Implementation of physical security measures on the Selectel side
The list of physical security measures to be taken when placing the infrastructure in A data centers is determined by Order No. 17 of the FSTEC of Russia dated February 11, 2013 and Order No. 21 of the FSTEC of Russia dated February 18, 2013.
Selectel implements some of the physical security measures that are in its area of responsibility in accordance with Annex 2 to the Terms of Use.
Measure | Content of measures to ensure the security of personal data | Implemented in Selectel |
---|---|---|
ZTS.2. | Organization of a controlled area within which stationary technical means, processing information, and information protection means are permanently located, as well as means to ensure the functioning of the | Organized a controlled area with permanent housing: |
ZTS.3. | Control and management of physical access to technical means, information protection means, means of ensuring the functioning of the information system, as well as to the premises and facilities in which they are installed, excluding unauthorized physical access to information processing means, information protection means and means of ensuring the functioning of the information system, to the premises and facilities in which they are installed | We control physical access to technical means, means of information protection, means of ensuring functioning: |
ZTS.4 | Placement of information output (display) devices, excluding its unauthorized viewing | Do not use information output and display devices |
ZTS.5 | Protection against external influences (environmental influences, instability of power supply, conditioning and other external factors) | Located in data centers that are Tier III compliant. They provide: |
UPD.3. | Management (filtering, routing, connection control, unidirectional transmission and other control methods) of information flows between devices, information system segments, as well as between information systems | We provide the service on the condition that the server is connected through a dedicated firewall. Using the firewall allows the user to fulfill the information flow management requirement |
UPD.4. | Separation of powers (roles) of users, administrators and persons ensuring the functioning of information system | Separated the roles of information security administrators and support staff and described them in the company's internal documentation |
UPD.5. | Assignment of minimum necessary rights and privileges to users, administrators and persons providing functioning of the information system | Assigned minimum required rights and privileges according to job responsibilities and described job duties and roles in internal company documentation |
VMS.17. | Partitioning the information system into segments (information system segmentation) and ensuring protection of perimeters of information system segments | We provide the service on the condition that the server is connected through a dedicated firewall. Using the firewall allows the user to fulfill the requirement to divide the information system into segments and protect the segment perimeter. |
ZNI.1. | Accounting for machine-readable data carriers | Keeping track of server hard disks |
ZNI.2. | Managing access to machine storage media | Manage access to machine storage media: |
ZNI.8. | Destruction (erasure) of information on machine media during their transfer between users, to third-party organizations for repair or disposal, as well as destruction (erasure) control | Destroy information on machine-readable media: |
RSB.1 | Determination of security events to be recorded and their retention periods | Defined recordable physical security events and their retention periods |
RSB.2 | Determination of the composition and content of information on security events to be recorded | Determined the composition and content of information on recorded physical security events and described in internal company documentation |
RSB.3 | Collecting, recording and storing security event information for a specified retention time | Collect, record, and store physical security event information for a set time. |
RSB.5 | Monitoring (viewing, analyzing) the results of security event registration and responding to them | Review and analyze the results of physical security event logging and response. |
RSB.7 | Protecting security event information | Protecting physical security event information: |
CCT.1 | Use of fault-tolerant technical means | We use fault-tolerant hardware in our data center infrastructure: |
CCT.2. | Redundancy of technical means, software, information transmission channels, means of ensuring functioning of information system | We apply redundant technical means, information transmission channels and means of ensuring operation. The entire data center infrastructure is redundant. |
CCT.3. | Control of failure-free operation of technical means, detection and localization of failures, taking measures to restore failed means and their testing | Control the uptime of the data center infrastructure: |
CCT.7 | Control over the state and quality of provision of computing resources (capacities) by the authorized person, including information transfer | Monitor the status and quality of resource delivery with: |
INZ.1. | Identify those responsible for identifying and responding to incidents | Identified a list of those responsible for identifying and responding to physical security incidents |
INZ.2. | Detection, identification and recording of incidents | Find, identify and record physical security incidents |
INZ.3. | Timely informing the persons responsible for incident detection and response about the occurrence of incidents in the information system by users and administrators | Staff who are involved in the provision and operation of the service report physical security incidents to those in charge in a timely manner |
INZ.4. | Incident analysis, including identification of sources and causes of incidents and assessment of their consequences | In the case of a physical security incident, analyze sources and causes of occurrence, assess consequences |
INZ.5. | Taking measures to eliminate the consequences of incidents | In the event of a physical security incident, we take remedial action |
INZ.6. | Planning and taking measures to prevent the recurrence of incidents | In the event of a physical security incident, plan and take measures to prevent recurrence |
UCF.1. | Identification of persons who are authorized to make changes to the configuration of the information system and information protection system | Defined a list of employees who can make changes to the configuration |
UCF.2. | Management of changes in the configuration of the information system and information protection system | Described the process for managing configuration changes in the company's internal documentation |
UCF.3. | Analyzing the potential impact of planned changes in the configuration of the information system and the information protection system on information security and coordinating changes in the configuration of the information system with the official responsible for ensuring information security | Analyze the potential impact of planned changes on information security and coordinate changes with the security officer. |
UCF.4. | Documentation of information (data) on changes in the configuration of the information system and the system of protection of information | Document information about the changes: |