CANADA PROTECTING SERVERS AS A FIRST STEP IN ACHIEVING IT SECURITYITBusiness.ca2/4/2004 2:42:59 PM - Don't just assume you've got it covered. Personal information is at stake.

by Rob Carnegie


In spite of increasing threats to computer system security, most local government IT departments have been concentrating on barricading the doors while leaving the windows wide open.

Every year, security becomes an increasingly larger budget item for local government IT departments. It started
modestly enough with sub $100 virus software; we then proceeded to install firewalls costing in excess of $20,000.

Over the past few years, the need for security oriented systems has exploded to the point where we now find ourselves outfitted with "mail walls," spam blockers, enterprise virus scanners, pop-up blockers and a plethora of other application specific security software.

Most IT departments however have all but ignored a security hole that any really determined hacker could drive a truck through.

That hole is typically in the physical security of their IT infrastructure plant.

Physical security is a term that auditors use to refer to the non-electronic aspects of security. This includes such mundane items as a separate room for the servers with a door that securely locks, fire alarms, automatic fire suppressions systems (such as halon) and intrusion alarms.

When the need for a "computer room" first arose, most local governments had to create such a space in City Hall structures that had little or no appropriate space available.

It's not too unusual to see computer rooms in the basement with the pipes and boilers. Many local governments have computer rooms with at least one glass window in it and in quite a few cases the window is on an exterior wall.

It's extremely unusual to find a computer room with anything more than two sheets of drywall separating the general office from millions of dollars worth of equipment and information.

The folks at the Canada Customs and Revenue Agency (CCRA) found out the hard way why physical security is something important to think about. In September, thieves broke into their regional office in Laval, Que. and made off with a file server containing the personal financial information of more than 120,000 taxpayers.

In this case the server wasn't even located in the computer room at the time of the theft. The thief broke a ground floor window and made off with the server in spite of the presence of an alarm system.