Implementation of physical security measures on the Selectel side

The list of physical security measures that must be implemented when hosting infrastructure in a Certified Data Center segment is defined by FSTEC of Russia Order No. 17 of February 11, 2013, and FSTEC of Russia Order No. 21 of February 18, 2013.

Areas of responsibility

Selectel

Selectel implements a portion of the physical security measures that are within its area of responsibility, in accordance with Appendix 2 to the Terms of Use.

Information security measure content

Implemented by Selectel

UPD.4 (with enhancements)

Separation of duties (roles) for users, administrators, and personnel responsible for the operation of the information system

We have separated the roles of information security administrators and staff responsible for operations, and described them in the company's internal documentation

UPD.5

Assignment of the minimum necessary rights and privileges to users, administrators, and personnel responsible for the operation of the information system

We have assigned the minimum necessary rights and privileges in accordance with job duties and have documented job descriptions and roles in the company's internal documentation

RSB.1 (with enhancements)

Definition of security events subject to registration and their retention periods

We have defined the physical security events to be logged and their retention periods in the company's internal documentation

RSB.2 (with enhancements)

Definition of the scope and content of information regarding security events subject to registration

We have defined the scope and content of information regarding physical security events to be logged in the company's internal documentation

RSB.3 (with enhancements)

Collection, recording, and storage of security event information for the established retention period

We collect, record, and store information about physical security events for the established duration.
We provide centralized automated management of collection, recording, and information storage

RSB.5 (with enhancements)

Monitoring (review, analysis) of security event registration results and reaction to them

We review and analyze the results of physical security event registration and react to them.
We have described monitoring rules and procedures in the company's internal documentation

RSB.7 (with enhancements)

Protection of security event information

We protect information about physical security events:
- only designated personnel have access to audit logs and management functions;
- audit logs are backed up

ODT.1

Use of fault-tolerant technical equipment

We use fault-tolerant technical equipment in the data center infrastructure:
- we have determined the limit values for availability and reliability characteristics;
- we have recorded the availability and reliability characteristic values in the terms of use;
- we monitor current values of availability and reliability characteristics;
- we replace components that reach their limit values

ODT.2

Redundancy of technical equipment, software, information transmission channels, and means of supporting information system operation

We use redundant technical equipment, transmission channels, and support facilities. The entire data center infrastructure is redundant.
We have described redundancy rules and procedures in the company's internal documentation

ODT.3 (with enhancements)

Control of reliable operation of technical equipment, detection and localization of operational failures, taking measures to restore failed equipment, and testing them

We control the reliable operation of the data center infrastructure:
- we detect and localize operational failures;
- we take measures to restore failed equipment and test it

ODT.7

Monitoring the condition and quality of computing resources (capacities) provided by authorized persons, including information transmission

We monitor the status and quality of the provided resources that are hosted on the engineering infrastructure

ZTS.2

Organization of a controlled zone within which stationary technical equipment processing information, information protection tools, and operational support facilities are permanently located

We have organized a controlled zone with the permanent location of engineering infrastructure components

ZTS.3

Control and management of physical access to technical equipment, information protection tools, operational support facilities, as well as to the premises and structures where they are installed, which prevent unauthorized physical access to information processing equipment, information protection tools, and information system operational support facilities, as well as to the premises and structures where they are installed

We control physical access to infrastructure components and the technical equipment hosted on them:
- we have defined a list of authorized personnel;
- we maintain a record of physical access;
- we have described physical access management rules and procedures in the company's internal documentation

ZTS.5

Protection against external factors (environmental influences, power instability, air conditioning, and other external factors)

We locate our Certified Data Center segments in data centers that meet Tier III requirements. In them, we ensure:
- prompt restoration of power supply and air conditioning systems;
- compliance with fire safety measures;
- compliance with equipment operating conditions and environmental conditions

INTS.1

Definition of personnel responsible for identifying and responding to incidents

We have defined a list of personnel responsible for identifying and responding to physical security incidents

INTS.2

Detection, identification, and registration of incidents

We detect, identify, and register physical security incidents

INTS.3

Timely notification of personnel responsible for incident identification and response regarding incidents occurring in the information system by users and administrators

Employees who participate in the provision and operation of the service promptly inform those responsible about physical security incidents

INTS.4

Incident analysis, including determining sources and causes of incidents, as well as assessing their consequences

In the event of a physical security incident, we analyze the sources and causes and assess the consequences

INTS.5

Taking measures to eliminate incident consequences

In the event of a physical security incident, we take measures to eliminate the consequences

INTS.6

Planning and taking measures to prevent the recurrence of incidents

In the event of a physical security incident, we plan and take measures to prevent recurrence

UKF.1

Definition of personnel authorized to perform configuration changes in the information system and information protection system

We have defined a list of employees who can make changes to the engineering infrastructure

UKF.2

Configuration change management for the information system and information protection system

We have described the configuration change management process in the company's internal documentation

UKF.3

Analysis of the potential impact of planned configuration changes in the information system and information protection system on information security, and coordination of information system configuration changes with the official responsible for information security

We analyze the potential impact of planned changes on information security and coordinate the changes with the employee responsible for security

UKF.4

Documenting information (data) about changes in the configuration of the information system and information protection system

We document information about changes in the engineering infrastructure in accordance with the company's internal documents

User

Using the Selectel Certified Data Center segment service allows for the implementation of a portion of security measures within the client's area of responsibility.

Information security measure content

Implementation within the client's area of responsibility

UPD.3

Management (filtering, routing, connection control, unidirectional transmission, and other methods of control) of information flows between devices, information system segments, and between information systems

We provide the service on the condition that the server is connected via a dedicated firewall. Using a firewall allows the user to meet the requirement for managing information flows

ZIS.17

Partitioning the information system into segments (segmenting the information system) and protecting the perimeters of the information system segments

We provide the service on the condition that the server is connected via a dedicated firewall. Using a firewall allows the user to meet the requirement for partitioning the information system into segments and protecting the segment perimeter

ZNI.1

Accounting for machine-readable information media

We keep track of disks used in dedicated servers rented by the client

ZNI.2

Access management for machine-readable information media

We manage access to the premises where technical equipment is located, including machine-readable information media:
- we have defined a list of employees who have physical access;
- we have described access rules and procedures in the company's internal documentation

ZNI.8

Destruction (erasure) of information on machine-readable media when they are transferred between users, to third-party organizations for repair or disposal, as well as control of destruction (erasure)

We destroy information on machine-readable media:
- upon cancellation of the service, using a method that makes it impossible to recover the information;
- when a medium is decommissioned, using HDD and SSD disposal tools that ensure the disk and the information stored on it cannot be recovered.
We have described the destruction and destruction control procedure in the company's internal documentation