Operations

CSSP: DOMAIN 5 OPERATIONS

Physical and Environmental Controls for the Datacenter
Logical Cloud Infrastructure
Risk Assessments of Physical and Logical Infrastructure

PHYSICAL AND ENVIRONMENTAL DESIGN

In establishing a physical security function within a cloud environment, the following must be considered:
The security needs for the equipment and services being protected
The human resources that are in place for physical security
How legacy physical security efforts have been managed and staffed prior to transition to cloud
The financial resources available for these efforts

PHYSICAL AND ENVIRONMENTAL DESIGN
CONTINUED

Physical security normally takes one of four forms in design and implementation
Environmental design
Mechanical, electronic and procedural controls
Detection and response procedures
Personnel identification, authentication, and access control

HUMAN RESOURCES CONTROLS

The purpose of the human resources physical control is to minimize the risk of the personnel closest to the data disrupting operations and compromising the cloud. Consider the following measures:
Roles and responsibilities
Background Agreements
Employment Agreement
Employment Termination
Separation of Duties
Job Rotation
Mandatory Vacations

PHYSICAL LOCATION OF THE CSP FACILITY

Check if the location of the facility falls under any active seismic zone and the risks thereof.
Facility should not be located in a geographic region which is prone to:
Flooding, landslides or other natural disasters
Political, ethnic, communal or social unrests
Easy and quick accessibility of the facility’s location

DOCUMENT REVIEW
Physical & Environmental Security Policy
User Account Termination Procedures
Contingency Plan
Incident Reporting & Response Plan
Emergency Response Plan
Facility Layout – emergency exits, positioning of CCTV cameras, secure entry points
Fire Exit Route Map & Fire Order Instructions
Emergency Evacuation Plan & Procedures
Crisis Communication Procedures
Emergency Contact Numbers
User Facility Access Review/Audit Records
Security Awareness Training documentation, presentation, handouts, etc

DOCUMENT REVIEW
CONTINUED
Security Awareness Attendance Records
Succession Planning for key executives
Technical Documents – electrical wiring diagrams, BMS, UPS, AHU details
Maintenance Schedule of Electrical, Generator & CCTV
List of Authorized Personnel allowed entry inside facility
Security Staff profiles – bio & background information
Background Check Reports of Security Staff (must be performed every year)
Annual Maintenance Contracts for key equipment & devices (focus on SLAs for equipment/devices downtime & restoration)

CSP ASSESSMENT
Check whether all the documents are updated and current. The documents must be reviewed by the CSP at least once in a year. Should include revision data and signoff
Further, the policy and procedure documents (that are suitable for employee viewing) should be made available through a common Intranet site where authorized employees of the CSP can access them anytime for reference.
Check whether the CSP has security awareness program in place. At the minimum, the CSP should ensure that employees are given adequate security awareness training at least once a year and receive sign off from them. Also, new employees joining the organization shall undergo a security orientation session as part of the induction program where key policies and procedures are to be covered. To make the program effective, a senior staff from the security team must conduct the session
If the CSP is compliant with global security standards like ISO 27001 ISMS or any other industry-specific standard :
Verify the compliance certificate and its validity.
Look for verifiable evidence of resources allocation – budget and manpower to sustain the compliance program.
Verify internal audit reports and evidence of remedial actions for thefindings.

PERIMETER SECURITY

Data Center
Administrative areas
Reception
Parking Area
Storage Area

Fire Exits
CCTV Command Center
AHU Room
Locker Room
UPS Room
Generator Room
Fuel Storage

SECURITY INFRASTRUCTURE

Secure Entry Points – Access control systems (proximity cards/biometric access)
Access Control System linked with fire control panel for emergency release
Emergency auto-release buttons near all access card readers
Motion-sensing alarms, thermal tracking devices
Fire Safety Equipment – Wet Riser, Hydrants, Hoses,
Smoke Detectors & Water Sprinklers
Fire Extinguishers

Fire Exits (must not be locked)
Panic Bars in fire exits
CCTV Cameras and DVR server (including backup timelines)
Door Closures and time-delay door alarms
Gas-based fire suppressants inside Data Centers
Paper Shredders near printers
Emergency Response Team Kit (ERT Kit)
Two-way Radio devices (Walkie-talkie handsets) for security staff
Duress Alarms underneath security desk and vantage (concealed) points

SECURITY GUARDS

Curbing tail-gating by employees.
Handle visitors and movement within the facility.
Handling phone calls.
Monitoring intrusion and fire alarm systems and dispatch personnel to respond to alarms.
Controlling movement of materials into and out of the building and enforcing property pass regulations.
Enforcing rules and regulations established for the building.
Patrolling inside facility.
CCTV monitoring.
Key control and management.
Frisking and checking housekeeping and maintenance personnel during entry and exit.
Emergency response procedures.
Escalating security-related issues to security manager.
Accepting and dispatching mail.
Escort unattended business visitors inside the office.

ENVIRONMENTAL CONTROLS

American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) Technical Committee 9.9 has created a set of guidelines for temperature and humidity ranges in the datacenter
Temperature between 64 and 80 degrees Fahrenheit
Humidity should be between 40 and 80 percent
Cable management strategy should be in place to minimize airflow obstructions caused by cable and wiring
Hot/Cold aisles should be established