Secure your ICT facilities

Protect your ICT facilities and the information held within them.

ICT facilities that need physical security

Your organisation should have dedicated ICT facilities to house your ICT systems, components of your ICT systems, or ICT equipment. These facilities might include, but are not limited to:

• server and gateway rooms
• data centres
• back-up repositories
• storage areas for ICT equipment that hold official information
• communications and patch rooms.

Pay particular attention to the security of any access points to an ICT facility. For example, cabling and ducting.

Accreditation of ICT facilities

Your ICT facilities must be:

• within accredited security zones
• appropriate for the value of the aggregated (combined) information held within them
• in security zones dedicated to these ICT facilities and separate to other functions.

When you outsource your ICT facilities or use shared facilities, you must ensure your information is held in a security zone appropriate to the value of the aggregated information.

Managing information in outsourced and offshore arrangements for ICT gives you more information on the requirements you must meet.

Securing containers used to house ICT equipment

Containers used to house ICT equipment in an ICT facility may be at a lower level when the ICT facility is in a separate security zone within an existing security zone that is suitable for the aggregation of the information held.

Storage requirements for electronic information in ICT facilities tells you more.

Securing ICT facilities for information with TOP SECRET or compartmented markings

ICT facilities that hold information with TOP SECRET or compartmented markings must be in a separate zone 5 that is within a zone 5 work area, both of which must be certified by the New Zealand Security Intelligence Service (NZSIS).

ICT facilities for TOP SECRET information must have both:

• a separate zone on your organisation's electronic access control system (EACS) and
• an NZSIS-approved security alarm system (SAS).

The Government Communications Security Bureau (GCSB) must certify all ICT systems that hold TOP SECRET information.

Controlling access to ICT facilities and equipment

Your organisation must control access to ICT facilities in line with Security zones.

Access to ICT facilities holding information with a Business Impact Level (BIL) lower than catastrophic should be controlled by:

• a dedicated section of the SAS or EACS, where used
• a person provided with a list of people with a ‘need-to-know’ or need to go into the ICT facility.

Your organisation must keep ICT facilities secured when they are not occupied, including security containers within the facilities that hold ICT equipment.

When people need security clearances

Anyone who can access your ICT servers, work in areas that contain ICT servers, or work in areas where your ICT assets are stored must have a security clearance. The level of security clearance depends on the BIL of the aggregated information.

Refer to the Guide to personnel security for your organisation.

Your organisation should supervise access to ICT servers, restricting access to a need-to-know basis. 

Using technical surveillance countermeasures (TSCM)

If you have an ICT facility that holds information with TOP SECRET and compartmented markings and regular discussions at a TOP SECRET level are held within it, a technical surveillance countermeasures (TSCM) inspection is required.

A TSCM inspection may also be required to provide a high level of assurance that hardware and cabling infrastructure within an ICT facility has not been compromised.

When your organisation doesn’t require its ICT facilities to handle TOP SECRET information, base the requirement for a TSCM inspection and the interval between inspections on your risk assessment.

Refer to the Using technical surveillance countermeasures and audio security in Other physical security measures.

For more advice on TCSM inspections, contact the GCSB.

 

Page last modified: 12/06/2020