IT Baseline Protection Manual S 2.177 Security during relocation
Initiation responsibility: Head of IT Section
Implementation responsibility: Head of Organisation, Head of Site Technical Service; Head of IT Section; IT Security Management
Relocation of an office entails not only transporting furniture between sites but also moving quite different data media (e.g. hard copies, diskettes, magnetic tapes) and IT systems. While the move is going on, information, IT systems and other material are taken out of the secure office environment and transported by personnel who normally are not authorised to access them. Especially where a large part of the organisation is affected by the move, the risk of a certain amount of chaos can never be excluded and it is simply not possible to have every removal crate watched at all times. Nevertheless, care must be taken that sensitive data does not get lost, damaged or fall into the hands of unauthorised persons during the move.
When planning the move, IT Security Management and the Data Privacy Officer should be involved as early as possible so that they can specify the IT security requirements.
When planning a move, details must be drawn up in advance of who will be moving with what cargo to which location and at what time. This is of course essential in order that work can be resumed as smoothly as possible after the office move has been completed.
The requirements which must be adhered to during transportation must be determined in accordance with the level of protection the data requires. For example, lockable transport containers should be used for more sensitive data (see S 2.44 Secure packaging of data media) or alternatively the data media should be encrypted prior to transportation.
Data backups should be made before any IT systems are moved. In addition to the parameters specified in S 6.35 Stipulating data backup procedures, care should be taken here to ensure that under no circumstances are the backups transported together with the IT systems backed up. This will ensure that it is not possible for all storage media to be damaged or go missing at the same time.
An instruction sheet which provides details of all the IT security measures to be taken should be prepared for all the employees concerned.
During a relocation, the actual removal is not the only critical phase: the periods immediately before and after the move are equally critical. Experience suggests that many items go missing in the phase immediately following the move before standard security procedures such as access control can be put in place. Certain organisational minimum requirements must therefore be satisfied during the removal as well:
Transport documents should be completed for all materials to be transported. These should make clear:
whether the items require a particular form of transport (e.g. fragile objects, special transport for computers etc.),
where they are to be taken to,
the names of the authorised recipients,
the names of the persons who collected and delivered the items (together with the date and time).
The shipment itself must be marked in such a way that it can be uniquely identified and the transport route is also clear. However, labelling should not include any information regarding the sensitivity of the content. The labelling scheme should be designed so that it is not easy to copy. To achieve this, those planning the removal could provide special labels.
Again, comings and goings during a move should be subject to controls. The authorised removal companies should provide advance information regarding the identity of the staff they plan to use. Where staff are changed suddenly due to holidays, sickness etc., the names of stand-in staff should be notified promptly. Depending on the particular location and circumstances, the doormen or other company employees can then check the names of those seeking access against a list of names of those involved in the removal either sporadically or continuously. Any external contractors involved in the removal should be provided with identity passes which show clearly who has rights of access.
Shipments, especially data media, must be held securely both before and after the move. Any rooms in which removal activities are not taking place but which are not supervised by staff, for example, rooms which have not yet been cleared or have already been cleared, should be locked.
Once the move has taken place, controlled operations should be resumed as quickly as possible. Priority should be given to the infrastructural and organisational security of the new offices, for example,
full access control measures should be resumed;
fire loads should be removed from corridors, i.e. removal crates should be taken to the new working areas;
shipments should be checked on delivery to ensure that they are complete, in working order and have not been manipulated.
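The following is an added illustration, not part of the manual: one way to make labels hard to copy and to check shipments on delivery, and to catch a backup planned into the same transport as the system it backs up. The keyed tag (HMAC), the field names and all sample values are assumptions constructed for this example.

```python
import hashlib
import hmac

# Constructed demo key; assumed to be held only by those planning the removal.
LABEL_KEY = b"constructed-demo-key"

def issue_label(shipment_id, destination):
    """Label carries id, route and a keyed tag; nothing about sensitivity."""
    msg = f"{shipment_id}|{destination}".encode()
    tag = hmac.new(LABEL_KEY, msg, hashlib.sha256).hexdigest()[:12]
    return f"{shipment_id}|{destination}|{tag}"

def label_is_genuine(label):
    """A copied or hand-written label fails unless its tag matches the key."""
    parts = label.split("|")
    if len(parts) != 3:
        return False
    return hmac.compare_digest(issue_label(parts[0], parts[1]), label)

def backups_with_source(docs):
    """Ids of backups planned into the same transport as the system they back up."""
    transport = {d["id"]: d["transport"] for d in docs}
    return [d["id"] for d in docs
            if d["backup_of"] and transport.get(d["backup_of"]) == d["transport"]]

def reconcile_delivery(docs, scanned, destination):
    """Check labels scanned on delivery against the transport documents."""
    expected = {d["id"] for d in docs if d["destination"] == destination}
    seen, rejected = set(), []
    for label in scanned:
        parts = label.split("|")
        if label_is_genuine(label) and parts[1] == destination and parts[0] in expected:
            seen.add(parts[0])
        else:
            rejected.append(label)
    return {"missing": sorted(expected - seen), "rejected": rejected}

# Constructed transport documents (field names are assumptions).
DOCS = [
    {"id": "C-0141", "destination": "B2-R310", "transport": "van-1", "backup_of": None},
    {"id": "C-0142", "destination": "B2-R310", "transport": "van-1", "backup_of": "C-0141"},
    {"id": "C-0143", "destination": "B2-R310", "transport": "van-2", "backup_of": None},
]
SCANNED = [issue_label("C-0141", "B2-R310"), issue_label("C-0142", "B2-R310"),
           "C-0143|B2-R310|000000000000"]  # last label is a constructed forgery

if __name__ == "__main__":
    print(backups_with_source(DOCS))
    print(reconcile_delivery(DOCS, SCANNED, "B2-R310"))
```

The sensitivity of each shipment stays in the internal transport documents only; the label reveals just the identifier and the route.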
Particular care should be taken when planning the relocation of any servers and network switching elements, as failure of one component alone could be sufficient to put the entire network out of action.
Prior to a move, the central IT administration should therefore take a number of precautions to ensure that everything goes smoothly:
Before the relocation phase gets under way, a plan covering any necessary changes in user connections should be prepared in good time. In particular, an analysis should be performed as to whether any new equipment is necessary to ensure the smooth changeover of the computer connections of staff. For security reasons it is also important to know what changes will occur in the communication behaviour of the IT systems as a result of the move. Depending on the level of protection required for the work of different members of staff, it can be necessary, for example, to encrypt a network connection or to prohibit access to certain data stocks.
Before an employee relocates, care should be taken to ensure that he can be reached over the local network in his new office and that his applications and services are working. This may require changes not only to the terminal device (routing, software configuration etc.), but also early changes on the server side in the LAN or even to routers in the WAN. It may be necessary here to set up new addresses or routes and/or to delete old ones. It may be necessary to procure and install new network components in advance.
During a relocation it is often also necessary to set up user accounts on a new server for the staff who are moving offices. Steps must be taken to ensure that the required access rights and access to applications and protocols have been configured. The security settings of the user environment must be retained in accordance with the relevant security profile. Old user entries and terminal device access entries must be modified on the old system or deleted. Nevertheless, users should continue to have access to user-specific data areas for a transition period, albeit with the proviso that the appropriate delete operation must be performed after a defined period. Once this period has expired, deletion must be effected by the administrator.
Special precautions must be taken where components of the computer centre, such as data or communications servers, are being moved. The measures described below are aimed at minimising component downtime:
If possible, a new server should be installed in advance and tested in the new premises. If this is not possible, then the old server should be preconfigured as far as possible and only be adjusted at a time when access demands may be expected to be low and after issuing sufficient prior notice. The old configuration should always be backed up prior to commencing such work.
The server should be backed up completely before the move. A bootable backup medium should be created if this is not already available. Sensitive parts of the server such as hard disks should always be duplicated (image backup) in case the original fails, and should be transported separately from the server. Care should be taken to ensure that the data backup, the image copy and the server are all secure during transportation (e.g. using encryption, locked box, security guard).
Prior to the move, steps should be taken to ensure that the infrastructure needed for error-free server operation is available in the new premises and has been tested. This is not just a question of the availability of the network (power supply, LAN, WAN); it is also important that the components are moved in the correct sequence. For example, there is little point in having the Internet Web server moved first when the firewall with its communications router will not be set up until considerably later.
Prior to the move, a check should be made to see whether the IT components to be transported include any which require special environmental conditions during the move. For example, some large and expensive IT systems have controllers which not only have to be operated in air-conditioned premises but need to be air-conditioned during transportation as well.
Steps must also be taken to ensure that the new telephone numbers are already working by the time staff have moved into their new offices. Where the move is within a single city, if possible the old telephone numbers should be retained for at least a transition period. During the move telephone access must be possible both in the old premises and in the new location so that in the event of any problems staff are contactable at all times.
Additional controls:
Have security guidelines been prepared in good time before a planned move?
Have all staff been informed of the IT security measures which are to be taken prior to, during and after the move?