Physical Security Management Guidelines

Physical security of ICT equipment, systems and
facilities
Approved
27 October 2011
Version 1.0
© Commonwealth of Australia 2011
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia
(http://creativecommons.org/licenses/by/3.0/au/deed.en) licence.
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website (accessible
using the links provided) as is the full legal code for the CC BY 3.0 AU licence
(http://creativecommons.org/licenses/by/3.0/legalcode).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour
(http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.
Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Business Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02) 6141 6666
copyright@ag.gov.au
Document details
Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of security classification review: July 2013
Authority: Protective Security Policy Committee
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved by PSPC 27 October 2011
Table of Contents
1. Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
1.3.1 Use of specific terms in these guidelines
2. Background
2.1 Why were the guidelines developed?
2.2 Relationship to other documents
2.3 How are the guidelines structured?
3. Physical security of ICT equipment
3.1 Storage of ICT equipment when not in use
3.2 Security of ICT equipment that cannot be kept in security containers or rooms when not in use
3.2.1 Equipment with solid state drives or hybrid hard drives
3.3 Auditing of ICT equipment
3.3.1 Tamper evident seals
4. Physical security of ICT system equipment
4.1 Physical security of servers and network devices
4.2 Network infrastructure
4.3 Deployable ICT systems
4.4 ICT system gateway devices
5. Physical security of ICT facilities
5.1 Accreditation of ICT facilities
5.1.1 TOP SECRET or codeword information ICT facilities
5.2 Access control to ICT facilities and equipment within ICT facilities
5.2.1 Technical surveillance counter-measures
5.3 Outsourced ICT facilities
5.3.1 Gateway facilities
5.3.2 Datacentres
6. Protection of information and ICT equipment against environmental or man-made threats
6.1 Preservation of ICT equipment
6.1.1 Uninterruptable and auxiliary power supplies
6.2 Protection from environmental or man-made disasters
6.2.1 Flooding
6.2.2 Fire
6.3 Backup ICT systems
Amendments
No. | Location | Amendment
(no amendments recorded)
1. Introduction
1.1 Purpose
The Australian Government physical security management guidelines–Physical security of ICT
(information and communications technology) equipment, systems and facilities provide guidance to
achieve a consistent approach to determining physical security controls for ICT equipment, systems
and facilities holding Australian Government information.
1.2 Audience
These guidelines are intended for:
• Australian Government security management staff
• Australian Government ICT security management staff
• contractors to the Australian Government providing physical security advice and services
• providers of facilities for Australian Government ICT services and functions, and
• any other body or person responsible for the security of Australian Government people,
information or physical assets.
1.3 Scope
These guidelines relate to physical security measures of ICT equipment, systems and facilities within:
• Australian Government agencies, or
• other entities handling Australian Government official information.
In the absence of specific advice in these guidelines agencies should refer to SAI Global - AS/NZS
ISO/IEC 27002:2006 Information Technology–Security techniques–Code of practice for information
security management, Section 9 – Physical and environmental security.
Note: Where legislative requirements prescribe higher controls than those identified in these
guidelines, the legislative controls take precedence and are to be applied.
Agencies are to protect any information provided by another government in accordance with
international agreements; see PSPF Governance Arrangements–4.10 International security
agreements.
These guidelines include advice on the Australian Government’s expectations for the protection of
Australian information by foreign governments.
1.3.1 Use of specific terms in these guidelines
In these guidelines the use of the terms:
• ‘need to’ refers to a legislative requirement that agencies must meet
• ‘are required to’ or ‘is required to’ refers to a control:
  - to which agencies cannot give a policy exception, or
  - used in other protective security documents that set controls.
• ‘are to’ or ‘is to’ are directions required to support compliance with the mandatory
requirements of the physical security core policy, and
• ‘should’ refers to better practice; agencies are expected to apply better practice unless there is
a reason based on their risk assessment to apply alternative controls.
For details on policy exceptions see the PSPF - Australian Government physical security management
protocol (section 1.4).
The following terms are also used in these guidelines:
• Aggregation—compilations of official information that may require a higher level of protection
than their component parts. This is because the combination generates a greater value, and the
consequence of compromise, loss of integrity, or unavailability creates an increase in the
business impact level.
