THE TATA POWER COMPANY LIMITED Information Security ......Placement § Tata Power Intranet . The...

THE TATA POWER COMPANY LIMITED

Information Security Policies and Procedures

July 2014

Physical and Environment Security Procedure

All information contained in this document is proprietary and intended solely for INTERNAL use by

The Tata Power Company Limited’s Employees

The Tata Power Company Limited Physical and Environment Security Procedure Document ID: Tata Power/ISPP/ Procedure

Tata Power - Internal of 21

Document Control

Document properties

Document name: Physical and Environmental Security Procedure

Document version: 3.0

Document owner: Chief - Information & Communications Technology and Head - Technology

Review frequency: Annual (December every year)

Authorization

Prepared by Reviewed by Agreed by Approved by

Name:

Name:

Name:

Name:

Signature:

Signature:

Signature:

Signature:

Date : Date : Date : Date :

Version history

Version Issue date Effective date Prepared by Approved by Description

1.0 Jul 2008 Mr. G Kingslin Mr. G Rajagopalan

Final Release

2.0 Dec 2011 Mr. Rakesh Shah

Mr. U K Ghatak Review and Release

3.0 Jul 2014 Mr. S K Damle Mr. P K Dutta Review and Release

Distribution list

§ Information Security Steering Committee

§ Information and Communications Technology (ICT) Team

§ Corporate Security Team

§ Fire and Safety Team

§ Administration Team

Placement

§ Tata Power Intranet



Table of Reference

Sr. No.

Section Number(s) Reference Document Title Document

Type

1. 1.3.5.1 PES - Visitor Access Register Template

2. 1.3.5.1 PES - Visitor Laptop-Media Register Template

3. 1.4.4 PES - Physical Access Request Form Template

4. 1.19.2.4 PES - Media Destruction Register Template

5. 1.20.5.3 PES - Media Movement Register Template

6. 1.20.5.3 PES - Media Inventory Register Template



Table of Contents

1. PHYSICAL AND ENVIRONMENT SECURITY ........................................................................................... 5

1.1 OBJECTIVE ............................................................................................................................................ 5

1.2 PHYSICAL SECURITY PERIMETER ..................................................................................................... 5

1.3 ENTRY RESTRICTIONS FOR PREMISES ............................................................................................ 5

1.4 ACCESS TO SERVER ROOM ............................................................................................................... 7

1.5 WORKING IN SECURE AREAS............................................................................................................. 7

1.6 PUBLIC ACCESS, DELIVERY AND LOADING AREAS ........................................................................ 8

1.7 EQUIPMENT SITTING AND PROTECTION .......................................................................................... 8

1.8 SECURITY OF ELECTRONIC OFFICE EQUIPMENT ........................................................................... 9

1.9 PHYSICAL SECURITY OF DESKTOPS AND LAPTOPS ...................................................................... 9

1.10 PHYSICAL SECURITY OF NETWORK EQUIPMENT ......................................................................... 10

1.11 PHYSICAL ACCESS TO SCADA SYSTEMS ....................................................................................... 10

1.12 SUPPORTING UTILITIES .................................................................................................................... 10

1.13 CABLING SECURITY ........................................................................................................................... 10

1.14 MAINTENANCE OF ELECTRONIC OFFICE EQUIPMENT ................................................................. 11

1.15 MAINTENANCE OF ELECTRONIC EQUIPMENT AT DATA CENTRE ............................................... 11

1.16 IT HARDWARE MANAGEMENT .......................................................................................................... 12

1.17 NON-IT EQUIPMENT (OFFICE-EQUIPMENT) MANAGEMENT ......................................................... 13

1.18 SECURITY OF EQUIPMENT OFF-PREMISES ................................................................................... 13

1.19 DISPOSAL OF MEDIA .......................................................................................................................... 14

1.20 REMOVAL OF ASSETS IN AND OUT OF PREMISES ....................................................................... 15

1.21 ENVIRONMENTAL SECURITY STANDARDS .................................................................................... 16



1. Physical and Environment Security 1.1 Objective

1.1.1 The objective of this procedure is to:

1.1.1.1 Assist in defining secure zones within the Company

1.1.1.2 Define controls be implemented for secure zones hosting critical and sensitive information, IT infrastructure and operational technology equipment.

1.2 Physical Security Perimeter

1.2.1 A Physical security perimeter shall exist around secure areas, and be clearly defined and appropriately labeled.

1.2.2 The perimeter surrounding a secure area shall be physically sound to prevent break-ins. In case the barrier contains any other outlets including fire doors, apart from the one used normally for access, deployment of suitable intruder detection system(s) like door alarms.

1.2.3

1.2.4 The selection and design of a secure area shall take into account the possibility of physical and environmental threats from neighbouring premises. Refer to Emergency preparedness plans for your respective locations

1.2.5 Hazardous or combustible materials shall be stored securely at a safe distance from secure areas

1.2.6 Fallback equipment and back up media of high risk IT resources in any secure area shall preferably not be kept in the same secure area.

