T 2.6 Unauthorised admission to rooms requiring protection
All rooms in which information requiring protection is stored or processed or in which devices requiring protection are operated are considered to be rooms requiring protection for this reason. Examples of these types of rooms are office rooms, but also archives in which data media and files are stored centrally. This also includes the technology distribution rooms containing central components such as power distributors, network switching elements, and servers.
Unauthorised persons can cause damage deliberately (e.g. through manipulation or vandalism), but also inadvertently due to human error (due to a lack of skills or the knowledge required, for example). Even when there is apparently no immediate damage, operations can still be disrupted if it is necessary to examine how such an event was possible or whether or not damage occurred or data or devices were manipulated.
Intruders could have, for example, reset passwords, accessed the servers directly, or manipulated active network components. In addition, they could have stolen or altered sensitive information stored on paper or on data media.
Not only the rooms on the company premises must be protected against unauthorised access, but also the rooms in private homes used for company purposes. Safeguards against burglary (e.g. lockable window handles, security locks, and locking bolts and safety glass on entry doors) are often not implemented in home workplaces due to the cost. This results in less protection against break-ins at the telecommuter workplaces than at the company or government agency.
Examples:
- The entire central IT of a company was installed in a single server room equipped with a restrictive and modern access authorisation system. In the summer, though, the company realised that the air conditioning capacity was not sufficient for handling the numerous IT systems. For this reason, the window and doors were opened wide on hot days to cool the room down. A short time later, a new server that had not yet been activated disappeared without a trace.
- An employee had set up an office at home in a separate room for telecommuting but did not always lock the door. Once, while the children were briefly unsupervised, they began playing in the unlocked home office. The children then used important documents to draw on. In addition, the openings on the computer were stuffed with toys and crackers, which led to a total failure of the IT system.
- In one company, every employee was allowed to enter all of the printer rooms. This allowed an attacker to physically access a central printer and then reconfigure it. The new configuration copied all documents to be printed to the integrated hard disk of the printer and did not delete them after printing. Once the hard disk was full, the attacker replaced the full hard disk with an empty one and examined the full hard disk on his computer. Although the attacker was not employed in the development department, he was able in this manner to copy a number of important development documents without being noticed and then sell them to the competition before the source of the leak was found.
- A person substituting for a regular member of the cleaning staff who was on holiday took it upon herself to clean the computer centre even though she was not instructed to do so. She then opened the emergency exit, which was monitored by an alarm, and correspondingly triggered a false alarm.
- After a break-in in an office building, it initially appeared as if only the coffee cash box and two new laptops were missing. In spite of this, all files needed to be examined to check if important parts were missing, and all IT systems needed to be checked for unauthorised access.
- Access protection can also fail when present but insufficient. A good lock is worthless, for example, when the door itself is not strong enough and the hinges are not installed properly.