S 2.1 General building
Description
Buildings are the outer frame for the performance of business processes. A building surrounds the stationary workplaces, the processed information and the installed IT, and thus provides them with external protection. Often, the infrastructure installations of the building are what make business processes and IT operation possible in the first place. The building itself, i.e. walls, ceilings, floors, roof, windows and doors, but also the utilities throughout the building, such as electricity, water, gas, heating, pneumatic dispatch etc., should therefore be considered.
This module considers a building that is used by one or several organisational units of an institution. These may also have differing security requirements. Furthermore, all considerations must include the fact that a building can and should almost always be entered by persons not belonging to the institution (citizens, customers, suppliers).
If a building is used differently by various parties, then design and equipment of the building should meet the use concept of the building. An optimal environment should be ensured for the persons working in the building. Entry of unauthorised persons should be prevented for areas where they may compromise security, and the technology installed in the building should be operated in a safe and efficient manner.
This module describes the safeguards to be taken by an institution to ensure optimal use of a building regarding information security. Although the requirements on the kind of measures are also based on the type and size of the institution, the recommendations of this module can also be applied to the considerations of large properties with several buildings or the use of individual building parts in multi-party houses.
Threat scenario
The following typical threats to the IT-Grundschutz of a building are assumed to exist:
Force Majeure
T 1.3 | Lightning |
T 1.4 | Fire |
T 1.5 | Water |
T 1.12 | Problems caused by big public events |
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.6 | Unauthorised admission to rooms requiring protection |
T 2.105 | Violation of statutory regulations and contractual agreements |
Human Error
T 3.85 | Impairment of fire protection compartmentalisations |
Technical Failure
T 4.1 | Disruption of power supply |
T 4.2 | Failure of internal supply networks |
T 4.3 | Failure of existing safety devices |
T 4.88 | Electrical power supply unsuitable for EMC |
Deliberate Acts
T 5.3 | Unauthorised entry into a building |
T 5.4 | Theft |
T 5.5 | Vandalism |
T 5.6 | Attack |
Method recommendation
To secure the information system under consideration, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
This module considers technical and non-technical security aspects when planning and using typical buildings for companies and public agencies. This includes consideration of the whole life cycle of buildings, starting from creation of requirement specifications to conceptual design, arrangement and use to building alteration or moving out.
The cabling in a building is examined separately in modules S 2.2 Cabling and S 2.12 IT cabling, and special rooms such as server rooms or archive rooms are examined in the corresponding modules of layer 2.
When using buildings for the business operation of public agencies or companies, it is necessary in terms of information security to follow different approaches for certain safeguards. For new construction of a building, a large part of the necessary safeguards can already be taken in the planning phase.
However, if an existing building is used or leased, in which case additional expansion or reconstruction may be involved, the ability to implement adequate information security safeguards is often much more restricted.
Planning and design
The planned use of a building and the protection requirements for the business processes operated there define the design and the equipment of the building under security aspects. Starting with assessment of location and type of property, it must be verified that the building is appropriate for the intended purpose or can be designed appropriately.
Creation of a zone model (see S 1.79 Formation of security zones) that can be used as a basis for planning the use of the building based on the protection requirement (see S 1.78 Security concept for use of building) is recommended for further planning or verification of an existing building. This is then used to derive the organisation of access authorisations as described in safeguard S 1.80 Access control system and authorisation management, the design of doors and windows, and the further safeguards for securing and monitoring.
When planning the room allocation, safeguard S 1.8 Room allocation, with due regard to fire loads as well as, when using an existing building, S 1.13 Layout of building parts requiring protection must be applied. Furthermore, it is also always required to determine the electrical power requirement expected for each room according to the planned use of the room (see S 1.3 Appropriate segmentation of circuits).
Purchasing
Both when selecting a location for a new construction and when assessing existing property, the safeguards S 1.16 Selection of a suitable site and S 2.334 Selection of an appropriate building must be considered.
Construction and preparation of a building for use
During the construction phase, all safeguards deemed necessary during the planning phase should be implemented. In all cases, safeguards S 1.1 Compliance with relevant standards and regulations and S 1.6 Compliance with fire-protection regulations must be applied during the construction phase. Safeguards S 1.2 Regulations governing access to distributors as well as S 2.14 Key management must be implemented at the latest when moving into a building. Likewise, site access rules and an access control concept according to S 2.17 Entry regulations and controls are necessary.
Building use
During the building use phase, the regular application of safeguard S 2.15 Fire safety inspection must be planned to ensure compliance with the applicable fire safety regulations. The application and regular monitoring of safeguard S 1.15 Closed windows and doors must be ensured so that only authorised persons are allowed into the building and as a basic precaution against break-ins.
Contingency Planning
To be prepared for an emergency, it is necessary to create an alert plan and conduct emergency drills at regular intervals. If this is not done, then you can expect bad decisions to be made and confusion as to what action to take during an emergency (see S 6.17 Alert plan and fire drills).
The bundle of security safeguards to be used for the "General building" module is presented in the following:
Planning and design
S 1.3 | (A) | Appropriate segmentation of circuits |
S 1.4 | (B) | Lightning protection devices |
S 1.5 | (Z) | Galvanic separation of external lines |
S 1.7 | (A) | Hand-held fire extinguishers |
S 1.8 | (A) | Room allocation, with due regard to fire loads |
S 1.10 | (Z) | Safe doors and windows |
S 1.11 | (A) | Plans detailing the location of supply lines |
S 1.12 | (A) | Avoidance of references to the location of building parts requiring protection |
S 1.14 | (Z) | Automatic water drainage |
S 1.19 | (Z) | Protection against entering and breaking |
S 1.50 | (C) | Smoke protection |
S 1.74 | (Z) | EMC-compliant power supply |
S 1.75 | (A) | Fire detection in buildings |
S 1.77 | (Z) | Air conditioning for humans |
S 1.78 | (C) | Security concept for use of building |
S 1.79 | (W) | Formation of security zones |
S 1.80 | (W) | Access control system and authorisation management |
Purchasing
S 1.16 | (A) | Selection of a suitable site |
S 2.334 | (Z) | Selection of an appropriate building |
Implementation
S 1.1 | (A) | Compliance with relevant standards and regulations |
S 1.2 | (A) | Regulations governing access to distributors |
S 1.6 | (A) | Compliance with fire-protection regulations |
S 1.17 | (Z) | Entrance control service |
S 1.51 | (A) | Fire load reduction |
S 2.17 | (A) | Entry regulations and controls |
S 2.21 | (A) | Ban on smoking |
S 2.212 | (B) | Organisational requirements regarding cleaning contractors |
Operation
S 1.15 | (A) | Closed windows and doors |
S 1.23 | (A) | Locked doors |
S 2.14 | (A) | Key management |
S 2.15 | (B) | Fire safety inspection |
S 2.391 | (B) | Timely provision of information to the fire safety engineer |
Disposal
S 2.308 | (Z) | Moving out of buildings |
Contingency Planning
S 6.17 | (A) | Alert plan and fire drills |