Implementation of physical security measures on the Selectel side
The list of physical security measures to be taken when placing infrastructure in the Attested Data Center Segment is defined by Order No. 17 of the FSTEC of Russia dated February 11, 2013 and Order No. 21 of the FSTEC of Russia dated February 18, 2013.
Areas of responsibility
Selectel
Selectel implements some of the physical security measures that are in its area of responsibility in accordance with Annex 2 to the Terms of Use.
Measure | Content of information security measures | Implemented in Selectel |
---|---|---|
UPD.4 (with amplification) | Separation of powers (roles) of users, administrators and persons ensuring the functioning of the information system | Separated the roles of information security administrators and support staff and described them in the company's internal documentation |
UPD.5. | Assignment of minimum necessary rights and privileges to users, administrators and persons ensuring the functioning of the information system | Assigned minimum required rights and privileges according to job responsibilities and described job duties and roles in internal company documentation |
RSB.1 (with amplification) | Determination of security events to be recorded and their retention periods | The company's internal documentation defines recordable physical security events and their retention periods |
RSB.2 (with amplification) | Determination of the composition and content of information on security events to be recorded | The company's internal documentation defines the composition and content of information on physical security events to be recorded |
RSB.3 (with amplification) | Collecting, recording and storing security event information for a specified retention time | Collect, record, and store physical security event information for a set amount of time. |
RSB.5 (with amplification) | Monitoring (viewing, analyzing) the results of security event registration and responding to them | Review and analyze the results of physical security event logging and respond to them. |
RSB.7 (with amplification) | Protecting security event information | Protecting physical security event information: |
CCT.1 | Use of fault-tolerant technical means | We use fault-tolerant hardware in our data center infrastructure: |
CCT.2. | Redundancy of technical means, software, information transmission channels, means of ensuring the functioning of the information system | We apply redundant technical means, information transmission channels and means of ensuring operation. The entire data center infrastructure is redundant. |
CCT.3 (with amplification) | Control of failure-free operation of technical means, detection and localization of failures, taking measures to restore failed means and their testing | Controlling the uptime of data center infrastructure: |
CCT.7 | Control over the state and quality of provision of computing resources (capacities), including information transmission, by the authorized person | Monitor the condition and ensure the quality of resources hosted on the engineering infrastructure |
ZTS.2. | Organization of a controlled area within which stationary technical means processing information and information protection means are permanently located, as well as means of ensuring functioning | Organized a controlled area with permanent placement of engineering infrastructure components |
ZTS.3. | Control and management of physical access to technical means, information protection means, means of ensuring the functioning of the information system, as well as to the premises and facilities in which they are installed, excluding unauthorized physical access to information processing means, information protection means and means of ensuring the functioning of the information system, to the premises and facilities in which they are installed | We control physical access to infrastructure components and technical means hosted on its base: |
ZTS.5 | Protection against external influences (environmental influences, instability of power supply, conditioning and other external factors) | Located in data centers that meet Tier III requirements. They provide: |
INZ.1. | Identify those responsible for identifying and responding to incidents | Identified a list of those responsible for identifying and responding to physical security incidents |
INZ.2. | Detection, identification and recording of incidents | Find, identify and record physical security incidents |
INZ.3. | Timely informing the persons responsible for identifying and responding to incidents about the occurrence of incidents in the information system by users and administrators | Staff who are involved in the provision and operation of the service report physical security incidents to those responsible in a timely manner |
INZ.4. | Incident analysis, including identification of sources and causes of incidents, and assessment of their consequences | In the event of a physical security incident, analyze the sources and causes of the incident, and assess the consequences |
INZ.5. | Taking measures to eliminate the consequences of incidents | In the event of a physical security incident, we take remedial action |
INZ.6. | Planning and taking measures to prevent the recurrence of incidents | In the event of a physical security incident, plan and take action to prevent recurrence |
UCF.1. | Identification of persons authorized to make changes to the configuration of the information system and information protection system | Identified a list of employees who can make changes to the engineering infrastructure |
UCF.2. | Management of changes in the configuration of the information system and information protection system | Described the process for managing configuration changes in the company's internal documentation |
UCF.3. | Analysis of the potential impact of planned changes in the configuration of the information system and information protection system on information security and coordination of changes in the configuration of the information system with the official responsible for ensuring information security | Analyze the potential impact of the planned changes on information security and coordinate the changes with the security officer |
UCF.4. | Documentation of information (data) on changes in the configuration of the information system and information protection system | Document information on changes in the engineering infrastructure in accordance with the company's internal documents |
User
Using Selectel's Attested Data Center Segment service allows you to implement some of the security measures that are in the client's area of responsibility.
Measure | Content of information security measures | Implementation in the customer's area of responsibility |
---|---|---|
UPD.3. | Management (filtering, routing, connection control, unidirectional transmission and other control methods) of information flows between devices, segments of the information system, as well as between information systems | We provide the service on the condition that servers are connected through a dedicated firewall. The use of a firewall allows the user to fulfill the requirement to manage information flows |
VMS.17. | Partitioning the information system into segments (information system segmentation) and ensuring protection of perimeters of information system segments | We provide the service on the condition that servers are connected through a dedicated firewall. The use of a firewall allows the user to fulfill the requirement to partition the information system into segments and provide perimeter protection for the segment |
ZNI.1. | Accounting for machine-readable data carriers | Keep records of disks used in dedicated servers leased by the client |
ZNI.2. | Managing access to machine storage media | We manage access to premises where technical facilities, including machine data carriers, are located: |
ZNI.8. | Destruction (erasure) of information on machine media during their transfer between users, to third-party organizations for repair or disposal, as well as destruction (erasure) control | Destroy information on machine-readable media: |