1.3 Entry Restrictions for Premises

1.3.1 Access to sites and buildings shall be restricted to employees and authorized personnel only.

1.3.2 Appropriate physical access control system shall be deployed to help in the identification of personnel and maintain an audit trail of his or her access. Audits trails shall capture In-time, out-time, zone in which the personnel is currently expected to access, zone currently accessed by the user.

1.3.3 Server room access shall be limited to ICT Department personnel. The access restriction shall be enforced through the use of appropriate access control technologies.

1.3.4 Entry Restriction for Employees

1.3.4.1 The employees must have the ID card in person while visiting secure areas. Any employee using any such cards he or she is not authorized to shall be a violation of the Company’s Information Security Policy. All authorized holders of such cards shall keep these cards in a secure manner such that they shall not be used by anybody else.



1.3.4.2 Security guards on a 24-hour basis shall monitor the entrance to the premises. The guards shall challenge all the visitors and direct them to respective Tata Power employees located inside premises.

1.3.4.3 Access to secure areas shall be restricted with the use of appropriate access control technologies by its Administration/ Security Department /ICT Department. Wherever access cards with automatic logging system are not used for critical and sensitive areas only, it shall be mandatory that every entry and departure shall be maintained in a manually kept log register.

1.3.4.4 Issue of these access cards shall be strictly controlled and given only to such employees/ contractors/ third parties who shall require access to secure areas as a part of their regular official duty. The Company’s ICT team shall give such privileges on the recommendation of the concerned Department Heads.

1.3.4.5 The physical access control system shall log the employee name and time of entry.

1.3.4.6 The Head - Administration or personnel identified by the Head – Administration shall conduct a review the log of the appropriate access controls systems records on a fortnightly basis.

1.3.4.7 In case of failure of Access controls system, a visitor register shall be maintained for logging employee/ contractors/ third parties movement at all the entry and exit gates.

1.3.4.8 The visitor register shall indicate the name, date and in and out timings of user movement within the premises.

1.3.5 Entry Restrictions for Visitors

1.3.5.1 The management shall identify areas where outsiders shall not be permitted to enter unless the following are done:

§ Visitors shall be classified into vendors, suppliers, site-visitors, contractors, consultants, auditors, interview candidates.

§ The uninformed visitors (personal matters, site-visit etc.) shall obtain written permission from respective department head before entering into the premises.

§ The authorized employee of the concerned Department, who has routine access rights to such areas as a part of his or her normal official duty, shall accompany visitor.

§ Visitors shall obtain written permission from the Manager - IT Infrastructure before gaining access to the server room or the physical areas that store sensitive information or data. The visitors shall always be escorted during their visit to the physical areas that store sensitive information or data.

§ Regular vendors, suppliers shall be listed in independent registers and Administration department shall validate their name and identity before allowing them entry into premises. These parties shall be assigned semi-permanent passes or identification badges by the Administration department.

§ The security personnel shall frisk all visitors manually and their bags shall be checked to record the material carried by them into the visitor’s logbook. At the time of their departure, they shall be checked again to ensure that nothing (other than what had been logged) is being carried out.

§ Visitors shall sign-in, in the visitors’ logbook, which shall be with the security guard. The visitor’s log shall be retained for a minimum of 6 months and reviewed every week. (Refer: PES - Visitor Access Register)

§ Visitors carrying laptops, PDA’s, mobile phones with camera, USB drives, CDs, floppies need to enter the details of the same in the Visitor register. (Refer: PES - Visitor Laptop-Media Register)

§ Employees shall intimate the Manager - IT Infrastructure of expected visitors at server room/IDC well in advance. The Manager - IT Infrastructure shall in turn, inform the concerned employee about the arrival of the visitor in the office.



§ Visitors shall wear a visitor badge to inform personnel that a non-employee is in the premises.

§ All visitors shall be instructed to return the badge before leaving the premises.

§ The returnable badge not received within a month shall be reported to the concerned Department Head.

§ Visitors shall obtain prior written permission from the respective department to work on weekends and holidays.

1.4 Access to Server Room

1.4.1 Access to server room shall be restricted by a proximity card reader system or biometric access controls. The access shall be granted only to specified employees of the ICT Department. The Manager - IT Infrastructure shall authorize the access. The Manager – Information Security shall review the accesses granted to the various personnel on a quarterly basis.

1.4.2 Vendors need to access the server room for maintenance work for the IT equipment, infrastructure equipment and cleaning. The Supervisors or the Administration department team member shall escort such third parties to their work areas and will ensure supervision of the work done by the third parties. No third party shall be allowed inside critical and sensitive areas like the server room or the Control room for OT unless supervised by the Company’s ICT personnel or OT personnel respectively.

1.4.3 A security camera shall be installed in the server room and shall be monitored by dedicated Security personnel at periodic intervals and also randomly check the tapes to identify any suspicious activity during the day. This data shall be audited and correlated with other entries. Recorded tapes shall be stored for at least 30 days or as suggested by the local police department in-charge.

