INF.1 General Building

Description

Introduction

A building encloses all stationary workplaces, the information processed therein, and the installed information technology. It thus provides protection against external influences. Therefore, not only the structure itself — walls, ceilings, floors, roof, windows, and doors — must be considered, but also all building-wide infrastructure and supply facilities such as electricity, water, gas, heating, and cooling.

The scope covers a building used by one or more organizational units of an institution. These units may have different security requirements. In addition, all planning must factor in that a building is almost always entered by non-institutional persons such as visitors, customers, or delivery personnel. When a building is used by different parties, the design, fit-out, and usage concept must be coherent. An optimal environment for the people working there must be ensured. Unauthorized persons must not gain access to areas where they could compromise security. The technology installed in the building must also be operated safely and efficiently.

Objective

This building block describes the requirements that must be met to protect a building optimally from an information security perspective. The measures resulting from these requirements depend on the type and size of the institution as well as the type and size of the building. Requirements from this building block can also be applied to large premises with multiple buildings or to the use of individual sections in multi-tenant buildings.

Scope and Modeling

The building block INF.1 General Building is to be applied once for each building.

This building block addresses technical and non-technical security aspects in the planning and use of typical buildings for companies and government agencies. The entire lifecycle of buildings is considered from an information security perspective, from the creation of a requirements catalogue through design, fit-out, use, and on to renovations or vacating the premises.

Cabling within a building is addressed separately in the building block INF.12 Cabling; special rooms such as server rooms or archive rooms are covered by the respective building blocks in the INF Infrastructure layer.

Handling of external personnel is governed by the building block ORP.1 Organisation.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.1 General Building.

Fire

Buildings and their contents can be severely damaged by fire, and people can be seriously injured or killed. In addition to damage caused directly by the fire, consequential damage must also be considered. Restoring fire-damaged areas to operation typically takes weeks or even months. A very significant danger in a fire is toxic smoke. Most casualties therefore result from smoke inhalation. Smoke can also cause severe damage to equipment and IT systems.

When PVC burns, chlorine gases are produced which, together with humidity and extinguishing water, form hydrochloric acid. If the hydrochloric acid vapors are distributed via the air conditioning system, they can damage sensitive electronic devices located in parts of the building far from the fire.

Lightning

During a thunderstorm, lightning strikes are the greatest danger to buildings and information technology. Lightning can reach currents of up to 200,000 amperes at voltages of several hundred thousand volts. This enormous electrical energy is released and dissipated within 50 to 100 microseconds. A lightning strike of this magnitude occurring at a distance of approximately two kilometers will still induce voltage spikes on electrical cables in the building that can destroy sensitive electronic devices. These indirect damages increase the closer the lightning strikes to the building.

When lightning strikes a building directly, the dynamic energy of the strike can cause extensive damage — for example, to the roof and facade, as well as fire damage or overvoltage damage to electrical equipment.

Water

Water can enter from outside, for example through rain, flooding, or inundation, or from inside through defective water-carrying pipes, and can damage a building and its contents.

Natural Hazards and Disasters

Depending on its location, a building is exposed to varying degrees of risk from natural hazards and disasters. Causes of natural disasters can include seismic, climatic, or volcanic phenomena such as earthquakes, flooding, landslides, tsunamis, avalanches, or volcanic eruptions. Examples of extreme meteorological events include severe storms, hurricanes, or heavy rainfall.

Environmental Hazards

Buildings can also be damaged by events in their immediate surroundings, for example if toxic substances are released. Rescue operations, road closures, or evacuations may also result in the building being only partially usable or completely unusable.

Unauthorized Access

If unauthorized persons gain access to a building or individual rooms, this can give rise to various other threats. Unauthorized persons can cause damage either through deliberate acts such as theft or manipulation of information, IT systems, or IT components, or through inadvertent misconduct, for example due to a lack of specialized knowledge.

Non-obvious manipulations can cause far greater damage than direct destruction. Physical damage can result from the unauthorized intrusion itself. Windows and doors are forced open and damaged in the process. Repairing or replacing them typically requires time and financial resources during which they cannot provide or can only partially provide their protective function.

Violations of Laws or Regulations

When a building is constructed, many laws and regulations must be observed, for example those relating to fire protection or other aspects of structural safety. Violations of these laws may go unnoticed for a long time but can have catastrophic consequences — for example, if fire barriers have not been installed as intended.

Inadequate Fire Barriers

Every building in which IT is operated contains a multitude of cables and pipes, such as fresh water and wastewater pipes, heating pipes, or cables for power supply or data transmission. It is inevitable that such pipe and cable runs must cross fire-protection walls and floor slabs. If no suitable fire barriers are installed at such points, fires and smoke may spread uncontrolled through them.

The high pace of change in IT also means that cables must repeatedly be rerouted across fire barriers. The correct way to do this depends directly on the type of barrier in place and can vary considerably. If changes to a fire barrier are not carried out in accordance with the specifications of the manufacturer, the barrier may fail in the event of a fire. The fire could then spread to areas that the barrier was intended to protect.