• Availability—the ability of an agency to make information available to conduct its normal
business within a predetermined maximum acceptable outage based on the criticality of the
information; see Australian Standard HB 292-2006 A practitioner’s guide to business continuity
management section 4.7 for further information.
• ICT equipment—any device that can process, store or communicate electronic information—for
example, computers, multifunction devices, landline and mobile phones, digital cameras,
electronic storage media and other radio devices.
  - ICT system equipment—a subset of ICT equipment that is used to maintain an ICT system—
for example, servers, communications network devices such as PABX, gateways and network
infrastructure such as cabling and patch panels—this equipment is normally continuously
operational.
• ICT facility—a building, a floor of a building or a designated space on the floor of a building used
to house or process large quantities of data; for example, server and gateway rooms,
datacentres, backup repositories, storage areas for ICT equipment, and communications and
patch rooms.
• ICT system—a related set of hardware and software used for the processing, storage or
communication of information and the governance framework in which it operates.
• Network infrastructure—the infrastructure used to carry information between workstations
and servers or other network devices. For example: cabling, junction boxes, patch panels, fibre
distribution panels and structured wiring enclosures.
• Security container or room—Security Construction and Equipment Committee (SCEC) approved
A, B or C class container or room; see PSPF - Australian Government physical security
management guidelines–Security zones and risk mitigation control measures Sections 5.13 and
5.14.
2. Background
2.1 Why were the guidelines developed?
The Australian Government physical security management guidelines–Physical security of ICT
equipment, systems and facilities provide a consistent and structured approach to determining:
• the level of control required to:
  - meet the assessed risk
  - give suitable protection to information
  - provide assurance to other agencies for information sharing, and
• the types of controls that are suitable.
The guidelines will:
• establish consistent terminology for physical security of ICT equipment, systems and facilities
holding Australian Government official information, and
• give agencies a framework for the assurance needed to share information.
These guidelines recognise that the predominant risks to electronic information (whether held in ICT
equipment, systems or facilities) are from:
• external cyber attack—the minimum mandatory logical controls to counter cyber attacks are
detailed in the ISM, and
• trusted insiders—including, but not limited to, disgruntled or inexperienced users, contractors,
and administrators.
The theft or loss of ICT equipment is another risk to electronic information.
The controls identified in the ISM are used to mitigate threats to confidentiality, integrity and
availability of information held on ICT equipment. Physical security measures also mitigate these
risks by restricting access to people with a genuine need to know.
Agencies should develop procedures to minimise the risk of oversight of information on their ICT
equipment.
2.2 Relationship to other documents
These guidelines support the implementation of the Protective Security Policy Framework (PSPF).
They are part of a suite of documents that aid agencies to meet their physical security requirements.
In particular, they support and should be read in conjunction with the:
• PSPF - Australian Government physical security management protocol, in particular Section 8
• PSPF - Australian Government physical security management guidelines–Security zones and risk
mitigation control measures
• PSPF - Australian Government protective security governance guidelines–Business impact levels
• PSPF - Australian Government information management protocol, and
• Defence Signals Directorate (DSD) publication the Australian Government information security
manual (ISM)
2.3 How are the guidelines structured?
These guidelines are broadly divided into the following sections:
• physical security of:
  - ICT equipment
  - ICT systems
  - ICT facilities, and
• protection of information and ICT equipment from environmental or man-made threats.
3. Physical security of ICT equipment
The primary purpose of ICT equipment is to facilitate the processing, storage and communication of
agency information electronically.
ICT equipment that requires protection includes any device which can store information
electronically, such as:
• computers—desktop, laptop or tablet
• photocopiers, multifunction devices (MFDs) and printers
• fax machines
• mobile telephones
• digital cameras
• personal electronic devices, and
• storage media–for example, portable hard drives, USB sticks, CDs, DVDs, RFID tags and systems.
The level of protection that should be given to ICT equipment is based on the higher of:
• the business impact level that would result from the compromise, loss of integrity or unavailability
of the aggregate of electronic information held on the equipment, or
• the business impact level of the loss or unavailability of the ICT equipment itself.
See the PSPF - Australian Government protective security governance guidelines–Business
impact levels.
3.1 Storage of ICT equipment when not in use
When ICT equipment is stored in dedicated ICT facilities (see Section 5, Physical security of ICT
facilities) the physical security controls should meet those detailed in Table 1–Storage requirements
for electronic information in ICT facilities.