1.4.4 The Server room access register shall provide details of the visitors who have visited the server room and the equipment accessed by them. In addition, the logbook shall contain the details of the activity performed by visitors and shall be countersigned by the accompanying the Company’s ICT personnel. (Refer: PES - Physical Access Request Form)

1.4.5 All the critical and sensitive areas like server room or OT control room logs shall be retained for a minimum of 30 days or as suggested by the Local police department.

1.4.6 Protection against external and environmental threats Refer: Environmental Security Standards

1.5 Working in Secure Areas

1.5.1 The Company’s personnel shall only be aware of the existence of any activities taking place within, a secure area on a need to know basis.

1.5.2 Unsupervised working in secure areas shall be avoided.

1.5.3 Vacant secure areas shall be physically locked and periodically checked.



1.5.4 A security camera shall be installed in the entire floor space covering the entire working area and shall be monitored by dedicated security personnel at all times. The data shall be audited and correlated with other entries. Recorded tapes shall be stored for at least three months.

1.5.5 Photographic, video, audio or other recording equipment, such as cameras in mobile devices will not be allowed in secure areas unless authorized by the Information Security Steering Committee/ Departmental Head In writing.

1.5.6 Open areas, or vacant areas, which are not in use, shall be locked down or randomly checked for any illegal activities.

1.6 Public Access, Delivery and Loading Areas

1.6.1 Access to a delivery and loading area from outside of the building shall be restricted to identified and authorized personnel. Security personnel shall check credentials of vendors or suppliers before allowing them to enter into the premises..

1.6.2 The delivery area shall be designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building.

1.6.3 The external doors of a delivery and loading area shall be secured when the internal doors are opened.

1.6.4 Incoming material shall be scanned by the security personnel before entering the premises and inspected for potential threats before this material is moved from the delivery and loading area to the point of use.

1.6.5 Incoming material shall be registered in accordance with asset management procedures on entry to the site.

1.6.6 Incoming and outgoing shipments shall be physically segregated, where possible.

1.6.7 Access to public areas delivery and loading areas shall be monitored by security personnel during delivery and loading processes.

1.6.8 Security cameras shall be installed covering all the public areas, delivery and loading areas.

1.7 Equipment Sitting and Protection

1.7.1 Information processing facilities handling sensitive data shall be positioned and the viewing angle restricted to reduce the risk of information being viewed by unauthorized persons during their use, and storage facilities secured to avoid unauthorized access.

1.7.2 All Control Rooms shall be housed in separate isolated areas, with access granted only to specific, named individuals on a need basis by the concerned Department Authority/ Administration Department.

1.7.3 Items requiring special protection shall be isolated to reduce the general level of protection required.



1.7.4 Suitable floor structuring including lighting, power and water damage safety requirements shall be considered given the nature of the operations.

1.7.5 Guidelines for eating, drinking and smoking in proximity to information processing facilities shall be established. (Refer: Environmental Security Standards)

1.8 Security of Electronic Office Equipment

1.8.1 Electronic office equipment includes faxes, printers and EPABX. These shall be physically secured, as they are sources of receipt or processing of data in a physical or voice format. The security considerations are as follows:

1.8.1.1 The faxes and printers shall be placed in a secured area. Access to both shall be restricted to ensure that no visitor can gain easy access without notice of the staff. Supervisors responsible for the fax and printer shall ensure the physical access security and take necessary precautions. This equipment shall be protected from heat, pollution and other environmental hazards.

1.8.1.2 The EPABX shall be located in a secure area. It forms one of the main means of communication for the company. It shall be protected from unauthorized access and other environmental hazards.

1.8.1.3 Regardless of ownership, management shall authorize the use of any information processing equipment outside the organization’s premises.

1.8.1.4 Equipment and media taken off the premises shall not be left unattended in public places; portable computers shall be carried as hand luggage and disguised where possible when traveling.

1.8.1.5 Adequate insurance cover shall be in place to protect equipment off-site.

1.9 Physical Security of Desktops and Laptops

1.9.1 IT users assigned to every desktop and Laptop shall be responsible for ensuring their physical security–

1.9.2 All desktops shall be provided with UPS for protection against loss or fluctuation of power.

1.9.3 All the portable devices including laptops shall be encrypted using proven disk encryption technologies.

1.9.4 The respective users shall ensure desktop and laptop security against fire, water and pollution damage

1.9.5 Their responsibilities include taking all possible steps to ensure safety hardware and the information stored within and inform the Administration team in case any event is noted.

1.9.6 Laptops shall be locked to the desk using Kensington locks or kept in lock and key when the user needs to step out of office premises.

1.9.7 All the user sessions shall be locked when not on desk using operating system’s lock feature

1.9.8 All the spare systems and spare computer peripherals shall be locked using a lock and key or secured by zip tag fasteners to restrict unauthorized access to computing hardware



1.10 Physical Security of Network Equipment

1.10.1 Network equipment located throughout the premises shall be placed in locked cabinets and shall be protected from fire, heat, dust and water.

1.11 Physical access to SCADA Systems

1.11.1 Installations of power generation controllers or SCADA systems shall be deemed as high-risk areas.

1.11.2 All the access areas where power generation controllers are maintained shall be kept under lock at all times

1.11.3 Only authorized users shall be granted access to the installations of controllers and access to other employees, contractors shall be restricted.

