Risks & Benefits of Network Connected Devices & Supporting Utilities
The standard for information security, ISO 27001, is unlike other management systems as it has an Annex of 114 controls that organisations need to implement or exclude with justifications.
It has a reputation for being an IT standard, and although there are many technical aspects, the standard is actually intended to cover all types of information and the threats to it.
So the language of the controls can vary from technical, to managerial, to outright unclear.
One control that bridges the IT and Facilities worlds is A11.2.2 Supporting Utilities. It is found under A11 for Physical Security; however, it is most commonly applied to the IT environment, including data centres and server rooms.
Temperature Control for Server Rooms and Data Centres
IT equipment generates a lot of heat so cooling via Air Conditioning, or some other method, forms a key ‘supporting utility’, as without it the availability of IT systems can be compromised. This will usually appear on your ISO 27001 Risk Register.
In recent years some organisations have been obliged under the ESOS Regulations to find ways to ‘save energy’, and this causes many to look again at the optimal operating temperatures for the equipment in their estate.
In the past it’s been common practice to keep ambient temperatures at around 21 degrees, however, some organisations have reviewed the manufacturer’s guidance and found operating at 27 degrees to be equally effective, thus reducing the energy required to cool the environment. Read more about Server inlet temperature and humidity adjustments.
Resilient Uninterruptible Power Supply (UPS)
Resilient and reliable power is essential to keeping your IT estate ‘online’, so it is certainly an important ‘Supporting Utility’.
Traditionally IT departments have used UPS devices to keep key equipment running long enough either to shut down safely or to wait for a backup generator to kick in. This means not only monitoring the power supply for spikes, sags and surges, but also regularly checking the health of the UPS batteries, which deteriorate over time.
Disposing of redundant batteries can be difficult and is covered by several areas of UK law. Manufacturers and larger distributors must offer a ‘take-back’ scheme, but as a minimum organisations should take waste batteries to a proper waste facility for processing.
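The monitoring described above (input voltage for sags and surges, battery charge, runtime and age) is easy to automate against the status a UPS monitor already exposes. The following is an added example, not code from the original article or from any UPS vendor; it assumes status is available as "variable: value" lines in the style of NUT's `upsc` tool, uses a constructed sample, and applies constructed thresholds (10% voltage tolerance, 600 s minimum runtime, three-year battery age) rather than any manufacturer's figures.

```python
from datetime import date

# Constructed sample in the "variable: value" style of NUT's `upsc` output
# (assumption: your UPS monitor exposes similar variables; names vary by driver).
SAMPLE_STATUS = """\
ups.status: OL
input.voltage: 204.0
input.voltage.nominal: 230
battery.charge: 62
battery.charge.low: 20
battery.runtime: 420
battery.date: 2016-03-01
ups.test.result: Done and warning
"""


def parse_status(text):
    """Turn 'key: value' lines into a dict; blank or malformed lines are skipped."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        status[key.strip()] = value.strip()
    return status


def check_ups(status, today, voltage_tolerance_pct=10.0,
              min_runtime_s=600, battery_max_age_days=3 * 365):
    """Return a list of human-readable alerts; an empty list means healthy.

    `today` is an ISO date string so the battery-age check is reproducible.
    Thresholds are constructed defaults, not manufacturer figures.
    """
    alerts = []
    flags = status.get("ups.status", "").split()
    if "OB" in flags:
        alerts.append("running on battery (mains lost)")
    if "LB" in flags:
        alerts.append("UPS reports low battery")
    if "RB" in flags:
        alerts.append("UPS reports battery needs replacing")

    # Sags and surges: input voltage outside +/- tolerance of nominal.
    try:
        volts = float(status["input.voltage"])
        nominal = float(status["input.voltage.nominal"])
        deviation = (volts - nominal) / nominal * 100.0
        if deviation < -voltage_tolerance_pct:
            alerts.append(f"input sag: {volts:.1f} V is {abs(deviation):.1f}% below nominal")
        elif deviation > voltage_tolerance_pct:
            alerts.append(f"input surge: {volts:.1f} V is {deviation:.1f}% above nominal")
    except (KeyError, ValueError):
        alerts.append("input voltage not reported; mains monitoring is blind")

    # Battery health: charge against the UPS's own low-charge threshold, then runtime.
    try:
        charge = float(status["battery.charge"])
        low = float(status.get("battery.charge.low", 20))
        if charge <= low:
            alerts.append(f"battery charge {charge:.0f}% at or below low threshold {low:.0f}%")
    except (KeyError, ValueError):
        alerts.append("battery charge not reported")
    try:
        runtime = float(status["battery.runtime"])
        if runtime < min_runtime_s:
            alerts.append(f"estimated runtime {runtime:.0f}s is below {min_runtime_s}s")
    except (KeyError, ValueError):
        alerts.append("battery runtime not reported")

    # Battery age: batteries deteriorate, so flag old ones even when charge looks fine.
    try:
        installed = date.fromisoformat(status["battery.date"])
        age_days = (date.fromisoformat(today) - installed).days
        if age_days > battery_max_age_days:
            alerts.append(f"battery is {age_days} days old (limit {battery_max_age_days})")
    except (KeyError, ValueError):
        alerts.append("battery install date unknown; age cannot be assessed")

    # Self-test outcome, if the UPS reports one.
    result = status.get("ups.test.result", "").lower()
    if result and ("warning" in result or "fail" in result):
        alerts.append(f"last self-test: {status['ups.test.result']}")
    return alerts


if __name__ == "__main__":
    for alert in check_ups(parse_status(SAMPLE_STATUS), today="2024-01-01"):
        print("ALERT:", alert)
```

Run against the constructed sample it reports an input sag, a runtime below the minimum, an aged battery and a self-test warning; each alert is a candidate entry against the supporting-utilities risk on the risk register rather than something to wait for the next power cut to discover.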
With the adoption of cloud computing, many of the risks around power supply and end-of-life batteries have moved to the cloud provider, rather than your in-house team.
It can be difficult to measure energy use within a multi-tenanted cloud environment, but the increased resilience helps to reduce risks you may have identified and strengthens the ‘Supporting Utilities’ Control in ISO 27001.
IoT & Other Utilities
You may identify other ‘utilities’ that are key to maintaining the resilience of your organisation, and these can also be addressed under control A11.2.2.
However, where devices are ‘connected’ or ‘smart’, driven by the growth of the Internet of Things (IoT), there are additional risks to consider. Anything connected to your network could expose a vulnerability and provide a backdoor for attackers.
Best practice would have all non-essential internet-connected devices segregated from your corporate network, which includes equipment you might use for energy monitoring, door-bells/intercoms, digital visitor books; we’ve even heard of connected pest control traps.
The firmware on these devices may not be as robust as it could be, and devices which are new to the market have not been in real-world use long enough for their security flaws to be found and patched.
Supporting Utilities can play a key part in managing your IT infrastructure and other areas of your facilities. However, the more devices connected to your network, the larger the attack surface you expose, and mitigations such as network segregation should be considered.
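Segregation is only useful if it is verified: every non-essential connected device should actually sit in the isolated segment, and the firewall should not be passing traffic from that segment into the corporate LAN. The following is an added example, not code from the original article; it assumes a constructed inventory, two constructed address ranges (corporate and IoT), and firewall flow records in a constructed `src= dst= dport= action=` format, and it flags both misplaced devices and allowed IoT-to-corporate flows.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed segments: the corporate LAN and a separate IoT VLAN.
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "iot": ip_network("10.99.0.0/24"),
}

# Constructed inventory: (device, address, essential to the business?).
# Non-essential connected kit is expected to sit in the IoT segment.
INVENTORY = [
    ("file-server-01", "10.10.1.5", True),
    ("energy-meter", "10.99.0.10", False),
    ("front-door-intercom", "10.10.3.44", False),   # wrongly on the corporate LAN
    ("visitor-book-tablet", "10.99.0.21", False),
    ("pest-trap-gateway", "10.10.7.9", False),      # wrongly on the corporate LAN
]

# Constructed firewall flow records in an assumed key=value format.
FLOW_LOG = """\
2024-05-02T10:14:03Z src=10.99.0.10 dst=10.10.1.5 dport=445 action=ALLOW
2024-05-02T10:14:07Z src=10.10.2.14 dst=10.99.0.21 dport=443 action=ALLOW
2024-05-02T10:14:09Z src=10.99.0.21 dst=10.10.1.5 dport=445 action=DENY
2024-05-02T10:14:12Z src=10.99.0.10 dst=203.0.113.9 dport=443 action=ALLOW
"""

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def segment_of(address, segments=SEGMENTS):
    """Name of the segment containing `address`, or 'external' if none matches."""
    ip = ip_address(address)
    for name, net in segments.items():
        if ip in net:
            return name
    return "external"


def misplaced_devices(inventory=INVENTORY, segments=SEGMENTS):
    """Non-essential devices that are not in the IoT segment."""
    return [name for name, addr, essential in inventory
            if not essential and segment_of(addr, segments) != "iot"]


def iot_to_corporate_flows(log_text=FLOW_LOG, segments=SEGMENTS):
    """Allowed flows from the IoT segment into the corporate segment.

    A DENY record means the segregation rule did its job and is not reported.
    Returns (src, dst, dport) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m or m["action"] != "ALLOW":
            continue
        src_seg = segment_of(m["src"], segments)
        dst_seg = segment_of(m["dst"], segments)
        if src_seg == "iot" and dst_seg == "corporate":
            findings.append((m["src"], m["dst"], int(m["dport"])))
    return findings


if __name__ == "__main__":
    print("non-essential devices outside the IoT segment:", misplaced_devices())
    print("allowed IoT -> corporate flows:", iot_to_corporate_flows())
```

On the constructed data the intercom and the pest-trap gateway are reported as sitting on the corporate LAN, and one allowed SMB flow from the energy meter to the file server shows the firewall policy has a hole; the denied flow from the visitor book is not reported because that is the segregation working as intended. Traffic from the IoT segment to the internet is left alone here, since those devices normally need it to function.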