Where ICT equipment is not stored in dedicated ICT facilities agencies should apply the physical
security controls detailed in the PSPF - Australian Government physical security management
guidelines–Security zones and risk mitigation control measures.
The physical security controls used are to meet either the requirements of Table 1 or the guidelines
as appropriate, or exceed those required when justified by the agency security risk assessment.
Where agencies cannot meet the above requirement they are to seek advice from DSD on additional
logical or technological solutions that may be available to lower the risks to electronic information
when the equipment is not in use. (See below.)
3.2 Security of ICT equipment that cannot be kept in security containers or rooms when not in use
Agencies may not be able to secure some electronic equipment in security containers or rooms
when not in use–for example, desktop computers, printers, MFDs.
In some circumstances agencies may be able to fit removable non-volatile media (hard drives) that
can then be secured in an appropriate security container when not in use.
In cases where the non-volatile media cannot be removed agencies should determine the Zone
where the equipment can be kept based on the risks of obtaining information, and the sensitivity of
the information attainable, from the equipment. Agencies should seek further advice from DSD on
additional logical or technological solutions that may be available to lower the risks to electronic
information.
Agencies should assess the risk when equipment cannot be secured when not in use, where its
compromise could cause loss of integrity or availability of the information held by or accessible
through that equipment. Where the business impact of the compromise, loss of integrity or
unavailability of the information is very high or extreme, the equipment is to be stored in a Zone
Three or above area unless additional logical controls are applied to lower the risks when not in use
to a level acceptable to the agency.
Where the business impact of the compromise, loss of integrity or unavailability of the information is
catastrophic, the equipment is to be stored in a Zone Five area unless additional logical controls are
applied to lower the risks when not in use to a level acceptable to the information originator.
The logical controls described in the ISM do not constitute sanitisation and reclassification of ICT
media. Therefore, the media retains its classification for the purposes of reuse, reclassification,
declassification, sanitisation, destruction and disposal as specified in the ISM.
3.2.1 Equipment with solid state drives or hybrid hard drives
Solid state drives and hybrid hard drives cannot be made safe through normal wiping processes
when switched off. Agencies wishing to use equipment fitted with solid state drives or hybrid hard
drives should seek advice from DSD on other methods of securing these types of equipment–for
example, encryption.
3.3 Auditing of ICT equipment
For asset control of ICT equipment, agencies should:
• record the location and authorised custodian, and
• periodically audit.
The period between audits should be based on the agency’s risk assessment with higher risk items
audited on a more regular basis.
Agencies should, based on their risk assessment, consider visually inspecting ICT equipment as part
of their asset control audit to ensure that non-approved devices have not been installed.
Agencies are to have procedures for employees to report the loss of ICT equipment.
3.3.1 Tamper evident seals
Agencies may seal access to ICT equipment using Security Construction and Equipment Committee
(SCEC) approved tamper evident wafer seals suitable for application to hard surfaces. The use of
seals may give a visual indication of unauthorised access into the equipment if the seals are removed
or broken.
Agencies should refer to the SCEC Security Equipment Catalogue when selecting wafer seals.
4. Physical security of ICT system equipment
In addition to the ICT equipment mentioned in Section 3, ICT system equipment that needs physical
security includes:
• servers—including dedicated devices and laptops used as servers
• other communications network devices—for example, PABX
• the supporting network infrastructure—for example, cabling, patch panels, and
• gateway devices—for example, routers, network access devices.
4.1 Physical security of servers and network devices
Servers and network devices are to be located in security rooms/containers. The level of
room/container used should be determined by the business impact of the compromise, loss of
integrity or unavailability of the aggregated information accessible from the servers and network
devices.
Agencies should keep servers and communication network devices in dedicated ICT facilities (see
Section 5, Physical security of ICT facilities).
Agencies are required to apply the controls identified in the PSPF - Australian Government physical
security management guidelines–Security zones and risk mitigation control measures to protect the
information on the servers and network devices not held in dedicated ICT facilities.
4.2 Network infrastructure
Agency information is communicated through network infrastructure.
Where DSD approved encryption is applied the requirements for physical security of network
infrastructure can be lowered. Agencies should protect network infrastructure using a mixture of
physical security measures and encryption.