1.11.4 Authorized personnel shall escort any vendors who visit such critical sites for maintenance work..

1.11.5 Authorized personnel for carrying out work at such critical installation sites shall be issued work permits.

1.11.6 Security cameras shall be installed at various locations within such critical sites to monitor personnel movement. Camera logs shall be maintained and reviewed at regular intervals.

1.12 Supporting Utilities

1.12.1 Refer Environmental Security Standards.

1.13 Cabling Security

1.13.1 Power and telecommunications cables carrying data, controlling cables or supporting information services shall be protected from interception or damage. The following shall be considered:

1.13.1.1 Power and telecommunications lines into the premises and server room shall be either underground or adequately protected.

1.13.1.2 Network cabling shall be protected from unauthorized interception or damage, by using conduits.

1.13.1.3 Power cables shall be segregated from communications cables to prevent interference.

1.13.1.4 Power and network cables shall be adequately separated from each other to prevent any electrical interference.

1.13.1.5 SCADA systems shall be implemented on a network other than data traffic network for monitoring power generation controller systems.



1.14 Maintenance of Electronic Office Equipment

1.14.1 All equipment shall be maintained in accordance with the supplier’s recommended service intervals and specifications. -

1.14.2 Only authorized maintenance personnel shall carry out repairs and service equipment.

1.14.3 Records of all suspected or actual faults, preventive and corrective maintenance shall be kept.

1.14.4 Appropriate controls shall be implemented when equipment is scheduled for maintenance, taking into account whether personnel on site or external to the organization perform the maintenance; where necessary; sensitive information shall be cleared from the equipment or the maintenance personnel shall be sufficiently cleared.

1.14.5 All requirements imposed by insurance policies shall be complied.

1.15 Maintenance of Electronic equipment at Data Centre

1.15.1 Areas that contain critical information systems shall be designated as ‘Top Secret’ security zones

1.15.2 Top Secret security zone is an area to which access is limited to authorized personnel only. It shall be indicted by a defined and clearly marked perimeter. It shall be continuously monitored at all times. The ICT Security team shall implement controls for accessing ‘Top Secret’ security zones. Details of access shall be recorded and audited on continuous basis. Examples include Data Centre hosting production systems, Disaster Recovery sites, etc.

1.15.3 ‘Top Secret’ Mandatory Security Controls

1.15.3.1 Security personnel shall be deployed round the clock at the entry/exit gate of the ‘Top Secret’ zone

It is recommended that the doors of ‘Top Secret’ zone should be made with opaque material or with limited visibility glass panels to restrict view from outside.

1.15.3.2 Security personnel shall identify authorized personnel who shall be allowed to visit the ‘Top Secret’ zone. Any visitor who wishes to visit this ‘Top Secret’ zone shall first be explicitly approved by Manager – IT Security

The authorized individual shall escort the visitor all times during the visit to such ‘Top Secret’ zone.

1.15.3.3 Access privileges to ‘Top Secret’ zones shall be removed immediately, once they are no longer required

1.15.3.4 Security personnel shall ensure visitors/ third party users/ vendors are not carrying any bags, laptops, media, cables, USB devices, pen drives, camera mobile devices, or any such material inside the ‘Top Secret’ zone unless authorized Manager – Information Security.

1.15.3.5 Security Department shall not allow video, audio or other recording equipment, including cameras in portable devices, in Top Secret zone

1.15.3.6 Periodic surprise checks or mystery visitor checks shall be conducted on data center agencies to ensure safety procedures are complied. Failure to any of the controls by data center agencies shall be escalated according to the escalation matrix of the data center.



1.15.3.7 Period safety audit shall be conducted and physical access logs shall be requested from the data center and reviewed at regular intervals. This logs shall be analyzed along with the authorized form approved by the Manager – Information

1.15.3.8 The data center shall track all the equipment movement within and outside the ‘Top Secret’, to mitigate the risk of unauthorized removal of equipment

1.15.3.9 All the server racks hosting critical information systems shall be under CCTV coverage area, which shall be recorded by the third party data center. The CCTV camera logs shall be maintained and provided to the company on request for monitoring data center activities in event any identified threats.

1.15.3.10 CCTV cameras shall also be installed at entry /exit gates of the restricted zone to monitor the movement of all personnel

1.16 IT Hardware Management

1.16.1 System Administrators are responsible for Managing Servers and workstations and Network team is responsible managing network equipment.

1.16.2 Preventive maintenance

1.16.3 Preventive maintenance is an important activity that needs to be carried out on IT hardware to ensure continuous availability of all the servers and network equipment.

1.16.4 Preventive maintenance schedule shall be prepared to log and track the maintenance for various equipment.

1.16.5 The preventive maintenance schedule shall also include preventive maintenance for equipment placed at critical installation sites or high-risk sites.

