviewed by the Facilities Construction & Space Management Division of the General Services Commission (GSC). That office may be contacted for a preliminary consultation. Plans for installing critical computing assets such as telecommunications or optical scanning equipment, which often are not housed in the computer room itself, should also be reviewed by the GSC.

5.3 Site Location

GUIDELINES. Security factors to be considered with respect to the location of information management facilities include:

5.4 Computer Room and Equipment Location Within a Building

GUIDELINES. General security guidelines with respect to the building within which the information management facility is housed include:

5.5 Access to Equipment and Facilities

Access to computers and telecommunications devices must be restricted to authorized personnel. Access can be limited to authorized personnel through the use of passwords, user identification codes, terminal locks, or locked rooms. Visits to a computing facility should be permitted only under the supervision of agency personnel. Access and movement of all personnel who are not employees of the agency should be controlled. Service personnel, telephone repair persons, and delivery personnel are not employees of the agency and should be escorted by agency staff at all times.

STANDARD. Physical access to central computer rooms shall be restricted to only authorized personnel. Authorized visitors shall be recorded and supervised.


5.6 Supplies


5.7 Construction


5.8 Electrical Considerations


5.9 Environmental Controls

One of the major causes of computer downtime is the failure to maintain proper controls over temperature, humidity, air movement, cleanliness, and power. Environmental controls should also provide for safety of personnel.

STANDARD. Employees and information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.


5.10 Air Conditioning

5.11 Links Outside Central Computer Rooms

STANDARD. Confidential or sensitive information, when handled or processed by terminals, communication switches, and network components outside the central computer room, shall receive the level of protection necessary to ensure its integrity and confidentiality. The required protection may be achieved by physical or logical controls, or a mix thereof.


5.12 Access Doors


5.13 Emergency Procedures

STANDARD. Emergency procedures shall be developed and regularly tested.


5.14 Fire Detection

GUIDELINES. Agencies should consider adoption of the National Fire Protection Association Standard 75 (NFPA 75), "Standard for the Protection of Electronic Computer/Data Processing Equipment". This standard sets forth minimum requirements for the protection of electronic computer/data processing equipment from damage by fire or its associated effects, i.e., smoke, corrosion, heat, water.

5.15 Fire Suppression


State agencies that plan to build new (or modify existing) computer facilities should consider installing dry stand pipe water sprinkler systems and not a halon-based fire suppression system. For information about water sprinklers and their use as a fire suppression device for computer facilities, refer to Datapro Research Corporation's Datapro Reports On Information Security, Volume 1, Physical Security (IS 40-49), Designing the Computer Room for Security, page IS40-050- 108, January, 1986.

The U.S. Environmental Protection Agency (EPA) has announced that it expects to require a 100 percent phaseout of halon in the United States. Halon is the chemical used in fire suppression equipment for many computer facilities. The phaseout is planned due to concerns that halon contributes to the depletion of the earth's protective ozone layer. While the phase-out is expected to occur over a ten year period, The EPA has not yet announced specific regulatory actions or a timetable for the phaseout.

5.16 Water Damage Precautions


5.17 General Housekeeping