Agencies are to use Security Zones suitable for the highest business impact of the compromise, loss
of integrity or unavailability of information being communicated over the network infrastructure. As
it may not be possible to secure all network infrastructure in security containers/rooms agencies are
also to meet any system encryption requirements in the ISM.
Agencies should determine the level of container required for patch panels, fibre distribution panels
and structured wiring enclosures based on:
• the business impact of the information passing over the connections, and
• any other controls in place to protect the information.
Panels should at a minimum be in locked containers/rooms to prevent tampering.
Agencies lose control of their information when it is communicated over unsecured public network
infrastructure or over infrastructure in unsecured areas as they can have no assurance of the
physical security of the infrastructure or logical security of the information.
Agencies are required to use the encryption standards identified in the ISM for information
transmitted over public network infrastructure when the compromise, loss of integrity or
unavailability of the information would have a business impact of high or above. The encryption will
sufficiently protect the information to allow it to be transmitted on an unclassified network.
Encryption is normally applied at an agency gateway.
Agencies are also required to apply the encryption standards identified in the ISM to protect
information on their network infrastructure in unsecured areas.
4.3 Deployable ICT systems
Agencies may have difficulty in applying suitable physical security measures when using deployable
ICT systems, particularly if deployed into high risk environments. Agencies that use deployable
systems are required to seek advice from DSD on suitable logical controls to help mitigate any risks
they identify.
4.4 ICT system gateway devices
In addition to the logical controls required in the ISM, agencies are to use physical security measures
for their ICT system gateway devices to mitigate the higher business impact from:
• the loss of the devices, or
• the compromise of the aggregated information arising from physical access to the devices.
Agencies using shared gateways are to apply controls to the gateway appropriate to the highest level
of information passing through the gateway.
Agencies are to prevent unauthorised access to gateway devices. It is recommended that these
devices be located in dedicated ICT facilities (see Section 5, Physical security of ICT facilities).
5. Physical security of ICT facilities
Agencies may use dedicated ICT facilities to house ICT systems, components of their ICT systems or
ICT equipment. These facilities include, but are not limited to:
• server and gateway rooms
• datacentres
• backup repositories
• storage areas for ICT equipment that hold official information, and
• communications and patch rooms.
Agencies should pay particular attention to the security of any access points to an ICT facility—for
example, cabling and ducting.
5.1 Accreditation of ICT facilities
ICT facilities are required to be within accredited Security Zones, as detailed in the PSPF - Australian
Government physical security management guidelines–Security zones and risk mitigation control
measures, appropriate for the aggregation of the information held.
Agencies should also house ICT facilities in Security Zones dedicated to those facilities, separate
from other agency functions.
Where an agency outsources its ICT facilities, or uses shared facilities, the agency is required to
ensure their information is held in a Security Zone appropriate for the aggregation of information,
see Outsourced ICT facilities.
Containers used to house ICT equipment in an ICT facility may be at a lower level when the ICT
facility is a separate Security Zone within an existing Security Zone that is suitable for the
aggregation of the information held. See Table 1–Storage requirements for electronic information in
ICT facilities.
5.1.1 TOP SECRET or codeword information ICT facilities
All TOP SECRET or codeword information ICT facilities are to be in a separate Zone Five within a Zone
Five work area, both of which are to be certified by ASIO-T4. TOP SECRET ICT facilities are to have
either a separate zone on the agency EACS and SCEC approved Type 1 SAS, or their own SCEC
approved Type 1 SAS. In addition, agencies are required to have DSD certify all TOP SECRET ICT
systems.
Table 1–Storage requirements for electronic information in ICT facilities
The physical security containers/rooms required for holding ICT equipment can sometimes be
lowered according to the following table when ICT facilities are located in an additional Security
Zone within the work area Security Zone. Zone One is not to be used for ICT facilities with an
aggregation of information with a business impact level of high or above. The table below details
the impact of applying the ‘Security-in-Depth’ principle and provides the revised physical security
standard required.
Columns: (1) Business impact level of aggregations of electronic information; (2) Security Zone of
the agency’s work area; (3) Security container or room(1) ordinarily required; (4) Additional Security
Zone within work area for ICT facility; (5) Security container or room(1) required for ICT equipment.
Catastrophic business impact level: (2) Zone Five (must be certified by ASIO-T4); (3) Class B;
(4) Zone Five (must be certified by ASIO-T4); (5) Class C.