1.16.6 Typical maintenance activities may consist of the following:

1.16.6.1 Check hard drive capacity, optimize any local hard drives to defragment files and scan the surface for bad sectors

1.16.6.2 Cleaning up of temp files and backed up log files

1.16.6.3 Regular housekeeping including a dust-free environment, removal of debris from immediate area etc. and the regular checks for integrity of cable installations, including attachment of cable ends, coiling of excess cable lengths, orderly cable runs, and cleanliness of connections

1.16.6.4 Assurance of Uninterruptible Power Supply (UPS), including maintenance of battery installations, cleanliness of power cord junctions and contacts, cleanliness and integrity of grounding straps and conduits, checks of case ground integrity, etc.

1.16.6.5 Ensure effectiveness of physical installations including tightness of rack mounting bolts and screws, slide hardware, and ancillary connections.

1.16.6.6 The Company’s Manager - IT Infrastructure shall carry out all such checks at least once in every quarter.

§ Maintenance activities may vary depending upon the type of hardware and vendor. System Administrators and Network Administrators shall identify maintenance activities required for all IT hardware and prepare a Preventive Maintenance Schedule. It could be a weekly or monthly schedule.



§ For some of the hardware as part of the AMC, vendors may provide preventive maintenance. The vendor maintenance schedule shall be added to the Company’s maintenance schedule.

§ System Administrators and Network Administrators shall carry out maintenance activity based on the Preventive Maintenance Schedule prepared

§ Head – IT Operations shall review the maintenance activities carried out by the Facility Management Team on a monthly basis.

§ Manager - IT Infrastructure shall ensure that the vendors and administrators regularly conduct the preventive maintenance as per the schedule.

§ For all maintenance activities the Administrators shall ensure that:

1.16.6.7 Preventative maintenance schedule and maintenance activities do not disrupt or affect in anyway critical or sensitive applications.

1.16.6.8 Maintenance activities are not scheduled during critical periods of data processing or other IT activities such as back up or restoration.

1.16.6.9 All parties are notified before any maintenance activity shall be carried out.

1.17 Non-IT Equipment (Office-Equipment) Management

1.17.1 Fax Machines, Photocopiers, Printers, etc. are important equipment for managing day-to-day operations in the Company. The following procedures shall be followed to ensure that the equipment is working properly continuously.

1.17.1.1 All users of the office equipment shall be adequately trained to ensure that they use them appropriately. They shall operate the equipment as per the guidelines provided by the vendor of the specific equipment

1.17.1.2 Ensure that AMC for photocopiers or other equipment are in place.

1.17.1.3 Representatives of the respective Departments shall check the Fax machines, Photocopiers and key printers to ensure that they are working in good condition. If the cartridges are about to empty, ensure that spare cartridge is in place so that they can be replaced at any point of time that day.

1.17.1.4 Representatives of the respective Departments shall prepare a maintenance schedule considering the AMC available for the equipment.

1.17.1.5 Department Head shall review the maintenance schedule and maintenance reports on a monthly basis.

1.18 Security of Equipment off-premises

1.18.1 Management shall authorize the use of any Company owned information processing equipment outside the organization’s premises. The same shall be logged and authorized for a specific period only.

1.18.2 Equipment and media taken off the premises shall not be left unattended in public places.

1.18.3 Any equipment or media that has to be taken off premises shall be encrypted using file or disk encryption technology.

1.18.4 Portable computers (laptops) shall be carried as hand luggage and disguised where possible when traveling.



1.18.5 Manufacturers’ manual for protecting equipment shall be observed or at least be handy at all times.

1.18.6 Adequate insurance cover shall be in place to protect equipment off-site.

1.18.7 Any equipment or media that necessitate it to carry away or bring into the premises shall be logged into a material movement register.

1.19 Disposal of media

1.19.1 Media shall be disposed of securely and safely when no longer required. Sensitive information may be leaked to outside persons through careless disposal of media. Formal procedures for the secure disposal of media shall be established to minimize this risk. The following are the end of life conditions for media disposal

1.19.1.1 Media that cannot be erased or no longer required by the concerned department (for example: permanent media such as CD/DVD ROMs)

1.19.1.2 The media is physically damaged or broken beyond repair.

1.19.1.3 Cost of the media for the repair to too high

1.19.1.4 Outdated technology

1.19.1.5 Replacement by upgrade technology

1.19.1.6 Media has exceeded the maximum number of times of reuse (for example, USB drives allows limited number of data read-writes)

1.19.2 The following guidelines shall be considered for secure media disposal:

1.19.2.1 Media containing sensitive information and licensed software shall be stored and disposed of securely and safely, e.g. by incineration or shredding/ degaussing or rigorous formatting or physical destruction.

1.19.2.2 The following list identifies items that require secure disposal:

§ Paper documents.

§ Voice or other recordings.

§ Output reports.

§ Magnetic tapes.

§ Removable disks or cassettes.

§ Optical storage media (all forms and including all manufacturer software distribution media).

§ Program listings.

§ Test data.

§ System documentation.

