Data centers are fair game for policies, too

When we think of security policies, visions of “acceptable use” and “passwords” often come to mind. But policies are much more than that – especially considering the complexities associated with data centers. Policies outline this is how we do things around here regardless of the specific topic. When it comes to information security and managing data center-related risks, there are numerous policies that could apply:

• Access controls
• Audit logging
• Authentication
• Key management (you know, those old-fashioned physical keys you use to lock and unlock stuff in your data center)
• Media disposal
• Mobile device encryption
• Web security (for your CCTV management system, UPSs, KVMs, etc.)
• Wireless networks

You don’t necessarily need to create dedicated policies on these topics just for the data center. Instead, simply include the data center and related systems within the scope of the appropriate policy. This will keep your number of policies to a minimum and simplify policy management. Given all the headaches, politics and technical complexities of managing a data center, the last thing you need to do is create more stuff to keep up with. In a follow-up post, I’ll outline a security policy template that can work well in this situation.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.