Physical security


Prepare for disasters

Protect ICT systems and equipment from disasters.

Including ICT in your business continuity plans

Your organisation’s disaster recovery and business continuity plans should include availability requirements for information held in ICT equipment.

The impact of the information not being available will influence the measures you take to protect ICT equipment against environmental and human threats.

For more information, refer to section 4.7 of HB 292-2006: A Practitioner's Guide to Business Continuity Management.

Preserving ICT equipment

ICT equipment may require a controlled atmosphere to:

  • ensure the integrity of the information held within it
  • prevent failure of the equipment and potential loss of information.

Controlling the atmosphere may include controlling:

  • temperature
  • humidity
  • air quality — for example, smoke and dust
  • water
  • light.

 Make sure you meet the requirements identified by the manufacturer when you apply atmosphere controls.

Advice on preserving electronic information for the future is available online from Archives New Zealand.

Using uninterruptible and auxiliary power supplies

If your ICT systems are unexpectedly shutdown, you may lose information. An uninterruptible power supply (UPS) may allow you to turn off systems in a controlled manner or provide power until power to your ICT system is restored.

Any UPS you use should provide at least enough power to allow:

  • the controlled shutdown of ICT systems
  • the start-up of an auxiliary power supply.

ICT equipment also needs protection from power surges (relatively lengthy increases in voltage), and power sags and spikes (short, very large increases in voltage). Most UPSs also give some protection from surges and sags.

As most environmental systems rely on mains electricity, an auxiliary power supply may help you  maintain environmental controls.

Auxiliary power supplies should be maintained in line with the manufacturer's directions.

Assessing risks from disasters

Your organisation should identify any environmental or human-induced threats humans to their ICT equipment in their security risk assessment.

As ICT systems may be more sensitive to environmental factors, you may need extra risk mitigation measures, over and above those used to protect people and physical assets from harm.

Protecting against flooding

Water is one of the major threats to any system that uses electricity, including ICT systems.

Site server rooms should be protected against flooding. Flooding may be from external sources (for example, swollen rivers) or internal sources (for example, burst pipes).

If you’re considering locating any server rooms in basements, assess the risk of flooding from internal or external sources.

Protecting against fire

ICT equipment can be damaged through direct exposure to flames, from the effects of smoke (poor air quality), and increases in temperature in the general environment.

Another concern is the potential for flooding during fire-fighting operations. You may be able to use alternatives to water-based sprinkler systems, such as CO2, or other gaseous agents in critical ICT facilities. Base your decision to use alternatives on your risk assessment.

Using back-up ICT systems

Back-up ICT systems can provide a recovery point if your primary ICT systems fail. Back-up systems can form part of your business continuity and disaster recovery plans.

Any back-up system should be, as far as possible, fully independent of the supporting infrastructure used for the primary system so that if the primary ICT system fails, the back-up system does not also fail.

Back-up ICT systems should be regularly tested to ensure their continued operation.

You may use off-site or commercial back-up facilities. Consider dual redundancy. That is, using two back-up facilities for business-critical information and ICT systems.

Ensure that any commercial ICT facilities you use meet all the mandatory security requirements for protecting New Zealand Government information.

If you use a commercial back-up facility, consider the aggregation of information held in the facility, not just your own information, when you work out the levels of physical and logical security needed at the facility.

Information on including security requirements in contracts for outsourced functions is available in Supply chain security.

Page last modified: 14/11/2022