S 2.334 Selection of an appropriate building
Initiation responsibility: Top Management, Head of Internal Services
Implementation responsibility: Internal Services
In addition to site planning (see S 1.16 Selection of a suitable site), which examines the environment of a building, the building itself must be assessed with respect to its internal suitability. In general, it should already be checked during selection of the building whether all safeguards relevant for the future use can actually be implemented.
For some of these safeguards, however, it is very difficult or even impossible to meet the prerequisites subsequently. Therefore, when an existing building is being selected, this safeguard is intended to help avoid in advance, wherever possible, problems that typically do not occur until later. It can also be helpful when planning a new building.
Depending on whether the building is bought or rented, the individual aspects differ in relevance. From the perspective of information security, the following must be taken into account, among other things, with regard to the condition of the building fabric:
- Does the structure (maximum load-bearing capacity of the ceiling, load-bearing walls) allow for setting up rooms with a high surface load (server room, computer centre, UPS, etc.) in places where they would be conveniently located for practical reasons and from the perspective of information security (see also S 1.13 Layout of building parts requiring protection and for a computer centre S 1.47 Separate fire zone)?
- Is it possible to use and to establish the existing or additionally required access ways (corridors, staircases, lifts) in such a way that safeguards such as S 2.17 Entry regulations and controls can be implemented in an appropriate manner?
- Do the access ways allow areas with high security requirements to be separated from those with low security requirements so that, for example, training rooms are located outside of sensitive areas such as product development?
- Is it possible to also use existing or additionally required access ways (corridors, staircases, lifts) for transport of larger IT components? If this is not guaranteed, the recovery after hardware damage may be significantly delayed under certain circumstances.
- Are there any (building) constraints (right of way, preservation order, etc.) which could hinder the use of the building as needed? In particular, third-party rights of way must be observed here as these might conflict with required areas with access protection.
- Is a room allocation possible that allows the implementation of the safeguards S 1.8 Room allocation, with due regard to fire loads and S 1.51 Fire load reduction?
- Can the safeguards S 1.3 Appropriate segmentation of circuits and S 1.39 Prevention of transient currents on shielding be implemented?
- Is external lightning protection in place? If yes, does this influence details of the implementation of the safeguards S 1.25 Overvoltage protection and S 1.39 Prevention of transient currents on shielding?
For rental properties, the following aspects need to be taken into account additionally:
- Does the tenant receive all the rights required for the appropriate renovation of the building? What are the rights and means of recourse reserved by the landlord?
- Do security systems have to be dismantled after the end of the tenancy? It must be ensured in the planning phase that required security safeguards are not omitted because of such additional costs.
- If the building is simultaneously used by third parties, it must be clarified to what extent this hinders or even prevents the implementation of safeguards.
- Will the tenant be given a say when parts of the building used by third parties are later let to a new tenant? A new co-tenant of the building may have to be considered more critical to security than the previous one.
Example: The personnel department of a small school-book publisher moves out and the next tenant setting up office there is a politically or socially highly controversial organisation.
The security requirements taken into account during selection of the building should be documented. In particular, any security risks and the safeguards implemented in order to prevent these or to reduce their effects should be documented.
Review questions:
- Have the existing threats and the required safeguards to prevent or to reduce damage been documented for each building?