Physical and environmental
We often think of information security threats in terms of nasty computer viruses and threat actors. But let's not forget our IT infrastructure also needs protecting from more basic environmental hazards such as fire, flooding, sabotage and power cuts.
To fulfil your responsibility to safeguard University information, you must:
- Ensure that any IT facilities within your division, department or faculty have appropriate environmental and physical security arrangements in place
- Obtain assurances, where third parties have responsibility for hosting or processing University information on your behalf, that appropriate arrangements are in place
IT facilities in your division, department or faculty, such as server rooms and data centres, are essential for the provision of IT services to the University. It is important, therefore, to factor the following safety features into your design and management of them:
- Protection against natural or man-made disasters such as fire and floods: raised flooring, fire suppression systems, and air conditioning and ventilation systems
- Protection against power failure: Uninterruptible Power Supply (UPS) for systems that require continuous power, such as core infrastructure including file servers and network equipment. Power line surge protection equipment should be used where UPS is not
- Protection against tampering: power and network cables channelled where they are less likely to be affected by future construction projects, normal traffic (people or vehicles), heavy runoffs from roads, and grit/snow removal equipment. Cables providing infrastructure support should also not be exposed and accessible to passers-by, especially in public areas. Installing cabling within walls, ceilings, or within covered trunking and out of easy reach can help reduce tampering and the possibility of intercepted network traffic or loss of service
Critical infrastructure equipment should have emergency contact details written on it so the appropriate personnel can be notified in the event of damage to the equipment or surrounding environment.
Key supporting services, such as UPS or fire suppression, should be periodically tested by qualified personnel or appropriate third parties.
The Information Security team can advise on appropriate environmental controls for your IT facility.
IT facilities are also subject to the University Physical Security Policy, which requires appropriate physical security arrangements to be in place. Security Services (Estates Services, ox.ac.uk) can advise on the implementation and monitoring of physical security controls.
Where third parties are hosting or processing University information on your behalf, you must obtain assurances that their IT facilities have appropriate environmental and physical security controls in place. See Third party security for more information.
It is University policy that you must:
- Implement appropriate security controls to protect all IT facilities used by your division, department or faculty to host or process University information