1.19.2.3 Disposal of sensitive items shall be logged in order to maintain an audit trail.

1.19.2.4 When accumulating media for disposal, consideration shall be given to the aggregation effect, which may cause a large quantity of unclassified information to become more sensitive than a small quantity of classified information. (Refer: PES - Media Destruction Register)



1.19.3 The company may appoint an external agency for secure disposal of media. Following consideration shall be ensured for secure disposal of media.

1.19.3.1 The company shall identify ensure procedures adopted by the external agency ensure safe disposal of media with no data recovery.

1.19.3.2 The external agency shall accept to the terms and conditions of the company and agree to the confidentiality clauses indicated in the agreement/contract.

1.19.3.3 The company shall ensure that it has the right to audit the external agencies procedure for media disposal and shall conduct surprise checks to ensure the compliance of secure disposal procedures.

1.20 Removal of assets in and out of premises

1.20.1 Any entry or removal of sensitive information to or from the premises (temporarily or permanently) either physically or electronically shall undergo the prior approval process of the Department Head.

1.20.2 The Department Head concerned shall approve information transfer using emails, faxes, hardcopies, floppy diskettes and verbal communication of confidential and sensitive information. Photocopying of confidential and sensitive documents shall require the same approval process.

1.20.3 Information entry/removal using any other storage media like CDs, Hard disks, DLT tapes and emails containing sensitive information shall have the prior approval of the Department Head concerned.

1.20.4 There shall be random frisking of bags of employees/contractors by the security personnel, except the ones as decided by the Information Security Steering Committee when they are leaving the office premises to avoid the theft of assets. These can be reviewed with the assistance of CCTV recordings.

1.20.5 Material Going Out

1.20.5.1 All movement of material in and out of the premises shall be controlled by security. All outgoing material needs to be accompanied by a gate-pass, which shall be authorized by the nominated representative of each department.

1.20.5.2 Security personnel shall check the material including IT assets against the gate-pass and enter the details in a register.

1.20.5.3 Department Head shall review the register/gate passbook on a weekly basis. In case return of asset is delayed by a week, the delay shall be pointed out to the Administration team and explanations shall be obtained from the vendor. (Refer: PES - Media Movement Register and PES - Media Inventory Register)

1.20.6 Material Coming In

1.20.6.1 Security personnel shall enquire about the nature of material, which is being brought in, and record the details in a register maintained to record the receipts.

1.20.6.2 The concerned employee shall be informed of the receipt of the material.

1.20.6.3 The concerned employee shall conduct an initial inspection and acknowledge the receipt of the material.



1.20.6.4 The concerned employee shall also sign in the register to acknowledge receipt of material. The Administration team shall review the register on a weekly basis.

1.21 Environmental Security Standards

1.21.1 Power Supply

1.21.1.1 Power supply is critical for uninterrupted functioning of the company. The power supply arrangements are as follows:

§ Local Power Supply

o Electricity supply from the local power providers is regular. This shall terminate at a local transformer to regulate the power that is available to the Operations area, which shall not exceed 220-250V. Further, within the server room the voltages maintained should all be regulated to suit the servers as per the vendor recommendations. Circuit breakers of appropriate capacity shall be installed to protect the hardware against increase in power voltage.

§ Uninterruptible Power Supply (UPS)

o A dedicated UPS (Uninterruptible Power System) with maintenance-free batteries (which shall be replaced regularly depending on vendor specifications) shall be maintained for server room and servers. The UPS shall ideally reside in dust free environment and outside of server room. There shall be adequate space around the UPS for maintenance purposes. The UPS shall be adequate to provide for voltages at the same level as the regular supply and there shall be no glitches in the process of the UPS taking over the electricity supply as these glitches can severely harm the machines.

o A chart showing the operational guidelines for the UPS shall be prominently displayed in the room where the UPS is housed.

o The UPS and the generator shall be tested regularly to ensure the smooth functioning of the power supply to the server room.

§ Generator

o Generator shall be automated to start up as soon as the electricity supply from the local power supplier is cut off.

§ Testing

o The UPS and the generator shall be tested regularly to ensure the smooth functioning of the power supply to the server room.

1.21.2 Heat & Air Pollution

1.21.2.1 The whole premises shall have air-conditioning facilities to prevent dust, heat and air pollution affecting IT equipment.

§ Temperature

o The server room shall have dedicated air-conditioning equipment with the temperature maintained below 20 degrees Centigrade.

§ Humidity

o The humidity level in the server room shall not cross 50%. A humidity monitoring system or a de-humidifier shall be placed in the Server room.

1.21.3 Dust



1.21.3.1 A dust free environment shall be maintained by ensuring a high level of maintenance in the server room.

1.21.4 Fire Safety

1.21.4.1 Server Room: - The server room shall ideally be fitted with inert gas based fire extinguisher. After detection of fire, alarm shall be sounded for 30 seconds and the extinguisher shall automatically start operating. The 30-second interval shall be for staff in the server room to evacuate the room. Fireproof doors shall protect the server room as a safeguard from outside fire.

1.21.4.2 Fire Alarms: - The whole premises shall be fitted with automatic fire alarms. There shall be manual alarms located at strategic places in the building, which can be started, by any employee who notices fire, which the fire detectors have failed to detect.

