S 2.95 Obtaining suitable protective cabinets

Initiation responsibility: IT Security Officer

Implementation responsibility: Purchasing Department

Protective cabinets can protect their contents against the effects of flames and against unauthorised access. It is necessary to clarify the protection goals to be reached using a protective cabinet first. The next step is to determine which contents need to be protected because the sensitivity of documents, data media, and valuables to temperature and humidity can vary greatly. Depending on the protective effect desired, the following information should be taken into account when selecting suitable protective cabinets:

• Protection against the effects of fire:
  
  Data storage cabinets designed according to EN 1047-1 are divided into the quality classes S60 and S120 based on the protection they offer against fire. S60 and S120 protective cabinets are tested by exposing them to fire for 60 or 120 minutes, respectively, in a standardised test to determine if they maintain a temperature that can be withstood by the data media they protect. Additional codes are used in the classification to designate the data media to be protected. The codes have the following meanings:
  • P = Paper documents
  • D = Data media with a maximum temperature threshold of up to 70°C (e.g. magnetic tapes, films)
  • DIS = Data media with a maximum temperature threshold of up to 50°C (e.g. diskettes, magnetic tape cassettes including all other data media)

The classes differ in terms of their insulation rating, whereby the DIS cabinets have the highest rating.

Class S60 data protection cabinets should provide adequate protection against fire for normal protection requirements. If the cabinet will be used as a server cabinet, then it is recommended to use data protection cabinets designed according to EN 1047-1 or data protection containers designed according to EN 1047-2 with an air conditioning system.

Protective cabinets used to provide protection against smoke and fire should provide a mechanism for automatically closing the doors in the event of a fire. The closing of the doors should be triggered locally by smoke detectors and/or externally by a signal from a fire alarm system (if available).

• Protection against unauthorised access:
  
  The deciding factor determining the level of protection provided against unauthorised access is the quality of the lock in addition to the mechanical strength of the protective cabinet.
  
  For normal protection requirements, safes designed according to EN 11431 "Secure storage units - requirements, classification and methods of test for resistance to burglary, Part 1: Safes, ATM safes, strongroom doors and strongrooms" or security cabinets designed according to EN 14450 "Secure storage units - Requirements, classification and methods of test for resistance to burglary - Secure safe cabinets" should be used. Security cabinets have lower resistance values than safes or strongrooms.
  
  If a combination of access protection and fire protection is required, then data protection cabinets should be used that meet the requirements of EN 1143-1 as well as the requirements of EN 1047-1 (referred to as duplex cabinets).

VDMA Standard Sheet 24990 "Safes and strongrooms" can be consulted to help assess the resistance values of various protective cabinets. This standard contains brief descriptions of the security features offered by protective cabinets.

When selecting protective cabinets, it is also necessary to take the permissible floor load, meaning the load-bearing ability of the floor at the site of installation, into account. In addition, it should be checked in advance how the protective cabinets can be transported to the installation site. This also includes checking the maximum load capacities of the lifts and the widths of the stairs, corridors, and doors.

After defining the selection criteria for the protection to be provided by the protective cabinet, the next step is to specify the accessories the cabinets need to be equipped with. To accomplish this, it should be specified which devices and which types of data media will be stored in the cabinet before purchasing the protective cabinet. The interior fittings of the protective cabinet must be selected according to this specification. It is generally difficult to retrofit a cabinet because this can have a negative impact on the protection offered by the cabinet and on its certification. This means room for expansion in the future should be allowed for during planning.

Server cabinets should provide space for a screen and additional peripheral devices such as tape drives as well as for the server and a keyboard so that administrative tasks can be performed on the cabinet. Emphasis should be placed on selecting equipment that is ergonomically designed so that administrative tasks can be performed comfortably on the server. For example, a drawer should be provided for the keyboard at the proper height so the administrator can work while seated. Depending on what the cabinet is used for, it may also be necessary to provide the cabinet with air conditioning and/or a UPS. The corresponding equipment should be installed in the cabinet in this case. If no air conditioning is planned, then adequate ventilation must be provided at a minimum. It is recommended to equip the cabinet with a local early fire detection system that cuts off electrical power to the devices (on the input and output sides of the UPS, provided that a UPS is available) in the event of a fire.

Backup data media and log printers should not be placed in the same cabinet. Backup data media will probably also be damaged in the event that the server is damaged. Recording the tasks performed on the server in a log also serves to monitor the administrator. It therefore does not make sense to allow the administrator access, or possibly even sole access, to the log printouts.

Review questions:

• Is sufficient protection against fire according to EN 1047 taken into account when obtaining protective cabinets?
• Do the server cabinets provide sufficient space for all additional peripheral devices?
• Does the server cabinet have adequate air conditioning?
• Does the server cabinet have adequate USP?
• Is it ensured that backup data media or log printers are not stored in the same cabinet as the server?