Extreme, very high, high and medium-or-below business impact levels (rows as extracted):
Extreme business impact
level
Zone Four
Zone Four or above Lockable commercial
cabinets
Class C
Zone Two
Zone Three
Very high business impact Zone Four
level
Zone Three
Zone Two
High business impact level Zone Three or
above
Zone Two
Medium business impact
level or below
Class B
Class C
Zone Four or above Lockable commercial
cabinets
Zone Three
Class C
Zone Two
Class B
Class C
recommended
Zone Two or above Lockable commercial
cabinets
Class C
Zone Three or
above
Lockable commercial
cabinets
Zone Two
Class C
Class B
Zone Four or above Lockable commercial
cabinets
Zone Three
Class C
Zone Two
Class B
Lockable
commercial
cabinets
No additional zone Lockable commercial
required
cabinets
Class C
Zone Three or
above
Lockable commercial
cabinets
Zone Two
Class C
Zone Two
Lockable
commercial
cabinets
No additional zone Lockable commercial
required
cabinets
Zone One
Class C
Zone Two or above Lockable commercial
cabinets
Note 1: Lockable commercial cabinets should be used within security rooms to give additional access
control to individual pieces of equipment.
5.2 Access control to ICT facilities and equipment within ICT facilities
Agencies are to control access to ICT facilities in accordance with the PSPF - Australian Government
physical security guidelines–Security Zones and risk mitigation measures, Section 5.5—Access control
and Section 5.7—Visitor control.
Access to agency ICT facilities holding information, the compromise, loss of integrity or unavailability
of which has a lower than catastrophic business impact level, should be controlled by:
• a dedicated section of the security alarm system (SAS) or electronic access control system
(EACS), where used, or
• a person provided with a list of people with a ‘need to know’ or ‘need to go’ into the ICT facility.
Agencies are to keep ICT facilities, and security containers within ICT facilities holding ICT equipment,
secured when the facilities are not occupied.
Agencies may, if warranted by their risk assessment, use ‘no-lone-zones’ or ‘dual authentication’ as
an additional control for ICT facilities.
5.2.1 Technical surveillance counter-measures
Agencies are to have a Technical Surveillance Counter Measures (TSCM) inspection undertaken for
all TOP SECRET and codeword ICT facilities where regular TOP SECRET discussions are held within the
facility. A TSCM inspection may also be required to provide a high level of assurance that hardware
and cabling infrastructure within an ICT facility has not been compromised.
Where an agency does not regularly require its ICT facilities to handle TOP SECRET information, the
requirement for a TSCM inspection, and the interval between inspections, should be based on the
agency’s risk assessment, see the PSPF - Australian Government physical security guidelines–Security
Zones and risk mitigation measures, Section 5.15.4—Technical surveillance counter measures and
audio security.
Agency security advisers should seek further advice from ASIO-T4 - t4ps@t4.gov.au.
5.3 Outsourced ICT facilities
Agencies are to ensure that outsourced ICT facilities meet any controls identified in these guidelines
for the protection of the aggregation of information held in the facilities. Information on the
inclusion of security requirements in contracts for outsourced functions is available in the PSPF -
Australian Government governance guidelines–Security in outsourced services and functions.
5.3.1 Gateway facilities
Before they are used operationally, ASIO-T4 will certify the physical security measures in DSD
certified commercial gateway facilities intended for use by multiple Australian Government agencies,
as listed in the AGIMO Internet Gateway Reduction Program.
Before any other commercial gateway facility is used operationally to hold Australian Government
official information where the compromise of the confidentiality, loss of integrity or unavailability of
the information would have a catastrophic business impact level, agencies are to seek ASIO-T4
advice on the certification requirements of the facility’s physical security measures.
Gateway devices are to be given protection commensurate with the business impact of the
compromise of the aggregate of the information protected by the devices.
5.3.2 Datacentres
Before a commercial datacentre is used operationally to hold Australian Government official
information where the compromise of the confidentiality, loss of integrity or unavailability of the
information would have a catastrophic business impact level, agencies are to seek ASIO-T4 advice on
the certification requirements of the datacentre’s physical security measures.
Agencies using datacentres are to assess the aggregation of all official information that is held in the
datacentre. Before a shared datacentre arrangement is used operationally, the agencies employing
it are to liaise with all other agencies using the same datacentre to assess the business impact of the
loss of integrity or unavailability of the aggregate of the combined information.