Power Failure

In the event of a power failure, entire buildings or parts thereof can become unusable. Not only obvious direct consumers of electricity such as IT or lighting are dependent on the power supply. All infrastructure facilities are today directly or indirectly dependent on electricity, e.g., elevators, air conditioning, alarm systems, security airlocks, automatic door closing systems, sprinkler systems, or telephone exchange systems. Even the water supply in upper or lower floors depends on electricity due to the pumps required.

Requirements

The following are the specific requirements of the building block INF.1 General Building. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.

Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

INF.1.A1 Planning of Building Security (B) [Planners]

Depending on the (planned) use of a building and the protection needs of the business processes operated therein, it MUST be determined how the building is to be secured. For a building, security aspects MUST in particular be considered with respect to protecting people in the building, protecting assets and IT — from fire protection and electrical systems through to access control. Security requirements from the various areas MUST be coordinated with one another.

INF.1.A2 Appropriate Division of Electrical Circuits (B)

It MUST be regularly checked whether the protection and dimensioning of the electrical circuits still meet actual needs.

INF.1.A3 Compliance with Fire Protection Regulations (B)

Existing fire protection regulations as well as building authority requirements MUST be complied with. Escape routes MUST be signposted as required and kept clear. It MUST be regularly checked that escape routes are usable and free of obstacles so that the building can be evacuated quickly in an emergency. The local fire brigade SHOULD be consulted during fire protection planning.

Unnecessary fire loads MUST be avoided.

There MUST be a fire protection officer or a person assigned to this role. This person MUST be appropriately trained.

INF.1.A4 Fire Detection in Buildings (B) [Planners]

Buildings MUST be equipped with a sufficient number of smoke detectors in accordance with the conditions of the building permit and the fire protection concept. If local alarming at the detector location is insufficient, all detectors MUST be connected to a fire alarm control panel (FACP). Upon smoke detection, an alarm MUST be triggered within the building. It MUST be ensured that all persons present in the building can perceive it. The functionality of all smoke detectors and all other components of a fire alarm system (FAS) MUST be regularly checked.

INF.1.A5 Portable Fire Extinguishers (B)

For immediate firefighting, portable fire extinguishers in the appropriate fire class (DIN EN 3 Portable fire extinguishers) MUST be available in the building in sufficient number and size. The portable fire extinguishers MUST be regularly inspected and maintained. Employees SHOULD be trained in the use of portable fire extinguishers. The training SHOULD be repeated at appropriate intervals.

INF.1.A6 Closed Windows and Doors (B) [Employees]

Windows and doors accessible from outside, such as from balconies or terraces, MUST be closed during times when a room is unoccupied. Rooms MUST be locked if confidential information is left there. A corresponding directive MUST exist for this. All employees SHOULD be required to comply with the directive. It MUST be regularly checked whether windows and interior and exterior doors are locked after the building is vacated. Fire and smoke protection doors MAY only be permanently held open if this is done using approved hold-open devices.

INF.1.A7 Access Control and Monitoring (B) [Central Administration]

Access to security-sensitive building areas and rooms MUST be regulated and monitored. A concept for access control SHOULD exist. The number of persons authorized for access SHOULD be reduced to a minimum for each area. Additional persons MAY only be granted access after verifying that this is necessary. All access authorizations granted SHOULD be documented. Access control measures MUST be regularly reviewed for their effectiveness.

Access controls SHOULD also be maintained as far as possible during relocations.

INF.1.A8 No-Smoking Policy (B)

A no-smoking policy MUST be established for rooms containing IT or storage media where fires or contamination could cause extensive damage, such as server rooms, storage media archives, or document archives. It MUST be regularly checked that the introduction or toleration of smoking areas does not circumvent access protection.

INF.1.A10 Compliance with Relevant Standards and Regulations (B) [Construction company, Site management]

When planning, constructing, and renovating buildings, and when installing technical equipment, all relevant standards and regulations MUST be taken into account.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

INF.1.A9 Security Concept for Building Use (S) [Planners]

A security concept for building use SHOULD exist. The security concept for the building SHOULD be aligned with the institution’s overall security concept. It SHOULD be documented and regularly updated.

Sensitive rooms or building sections SHOULD NOT be located in exposed or particularly at-risk areas.

An IT-related fire protection concept MUST be developed and implemented.

INF.1.A11 DISCONTINUED (S)

This requirement has been discontinued.

INF.1.A12 Key Management (S)

A key plan SHOULD exist for all keys in the building. The production, storage, management, and issuance of keys SHOULD be centrally regulated. Spare keys SHOULD be kept in reserve and secured, but stored accessibly for emergencies. Unissued keys SHOULD be stored securely. Every key issuance SHOULD be documented.

INF.1.A13 Regulations for Access to Distribution Panels (S)

Access to the distribution panels of all supply facilities in a building SHOULD be possible quickly when needed. Access to distribution panels SHOULD be restricted to a narrow group of authorized persons.

