Operational security controls

Operational controls that maintain the security and integrity of ID system facilities, data centers, and equipment are paramount to protecting personal data. Data breaches can come from multiple internal and external sources, including employees who fail to follow security procedures, hackers who gain access to inadequately-protected databases, and thieves who steal unsecured portable devices. In order to reduce these threats, ID system operators should employ state-of-the-art measures to reasonably prevent, detect, mitigate and respond to third party attacks, unauthorized access, and malicious or fraudulent use.

There are many international standards aimed improving data center management, security, and access control, including ISO/IEC 27001 (information security management systems), ISO/IEC 22301 (business continuity management), and ISO/IEC 55000 (asset management). In particular, ISO/IEC 27001 focuses on developing an information security management system (ISMS) that provides a systematic approach to securing sensitive information by applying a risk management process to people, processes, and IT systems.

Many organizations choose to gain ISO/IEC 27001 accreditation as proof of compliance; however, it may be more useful to take the standard as a baseline for information security management, alongside any other relevant standards such as the Payment Card Industry Data Security Standard (PCI DSS).

Operational controls must address both physical and virtual security. Virtual protections include:

  • Access control (Identity Access Management on all work stations);

  • Firewalls; and

  • Intrusion Detection Systems (IDS).

For physical assets, any security management strategy should also seek to implement measures that address the following concerns and questions, further described in Table 23:

  • Building and asset security. Visitors to any physical data centers, card-personalization centers, or other ID facilities and assets should be required to gain access through a rigorous building security process and, once admitted, be restricted to specific areas, assets, or systems based on their role and purpose.

  • Policies and processes. Policies and processes related to access control are only effective if they well understood and regularly practiced by staff. Security training should be provided to all staff on an ongoing basis.

  • Staff. Security is a concern for everyone, particularly staff within ID facilities. Staff should be knowledgeable, vigilant and able to understand organizational objectives with regards to security.

  • Contractors. Where contractors or suppliers (e.g., engineers, cleaning staff, etc.) are regularly working within ID facilities, their credentials should be checked to ensure that the risk of a breach is mitigated.

Even with adequate safeguards or oversight, it is impossible to make a digital system completely immune from a breach. In the event that breaches do occur, breach notification laws generally require data controllers to inform individuals and/or authorities that a breach has occurred (see Table 23).

Table 23. High-level checklist for the physical security of ID systems

  Key Questions
Building & asset security
  • Are there a wide range of access controls in place including?

  • Are access controls configured to utilize multi-factor authentication?

  • Are data center areas housing server infrastructure windowless and with a minimum safe number of entry points?

  • Are the server racks and cages in the data center unmarked and anonymous?

  • Are server racks and cages locked with access strictly controlled and monitored?

  • Is CCTV monitoring used in sensitive areas of the data center 24x7, and if so is this monitoring carried out by an onsite network operations center (NOC)?

  • Do security staff have the capability to protect themselves in the event of an attack on the data center and react accordingly?

  • Is there the capability to directly alert the police in the case of unauthorized access?

Policies & Processes
  • Are there processes in place to grant and remove access to facilities and individual resources (e.g. server racks) for both internal and external personnel?

  • Are user commands such as logins, file opens, downloads and file saves monitored for aberrations in pattern? Are “events” transferred to analysts for real-time assessment and response?

  • Is a record kept of all access to the data center and retained securely for a specified period of time?

  • Are data center staff, visitors and contactors only granted access to sensitive areas, racks and cages based on stated and verified need?

  • Are all visitors to the data center accompanied by staff unless otherwise authorized?

  • Is it easy to visually identify staff, visitors, and contractors based on the type of ID badge that they wear in the data center?

  • Are ID badges assigned and managed under a suitable policy and operated by a capable authority (e.g. a NOC)?

  • Is the installation, removal or maintenance of equipment in the data center controlled and monitored?

  • Do staff receive regular training on security procedures and requirements?

  • Are there staff on site who can answer a full range of auditors’ questions and produce certifications, should they be required?

  • Are they able to share general advice around data center security and compliance?

  • Are senior security personnel based at the data center itself rather than a remote site?

  • Are data center staff required to undergo background checks where necessary?

  • Are they sensitive to the ID system’s confidentiality requirements (e.g. not disclosing personal information)?

  • Where suppliers are allowed to enter the data center unaccompanied, will ID holders be informed about which suppliers have access?

  • Are ID holders able to access basic information on contractor agreements, authorization levels, and any policies and processes in place to control and monitor contractor activity within the data center?

  • Are contractors accredited or vetted to any required standards?