Data storage devices are to be given protection commensurate with the business impact of the
compromise of the aggregate of the information stored on the devices.
Datacentres are selected not only for their ability to provide security of information, but also for
their ability to provide continuous availability to information. ANSI/TIA-942 Telecommunications
Infrastructure Standard for Data Centers provides four tiers of availability in datacentres.
Datacentres that comply with the Standard are available more than 99% of the time.
6. Protection of information and ICT equipment against environmental or man-made threats
Some information held on ICT systems will be required by agencies to enable a return to normal
service after an incident. Agencies should determine the availability requirements for their
information as part of their disaster recovery and business continuity plans. The impact of the
information not being available will influence the measures taken to protect ICT equipment against
environmental and man-made threats.
For further information see:
• PSPF – Governance – Business continuity management, and
• SAI Global – HB 292-2006 A practitioner’s guide to business continuity management, section 4.7.
6.1 Preservation of ICT equipment
ICT equipment may require a controlled atmosphere to ensure the integrity of the information held on the equipment. ICT equipment holding information may also require a controlled environment to prevent failure of the equipment and potential loss of information. This may include, but is not limited to, controlling:
• temperature
• humidity
• air quality—for example smoke and dust
• water, or
• light.
Agencies should apply controls to meet any ICT equipment manufacturer’s identified requirements.
Advice on preserving electronic information for the future is available from the National Archives of
Australia.
6.1.1 Uninterruptible and auxiliary power supplies
Agencies may lose information if ICT systems are unexpectedly shut down. An uninterruptible power supply (UPS) will allow the agency to turn off systems in a controlled manner, or provide power until power to the ICT system is restored.
Any UPS used by an agency should provide at least enough power to allow:
• the controlled shutdown of ICT systems, or
• the startup of an auxiliary power supply.
ICT equipment also needs protection from power surges (relatively lengthy increases in voltage), power sags (short drops in voltage) and spikes (short, very large increases in voltage). Most UPS units also give some protection from surges and sags.
As most environmental systems rely on mains electricity, an auxiliary power supply may assist in maintaining environmental controls. Auxiliary power supplies should be maintained in accordance with the manufacturer’s directions.
6.2 Protection from environmental or man-made disasters
Agencies should identify any threats from environmental or man-made disasters to their ICT equipment in their security risk assessment. As ICT systems may be more sensitive to environmental factors, additional risk mitigation measures, over and above those used to protect people and physical assets from harm, may be needed.
6.2.1 Flooding
Water is one of the major threats to any system that uses electricity, including ICT systems.
Agencies should site server rooms so that they are protected from flooding. Flooding may come from external sources (for example, swollen rivers) or internal sources (for example, burst pipes). Agencies considering locating server rooms in basements should assess the risk of flooding from both external and internal sources.
6.2.2 Fire
Agencies should also protect ICT equipment from fire. ICT equipment can be damaged either
through direct exposure to flames, or the effects of smoke (poor air quality) and increases in
temperature in the general environment.
An additional concern for ICT equipment during building fires is the potential for flooding during firefighting operations. An agency may be able to use alternatives to water-based sprinkler systems, such as CO2 or other gaseous agents, in critical ICT facilities. An agency’s decision to use such alternatives should be based on the agency’s own risk assessment.
6.3 Backup ICT systems
Backup ICT systems can provide an agency with a recovery point if its primary ICT systems fail, and can form part of an agency’s business continuity and disaster recovery plans. Any backup system should be, as far as possible, fully independent of the supporting infrastructure used for the primary system, so that a failure of the primary ICT system does not also cause the secondary ICT system to fail.
Backup ICT systems should be regularly tested to ensure their continued operation.
Agencies may use off-site or commercial backup facilities. Agencies should consider dual redundancy, that is, using two backup facilities, for business-critical information and ICT systems.
Agencies are required to ensure any commercial ICT facilities they use meet all the security requirements of the PSPF and ISM to protect Australian Government information. An agency that uses a commercial backup facility should consider the aggregation of information held in the facility, not just the agency’s own information, when determining the levels of physical and logical security needed at the facility.
Information on the inclusion of security requirements in contracts for outsourced functions is available in the PSPF – Australian Government governance guidelines – Security in outsourced functions.