1.21.4.3 Stored pressure handheld fire extinguishers shall be used at office premises. Preferably, near the exits and placed at strategic locations within every floor of the workspace to ensure maximum fire safety in event of a fire breakout.

1.21.4.4 The fire extinguishers shall apply the use of clean agents or carbon dioxide gas to displace the fire. Clean fire extinguishers shall include one of the following chemical agents

§ Mixtures of inert gases, including Inergen and Argonite.

§ Gas suppression system is another design used to fight the electric fires with cubic cylinder

§ Novec 1230 fluid (also known as "dry water" or “Saffire fluid”), a fluoronated ketone that works by removing massive amounts of heat.

§ CO2, a clean gaseous agent that displaces oxygen. Highest rating for 7.7 kg (20 pound) portable CO2 extinguishers is 10B:C

1.21.4.5 For protection from fire following measures shall be taken:

§ The combustible material shall not be stored near the Information Assets.

§ There shall be no eating, drinking or smoking in the operational site. The work areas shall be kept clean at all times.

§ Automatic fire detection and fire suppression systems and audible alarms shall be installed wherever applicable.

§ Fire extinguishers shall be installed throughout the premises and their locations clearly marked with appropriate signs.

§ Periodic testing, inspection and maintenance of the fire equipment and systems shall be conducted.

§ Procedures for the safe evacuation of personnel in an emergency along with the escape directions shall be visibly posted throughout the premises. Periodic training and fire drills shall be conducted

1.21.4.6 Fire fighting methods:

§ When the heat of a fire is brought down, the minimum heat required to burn a fire is no more and the fire is arrested (caused by the absence of one contributory factor). Water is used to put out a fire in this manner. This method can be adopted in the case of burning wood, paper, etc.

§ A fire shall continue only if inflammable articles are around. Therefore, a fire can be brought under control, when such items are removed from the premises. If the burning item can be physically shifted (such as a gas cylinder), the fire can be brought under control. If it cannot be shifted, other inflammable items around shall be removed from the affected area

§ Firefighting equipment shall be located throughout the premises and employees shall be trained in its usage on a periodic basis.



§ Emergency exits: - Emergency exits or Evacuation Routes shall be clearly marked throughout the premises. They shall always be kept obstacle free. Fire drills shall be practiced on semiannual basis.

§ Reacting to fire contingencies:

§ As soon as a fire breaks out, fire alarm shall be activated promptly.

§ If unable to put out the fire, shout for help.

§ Inform the fire wardens and the Security Division immediately.

§ Consult the Fire Officers/Fire Wardens and act according to instructions issued by them.

1.21.4.7 When the fire alarm is activated

§ An emergency squad shall be readily available on the Ground Floor to respond for any contingencies such as fire, robbery and bomb threats. They shall promptly respond to the fire alarm.

§ First of all the Administration team shall check on the activation of the fire alarm.

§ Fire wardens shall be responsible for informing employees of the fire and guiding them during the fire.

§ The members of the staff shall lock up valuable documents and papers, in the drawers and vacate the premises.

§ These instructions shall vary according to the type of fire and the floor where it had occurred.

§ Fullest co-operation of employees is required. Employees and Customers within its premises shall remain calm and act according to instructions issued by the fire wardens.

1.21.4.8 Instructions to fire wardens:

§ Select employees shall be designated as fire wardens and provided training in fire fighting techniques.

§ Fire wardens are required to use the knowledge acquired in fire fighting procedures in the event of a sudden break out of fire.

§ If the situation is beyond the capacity to control, the fire alarm shall be activated. Maintain calmness around and make necessary arrangements to evacuate everyone from the floor. Sick people and those who are unable to move due to various reasons shall have to be removed to the Ground Floor or to safe areas by the Administration team.

§ Fire wardens shall check whether everyone has left before leaving the floor himself or herself.

§ Any missing persons shall be notified to the Security personnel.

1.21.4.9 Responsibility of the occupants of the premises:

§ Find out ways and means of saving lives.

§ Learn to activate the fire alarm.

§ Learn to manipulate the firefighting equipment.

1.21.4.10 The following shall be avoided:

§ The use of the elevator as a way of evacuation to save lives.

§ Shouting and creating a commotion. People shall become more and more restless this way.

§ Pausing to collect personal belongings.

1.21.4.11 Fire alarms operating on a break glass system, and pillar hydrants, shall be installed in the lobby area of every floor. In addition, the following firefighting equipment shall be available on every floor:

§ Hydro fire equipment



§ Carbon dioxide fire equipment

1.21.4.12 Smoke detectors shall be located on each floor and shall automatically trigger off the smoke alarm in the event that smoke is detected.

1.21.4.13 In addition to smoke detectors, water sprinklers may be installed in the basement areas and on all floors. The water sprinklers shall be automatically activated when heat in the vicinity causes the acid tube embedded within to burst.

1.21.4.14 Water storage tanks for the provision of water to the water sprinkler system and the pillar hydrant system shall be provided. Tube wells shall also be installed for use if required.

