S 1.58 Technical and organisational requirements for server rooms
Initiation responsibility: Top Management
Implementation responsibility: Information Security Management
A server room should be designed as a closed and secure area. The room should be equipped with access doors and windows that can be secured as well as possible, because all access options must be monitored (see also S 1.10 Safe doors and windows). Access should be protected by high-quality access control mechanisms. When planning a server room and/or selecting suitable premises, the potential threats posed by the environment should be minimised to the greatest extent possible. Countermeasures must be taken against potential threats such as water ingress on flat roofs or in the basement, as well as against sources of electromagnetic interference such as mobile phone transmission towers or three-phase power generators.
During planning, it should be ensured that the pipe routes for the supply pipes in the building, for example for water or gas (see S 1.24 Avoidance of water pipes), are not installed in the immediate vicinity or run through sensitive areas of the server room.
In many cases, high availability requirements are placed on the IT components operated in server rooms. These requirements can be taken into account by designing redundancy into the infrastructural and technical equipment (see safeguard S 1.52 Redundancy, modularity, and scalability in the technical infrastructure).
A server room is a security-relevant area, and only the administrators of the IT systems installed there should have access to the server room. The site access controls for such a security area must ensure that the organisation's own employees and, even more importantly, temporary employees, e.g. those performing maintenance work in the server room, do not have any access to systems outside their area of responsibility.
IT systems supported by external employees should be installed in separate rooms. Furthermore, installing IT systems with differing protection requirements or from different areas in separate server rooms must be considered in order to keep the group of persons authorised to access each room small.
The server room should by no means contain any devices or equipment that require the room to be accessed by a large group of users, such as fax machines or copiers. Combustible materials such as printing paper should not be stored in a server room either.
It should be prohibited to take portable IT systems, mobile telephones, or cameras into a server room when such systems are not under the control of the respective organisation. In general, operating mobile telephones should be prohibited in computer centres, since they can seriously interfere with the operation of the IT systems. Exceptions to this rule must be approved (see S 2.188 Security guidelines and rules for the use of mobile phones).
Review questions:
- Does the server room form a separate security area?
- Are all accesses to a server room controlled?
- Have threats caused by environmental influences been generally avoided when selecting the premises for a server room?
- Are the doors, windows, and walls of the server room characterised by appropriate intrusion, smoke, and fire protection?
- Has it been taken into consideration during planning that the routes of the supply lines must not be run in the direct vicinity or even through sensitive areas of the server room?
- Have the infrastructural and technical facilities been designed with sufficient redundancy to ensure high availability during maintenance or in the event of a fault?
- Are there organisational requirements for server rooms?