We have realized importance of restricting physical access in information security. The data processing facility requires special consideration in its design and location. Data processing equipment is a valuable asset that needs to be protected from environmental contamination, malicious personnel, theft, and physical damage. The data centre location should not draw any attention to its true contents. This will alleviate malicious interest by persons motivated to commit theft or vandalism. The facility should be constructed according to national fire-protection codes with a 2-hour fire-protection rating for floors, ceilings, doors, and walls.

Some locations in the building are not suitable for the computer room. Basements are a poor choice because they are susceptible to flooding. In 1960, computers were placed behind glass windows to showcase them as a status symbol. A series of riots in the mid-1960s made it apparent that computers needed to be rapidly moved into fortified rooms. The most expedient location was an unused basement with no windows. The standard over the past 50 years has been to place the data center on a middle floor in the building—preferably located between the second floor and one floor below the top floor.

Basements are a poor choice for data centers. Ground-level floors are not a good choice because they are easy to access by both thieves and attackers. A top floor is not recommended because of the likelihood of storm damage and roof leaks. A floor just below the top floor may be acceptable. The second layer of concrete between the floors provides additional protection from roof leaks. Opaque windows are considered acceptable in some environments if the windows are shatterproof and installed by using a sturdy mount equal to the window rating.

data center design

Access to the data center should be monitored and restricted. The same level of protection should be given to wiring closets because they contain related support equipment. Physical protection should be designed by using a 3D space consideration: Intruders should not be able to gain access from above, below, or through the side of the facility. The physical space inside the data processing facility should be environmentally controlled. The activity of neighboring organizations should be considered when establishing a computer facility. Locations adjacent to or on the final path to, an airport or a chemical works where explosive gases may be present, for example, should be avoided.

Source:  CISA® Study Guide Second Edition (chapter 7) by David L. Cannon

Picture taken from: Deerns

Related posts:

1. Environmental Controls: Safe Storage
2. Environmental Controls: Controlling Air, Fire and Water
3. Logical Protection: Technical Control
4. Category of Information Security
5. Logical Protection: Fundamental of Authentication