1.21.4.15 On activation of the fire alarm, all lifts shall be grounded.

1.21.4.16 Each floor shall be divided into sections, and the fire alarm system shall detect and highlight the floor and section that triggered off the fire alarm. This information shall be used by security as an input to identify the exact location that triggered off the alarm.

1.21.4.17 If deemed necessary, all doors on the ground floor allowing the passage of people to and from the building shall be opened.

1.21.4.18 After investigating the cause of the alarm, fire wardens shall inform the occupants of the building the reasons for the fire and the action plans to ensure safety of the premises. These instructions shall be noted carefully and followed.

1.21.5 Earthquake Safety

1.21.5.1 Earthquake evacuation drills shall be conducted on a semiannual basis.

1.21.6 Lightening Safety

1.21.6.1 Lightning arrest conductors shall be installed on the top of the building.

1.21.7 Theft Safety

1.21.7.1 The serial numbers of the laptops shall be recorded during entry and exit of non-employees from the premises.

1.21.7.2 Assets shall be tagged and the material coming in and out shall be tracked.

1.21.7.3 All the safes shall be kept in rooms and areas, physical access to which is restricted. Keys to the safes shall be given to only a few individuals.

1.21.7.4 All unused access cards shall be kept under lock and key.

1.21.7.5 All information and data may be adequately labeled and based on the sensitivity, stored in separate safes or locations.

1.21.7.6 Burglar alarms shall be installed at the entrances of the premises.

1.21.8 Water Damage Safety (To be checked with Emergency Preparedness plans at different locations)

1.21.8.1 Protection from Floods: The premises shall have adequate flood and rainwater drains. The premises shall be continuously maintained to ensure that water seepage, if any, is detected and corrective action is initiated.



1.21.8.2 Location of Server Room: The operations area and the server room shall be located above the first floor. This reduces risk of damage by water seepage. Further all the walls of the server room shall be away from windows and shall ideally be isolated from any external atmospheric influence. The IT equipment in the server room shall be kept in waterproof cupboards.

1.21.8.3 Drainage System: The drainage system shall be such that water and drainpipes are located away from the server room.

1.21.9 Miscellaneous

1.21.9.1 Flooring: The flooring shall be at an ideal height of one foot from the ground and shall be tiled with anti-static material.

1.21.9.2 Switches: Switches and sockets shall all be grounded (provided with earthling) and provided with circuit breakers to avoid any untoward occurrences due to faulty wiring or short circuits.

1.21.9.3 Restriction to Ports in Conference Rooms and Visitor Rooms: All network ports in the conference rooms and visitors’ rooms shall be disabled. They shall be provided access only if there is a requirement of such an access.

1.21.9.4 Cleanliness: To avoid dust from entering the server room from the entrances, there shall be a strict instruction on leaving the shoes outside the server room with special rubber slippers provided for the server room. In addition, no food or eatables shall be allowed in the server room. Further, the surroundings of the Server shall be kept clean and no trash or dustbins shall be placed next to the Server.

1.21.9.5 Emergency Lamps: Self-activating emergency lamps shall be placed in the Operations area and any other location, as they may be required to handle abrupt power failures. In addition, alternate arrangements such as emergency lights, torches and ventilators shall be present.

1.21.9.6 Emergency Power-Off: Ensure the installation of emergency power off switches in strategic locations with adequate labeling and shielding to avoid accidental activation

1.21.10 Prevention from Electromagnetic Pulse (EMP)

1.21.10.1 An EMP is a short burst of electromagnetic energy spread over frequencies, which is particularly damaging to electronic equipments. EMP typically occurs in form of radiation, electric and magnetic pulse depending upon the source

1.21.10.2 Types of EMP that may affect electronic equipments and other electrical installations at critical locations

§ Lightning electromagnetic pulse (LEMP)

§ Electrostatic discharge (ESD)

§ Nuclear electromagnetic pulse (NEMP)

§ Non-nuclear electromagnetic pulse (NNEMP)

§ Switching action of electrical circuitry, including inductive loads such as relays, solenoids, or electric motors. Typically, these send a pulse of voltage and/or current down any electrical connections present, as well as radiating a pulse of energy. The amplitude is usually small and the signal treated as "noise" or "interference".

§ Continual switching actions of digital electronic circuitry

§ Electric motors

§ Petrol/Diesel operated engines that invoke EMPs through spark plugs



§ Power line surges

§ Coronal mass ejections (CME) or solar winds

1.21.10.3 Electronic equipments can be protected from EMP using a metal box/case designed to divert and soak up the EMP. The object placed in the metal box/case shall be insulated from the inside surface of the box/case. Such a setup shall prevent the object from being affected by the EMP travelling around the outside metal surface of the box/case.

1.21.10.4 Following are the requirements for protection with metal casings are:

§ The equipment inside the box shall not touch the metal container

§ The metal shield is continuous without any gaps between pieces or extra-large holes in it.

THE TATA POWER COMPANY LIMITED Information Security ......Placement § Tata Power Intranet . The...

Documents

Transcript of THE TATA POWER COMPANY LIMITED Information Security ......Placement § Tata Power Intranet . The...