S 1.73 Protecting a computer centre from unauthorised entry
Initiation responsibility: IT Security Officer, Head of IT, Building Services Manager
Implementation responsibility: Building Services Manager
A computer centre is an important central unit and is therefore a functional unit with special requirements for protection against unauthorised access.
The safeguards S 2.6 Granting of site access authorisations and S 2.17 Entry regulations and controls are an indispensable basis for protecting a computer centre against unauthorised access. Rules alone are not enough to provide such protection. Additional safeguards must be implemented to ensure the rules are followed.
Access control for areas of a building with lower protection requirements is usually limited to checking an authorisation based on ownership (of a card, for example) or knowledge (of a PIN, for example). Because a computer centre has significantly higher protection requirements against unauthorised access, stronger access control mechanisms are necessary as a consequence.
The first step to gaining stronger control is to consider querying a combination of at least two of the three criteria of ownership, knowledge, and biometric characteristics. From today's perspective, it is not recommended to use biometric procedures alone in non-monitored areas as the only method of controlling access to security areas. Querying a combination of two criteria guarantees with sufficient certainty that the criteria used actually apply to the person being queried.
All visitors must be assigned to one or more persons who will be responsible for them during their visit and who will monitor them the whole time. Allowing persons who are authorised to enter the computer centre to simply take additional persons such as visitors along with them into areas with access protection, which is acceptable for normal areas, is not acceptable for a computer centre. It is necessary to clearly identify and record every person who enters a computer centre. For visitors, this means that all visitors must be provided with some form of ownership issued specifically to each visitor, for example a visitor's pass. The lack of a second criterion can be compensated for by linking each visitor pass in the system to the person responsible for the corresponding visitor.
A record of every person who enters the computer centre must be created, and this applies to authorised personnel as well as to persons with temporary access authorisation. For example, all access to the computer centre by outsiders could be documented in a visitors' book. A visitors' book cannot be used to control access by unauthorised persons, but only to document this access. A book placed in the computer centre and in which visitors are allowed to enter their personal information without being directly controlled by someone with authorisation is of no value in terms of a strong access control method.
A mantrap can be installed to prevent authorised persons from bringing other persons into the controlled area. If this is not possible, then corresponding organisational and technical regulations must be implemented to aid access control. Technical support can be provided by an anti-passback function. When an anti-passback function is used, every person who gains access to an area by fulfilling the corresponding criteria must check out again upon leaving the area. Anyone who does not check out and then attempts to gain entry again will be denied access, because they are still registered as being present in the site access control system and therefore cannot enter the area a second time. In the same manner, anyone who entered the area together with someone else without providing any identification will be detected upon leaving the area. As a result, it may be made impossible to open the exit door, or a warning can be issued stating that the access rules must be followed.
An anti-passback function not only helps to teach employees not to take persons along with them into protected areas, but can also keep track of who has entered the area and who has already left it. This information can provide a significant advantage when handling security incidents.
The anti-passback exit function can be restricted to querying a single criterion. The visitor's pass could be used as such a criterion, for example.
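The following added example (not part of the safeguard text, and not a real site access control product) models the rules described above in a small Python simulation: staff are admitted only on two criteria (card plus PIN), a visitor pass is admitted only while its linked responsible person is registered as present, re-entry without a prior check-out is refused by the anti-passback rule, and the single-criterion exit flags anyone who was never checked in. The credential store and card identifiers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample credential store (not from the original document).
# Staff entries carry a PIN (knowledge); visitor passes carry the host
# responsible for the visitor instead, which compensates for the missing
# second criterion as the safeguard describes.
CREDENTIALS = {
    "staff-0001": {"pin": "4711", "host": None},
    "visitor-17": {"pin": None, "host": "staff-0001"},
}


@dataclass
class ComputerCentreAccess:
    credentials: dict
    present: set = field(default_factory=set)   # cards registered as inside
    log: list = field(default_factory=list)     # audit trail of every decision

    def _record(self, card: str, event: str, granted: bool) -> bool:
        self.log.append((card, event, granted))
        return granted

    def enter(self, card: str, pin: Optional[str] = None) -> bool:
        """Two-criteria entry check with anti-passback."""
        cred = self.credentials.get(card)
        if cred is None:
            return self._record(card, "enter: unknown card", False)
        if card in self.present:  # anti-passback: never checked out
            return self._record(card, "enter: already registered present", False)
        if cred["host"] is None:  # staff: ownership (card) + knowledge (PIN)
            if pin != cred["pin"]:
                return self._record(card, "enter: PIN mismatch", False)
        elif cred["host"] not in self.present:  # visitor: host must be inside
            return self._record(card, "enter: responsible person absent", False)
        self.present.add(card)
        return self._record(card, "enter", True)

    def leave(self, card: str) -> bool:
        """Single-criterion exit; detects persons who were never checked in."""
        if card not in self.present:
            return self._record(card, "exit: not registered present (tailgating?)", False)
        self.present.discard(card)
        return self._record(card, "exit", True)
```

The `log` list is the record of every entry and exit that the safeguard asks for, so it can be consulted when handling a security incident.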
Review questions:
- Are at least two authentication criteria always queried when someone wants to access a computer centre?
- Has it been ensured that every single visitor needs to pass through the access control system?
- Is every visitor assigned someone to be responsible for them and does this person monitor these visitors at all times?
- Has an anti-passback function been implemented?
- Are there mechanisms or rules that prevent authorised persons from taking unauthorised persons with them into the computer centre?