In spite of increasing threats to computer system security, most local government IT departments have been concentrating on barricading the doors while leaving the windows wide open.
Every year, security becomes an increasingly larger budget item for local government IT departments. It started modestly enough with sub-$100 virus software; we then proceeded to install firewalls costing in excess of $20,000.
Over the past few years, the need for security-oriented systems has exploded to the point where we now find ourselves outfitted with “mail walls,” spam blockers, enterprise virus scanners, pop-up blockers and a plethora of other application-specific security software.
Most IT departments, however, have all but ignored a security hole that any really determined hacker could drive a truck through.
That hole is typically in the physical security of their IT infrastructure plant.
Physical security is a term that auditors use to refer to the non-electronic aspects of security. This includes such mundane items as a separate room for the servers with a door that securely locks, fire alarms, automatic fire suppression systems (such as halon) and intrusion alarms.
When the need for a “computer room” first arose, most local governments had to create such a space in City Hall structures that had little or no appropriate space available.
It’s not too unusual to see computer rooms in the basement with the pipes and boilers. Many local governments have computer rooms with at least one glass window, and in quite a few cases the window is on an exterior wall.
It’s extremely unusual to find a computer room with anything more than two sheets of drywall separating the general office from millions of dollars worth of equipment and information.
The folks at the Canada Customs and Revenue Agency (CCRA) found out the hard way why physical security is something important to think about. In September, thieves broke into their regional office in Laval, Que. and made off with a file server containing the personal financial information of more than 120,000 taxpayers.
In this case the server wasn’t even located in the computer room at the time of the theft. The thief broke a ground floor window and made off with the server in spite of the presence of an alarm system.
While many of you out there may be “tut-tutting” at their negligence, it’s likely that your own server would fare no better even if it was in its normal “computer room” home. While honest folks tend to think of drywall and glass as immovable barriers, most thieves know that it only takes a well-placed kick or a thrown brick to create a makeshift “door” where a wall or window used to be. They also know that police give automated alarms a low response priority when compared to the steady stream of human calls to 911 that are constantly keeping them busy.
Typically, it’s safe to assume a 20-minute response time from the point at which the alarm is first triggered to when the police first arrive.
Local governments throughout Canada have experienced the theft of some computer equipment (usually desktop or laptop systems) but compared to most organizations they have been lucky. RCMP crime experts tell us that this is because thieves generally assume that governments all have the kind of super security equipment that they see in movies.
The pace of crime in our urban centres is increasing, however, and thieves will soon discover that most government computer rooms are an easy target.
Before this happens we need to take a lesson from the CCRA’s experience and tighten up our physical security.
The test is easy. If you can imagine it taking less than 20 minutes to defeat the physical security of your computer room, then you haven’t done enough.
Do you have any glass windows in the computer room? Is the door hollow, wooden or set in a frame made of wood?
Does the door have a passage-style lock (keyhole set into the handle)? Are the walls made of drywall?
Do the walls stop at the suspended ceiling? If you can answer yes to any of these questions, then in all likelihood your server will be long gone by the time police respond to your automated alarm system.
Along with that server goes the personal information of potentially hundreds of employees and thousands of your community’s taxpayers.
Will you be able to look those people in the eye and tell them, as the CCRA did, that you thought you had it covered?