S 2.177 Security during relocation
Initiation responsibility: Head of IT
Implementation responsibility: Head of Organisation, Head of IT, Building Services Manager, IT Security Officer
When moving to a new location, a wide variety of different data media (e.g. paper, magnetic tapes, CD-ROMs, DVDs, removable hard drives) and IT systems must be transported back and forth in addition to the furniture. In this case, information, IT systems, and other material are taken out of the secure office environment and are transported by people who normally do not have any access rights. When moving to a new location, especially if larger parts of the organisation are affected by the relocation, it is impossible to rule out a certain amount of chaos or to have someone keeping an eye on every moving box at all times. Nevertheless, it is necessary to ensure that no sensitive data is lost, corrupted, or accessible to unauthorised persons during the relocation.
Information Security Management and the Data Protection Officer should be involved as early as possible in planning the relocation in order to define the general requirements from the point of view of information security:
- When planning a relocation, it must be specified in detail in advance who will move which items to be transported when and to which location (creation of a relocation concept). This should be done anyway as a matter of principle so that work can be resumed as smoothly as possible after the move.
- Depending on the protection requirements of the data, it is necessary to specify which transportation requirements must be met. For example, lockable transport containers should be used for more sensitive data (see S 2.44 Secure packaging of data media) or the data media should be encrypted before transportation.
- Data backups should be made every time before transporting IT systems. In addition to the terms described in S 6.35 Stipulating data backup procedures, it is especially important to remember that the data backups must not be transported together with the backed up IT systems. This ensures that it is impossible for all storage media to get damaged or lost at the same time.
- An instruction sheet (relocation handout) should be created for all employees affected containing exact descriptions of all the security safeguards to be implemented.
When moving to a new location, the transportation phase is not the only critical phase; the periods shortly before and after it are critical as well. Experience has shown that many items are lost in these phases, because the standard security procedures such as site access control are not yet operational during these times. For this reason, certain minimum organisational requirements should be met during the relocation:
- Shipping papers should be issued for all materials to be transported, detailing the following information:
  - whether the items require a particular form of transport (e.g. fragile objects, special transport for computers, etc.),
  - whether a particular type of packaging should be chosen (e.g. in case of data media with confidential information),
  - where the items should be taken to (exact specification of building, floor and room),
  - who is authorised to receive the transported items,
  - who collected and delivered the items (including name, date and time).
- The goods to be transported must be uniquely labelled so that they can be clearly identified, but also so that it is possible to trace the transportation route. The labels should not provide any clues as to the sensitivity of the contents of the data media. The type of labelling used should be selected in such a way that it cannot be easily copied or reproduced. The people preparing for the relocation could provide special adhesive labels for this purpose. Here it must be ensured that the labels can be removed from the items without leaving any sticky residue behind and without damaging and/or soiling the items to be relocated.
- People should not be allowed to come and go as they please during the relocation either. The moving companies contracted should provide the organisation with the personal data of the employees involved in the relocation. If any of the employees must be replaced suddenly (due to a holiday, illness, etc.), the organisation must promptly be provided with the name of the replacement. Using a list of the names of the people involved in the relocation, the gatekeeper or other internal employees can sporadically or continuously check IDs, depending on the location and on-site conditions. The external personnel involved in the move should wear clearly visible ID passes (possibly including their names) so that everyone knows who is authorised to enter the locations.
- The items to be transported, and especially the data media, must be stored securely before and after the relocation. Any rooms that are not involved in the relocation and in which no employees will be present during this time, for example rooms that have not yet been emptied or have already been filled, should be locked.
Upon completion of relocation, regular operations should be resumed as quickly as possible. The first thing to do is to restore infrastructural and organisational security in the new offices, e.g.:
- the full scope of the site access controls should be put back into operation,
- all fire loads should be removed from the hallways, which means the moving boxes should be placed in the new office rooms,
- the items to be relocated must be examined to ensure they are complete, fully functional, and have not been tampered with,
- every employee should immediately check the items to be relocated for completeness and create a list of lost items, if necessary. To this end, the employees could be provided with a form prepared in advance where they can enter the moving boxes already transported in a list. This allows a substitute to immediately detect and report any items missing in the shipment in case the colleague is absent due to holiday, illness, or urgent business. The employee to be substituted should receive a copy of the list so that he/she can report any discrepancies discovered later.
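The shipping-paper fields, the rule that backups must not travel with the systems they back up, and the completeness check after arrival can be enforced mechanically. The following sketch is an added example and not part of the original safeguard; the `shipment` field, the record layout, and all labels, rooms and names are assumptions made for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ShippingPaper:
    label: str            # opaque unique label; says nothing about sensitivity
    destination: str      # "building/floor/room"
    receivers: tuple      # persons authorised to receive the item
    shipment: str         # transport run the item is assigned to (assumed field)
    backup_of: str = ""   # label of the IT system this medium backs up

def check_plan(papers):
    """Check the relocation plan before anything leaves the building."""
    findings, by_label = [], {}
    for p in papers:
        if p.label in by_label:
            findings.append(f"{p.label}: label used twice")
        by_label[p.label] = p
        if p.destination.count("/") != 2:
            findings.append(f"{p.label}: destination must be building/floor/room")
        if not p.receivers:
            findings.append(f"{p.label}: no authorised receiver")
    for p in papers:  # a backup must not travel with the system it backs up
        system = by_label.get(p.backup_of)
        if system and system.shipment == p.shipment:
            findings.append(f"{p.label}: backup travels with {system.label}")
    return findings

def reconcile(papers, deliveries):
    """Compare (label, room, receiver) records from the new site with the papers."""
    by_label, seen, findings = {p.label: p for p in papers}, set(), []
    for label, room, receiver in deliveries:
        p = by_label.get(label)
        if p is None:
            findings.append(f"{label}: not on any shipping paper")
            continue
        seen.add(label)
        if room != p.destination:
            findings.append(f"{label}: delivered to {room}, expected {p.destination}")
        if receiver not in p.receivers:
            findings.append(f"{label}: received by unauthorised person {receiver}")
    return findings + [f"{m}: missing" for m in sorted(by_label.keys() - seen)]

# Constructed sample data: labels, rooms and names are made up.
PAPERS = [
    ShippingPaper("K7Q-0412", "B2/3/3.14", ("a.meier",), "run-1"),
    ShippingPaper("K7Q-0977", "B2/0/0.02", ("it-admin",), "run-1", "K7Q-0412"),
    ShippingPaper("K7Q-1130", "B2/3/3.15", ("b.schulz",), "run-2"),
]
DELIVERIES = [("K7Q-0412", "B2/3/3.14", "a.meier"),
              ("K7Q-0977", "B2/0/0.02", "mover-17")]
```

Running `check_plan(PAPERS)` before the move flags the backup medium planned for the same run as its server; `reconcile(PAPERS, DELIVERIES)` afterwards yields the list of lost or wrongly received items.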
Particular care must be given to planning the relocation of all servers and network switching elements, because the entire network may be inoperable even if only one component fails.
Therefore, the central IT administration should take various precautions in advance of the relocation in order to ensure the relocation goes smoothly:
- Before starting the actual relocation phase, a plan of the necessary user connection changes should be made in good time. Here it is especially important to analyse whether new equipment must be purchased to enable smooth modification of the employees' computer connections. It is also important for security reasons to know which changes to the communication behaviour between the IT systems will result from the relocation. Depending on the protection requirements of the work performed by an employee, it may become necessary to encrypt a network connection or to restrict access to certain databases, for example.
- Before an employee is relocated, it should be ensured that he/she is reachable in his/her new office via the local network and that his/her applications and services are ready to operate. Along with changes to the end devices (routing, software configuration, etc.), this may also require prompt changes to the servers in the LAN or even to the routers in the WAN. At this point, it may be necessary to set up new addresses or routes and to delete the old ones. It may also be necessary to purchase and configure new network components beforehand.
- When moving to a new location, it is often also necessary to set up user accounts on a new server for the employees affected by the relocation. It must be ensured that the necessary rights for and accesses to applications and protocols are set up. The security settings of the user environment also must conform to the user's security profile. Old user entries and end device access entries must be modified on the old system or deleted. However, the users should be allowed to access their own data areas during a transition period, but should also be informed that these areas will be deleted after a certain grace period. When this grace period expires, the data areas must be deleted by the administrator.
Special precautions must be taken when relocating the components of the computer centre, for example the data or communication servers. The following describes safeguards intended to guarantee the shortest possible downtimes of the components.
- If possible, a new server should be installed in advance and tested in the new room. If this is not possible, the old server should be preconfigured as much as possible and transferred after adequate notice only at a time when few accesses are to be expected. In doing so, the old configuration should always be backed up in advance.
- The server should be completely backed up prior to the relocation. If not already available, a bootable backup medium should be created as well. Sensitive parts of the server such as hard disks should be duplicated (as images) in case the original hard disks fail, and these images must be transported separately from the server. It must be ensured that the data backup, the image, and the server are secure during transport (e.g. using encryption, locked boxes, and/or security guards).
- Before relocation, it must be ensured that the infrastructure required for smooth server operation in the new rooms is available and has been tested. It must be ensured that the networks are available (power, LAN, and WAN networks) and that the components are relocated in the correct order. For example, it does not make much sense to relocate the internet web server first if the firewall with its communication routers will only be set up much later.
- Before relocation, it should be checked if there are any IT components to be transported requiring special environmental conditions during the relocation. For example, some controllers for larger (and expensive!) IT systems not only need to be operated in climate-controlled rooms, but also need to be kept in climate-controlled conditions during transport.
Furthermore, it should be ensured that the new telephone numbers are working as soon as the employees have moved into their new offices. When relocating inside a building or to another location on the property, you should try to keep the old telephone numbers operating, at least for a certain transitional period. During the relocation, it must be possible to reach the employees by telephone both at the old location and at the new location so that they are available at any time in case of problems.
Review questions:
- Were security policies drawn up and/or updated in good time prior to a planned relocation?
- Have all employees been informed of which security safeguards they need to take before, during, and after the relocation?
- Were the items to be relocated checked immediately after relocation to ensure they arrived in full, undamaged, and/or unchanged?