INF.1.A14 Lightning Protection Systems (S)

A lightning protection system SHOULD be installed in accordance with the applicable standard. A comprehensive lightning and surge protection concept SHOULD exist. The air-termination systems in buildings with extensive IT equipment SHOULD at minimum meet protection class II in accordance with DIN EN 62305 Lightning protection. The lightning protection system SHOULD be regularly inspected and maintained.

INF.1.A15 Site Plans of Supply Lines (S)

Up-to-date site plans of all supply lines SHOULD exist. It SHOULD be regulated who maintains and updates the site plans of all supply lines. The plans SHOULD be stored so that only authorized persons can access them, but they are quickly available when needed.

INF.1.A16 Avoiding Location References to Sensitive Building Areas (S)

Location references to sensitive areas SHOULD be avoided. Sensitive building areas SHOULD NOT be easily visible from outside.

INF.1.A17 Structural Smoke Protection (S) [Planners]

Structural smoke protection SHOULD be checked after installation and renovation work. It SHOULD be regularly checked whether the smoke protection components are still functioning.

INF.1.A18 Fire Protection Inspections (S)

Fire protection inspections SHOULD take place regularly, i.e., at least once or twice a year. Deficiencies identified during fire protection inspections SHOULD be remedied without delay.

INF.1.A19 Informing the Fire Protection Officer (S)

The fire protection officer SHOULD be informed about work on cable routes, corridors, escape routes, and evacuation routes. This person SHOULD monitor the proper execution of fire protection measures.

INF.1.A20 Alarm Plan and Fire Protection Drills (S)

An alarm plan SHOULD be drawn up for the measures to be taken in the event of fire. The alarm plan SHOULD be reviewed and updated at regular intervals. Fire protection drills SHOULD be conducted regularly.

INF.1.A27 Burglary Protection (S)

Adequate measures adapted to local conditions SHOULD be implemented for burglary protection. When planning, implementing, and operating burglary protection, it SHOULD be ensured that it is equivalent and continuous. It SHOULD be regularly reviewed by a qualified person. The burglary protection regulations SHOULD be made known to employees.

INF.1.A36 Regular Updates to Documentation (S)

Building documentation, e.g., architectural plans, cable tray plans, riser diagrams, escape route plans, and firefighter information maps, SHOULD always be kept up to date. It SHOULD be checked at least once every three years whether all relevant plans are still current and correct. Employees SHOULD be informed of any changes.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.

INF.1.A21 DISCONTINUED (H)

This requirement has been discontinued.

INF.1.A22 Secure Doors and Windows (H)

Doors and windows SHOULD be selected based on the protection objectives of the area to be secured and the institution’s protection needs, classified according to the relevant standards. All room-enclosing security measures through windows, doors, and walls SHOULD be equivalent and appropriate with respect to intrusion, fire, and smoke. It SHOULD be regularly checked that security doors and windows are in working order.

INF.1.A23 Formation of Security Zones (H) [Planners]

Rooms with similar protection needs SHOULD be grouped into zones so that comparable risks can be treated uniformly and costs for required security measures can be reduced.

INF.1.A24 Automatic Drainage (H)

All areas at risk from water SHOULD be equipped with automatic drainage. It SHOULD be regularly checked whether the active and passive drainage systems are still functioning.

INF.1.A25 Appropriate Site Selection (H) [Top Management]

When planning and selecting a building site, it SHOULD be examined which environmental conditions could affect information security. An overview of site-specific threats SHOULD exist. These threats SHOULD be countered with additional compensating measures.

INF.1.A26 Reception or Security Service (H)

The tasks of the reception or security service SHOULD be clearly documented. The reception service SHOULD observe all movements of persons at the reception and at all other entrances and, depending on the security concept, monitor them. All employees and visitors SHOULD be able to identify themselves to the reception service. Visitors SHOULD be escorted to their hosts or collected at reception. The reception service SHOULD be informed in good time when access authorizations change.

INF.1.A28 DISCONTINUED (H)

This requirement has been discontinued.

INF.1.A29 DISCONTINUED (H)

This requirement has been discontinued.

INF.1.A30 Selection of a Suitable Building (H)

When selecting a suitable building, it SHOULD be verified that all security requirements relevant to the planned use can be implemented. For each building, the existing threats and the measures required to prevent or reduce damage SHOULD be documented in advance.

INF.1.A31 Vacating Buildings (H) [Central Administration]

Prior to vacating, an inventory of all objects relevant to information security for the move — such as hardware, software, storage media, folders, or documents — SHOULD be compiled. After vacating, all rooms SHOULD be searched for items left behind.

INF.1.A32 Fire Barrier Register (H)

A fire barrier register SHOULD be maintained. All types of barriers SHOULD be individually recorded therein. After work on fire barriers, the changes SHOULD be entered in the register no later than four weeks afterward.

INF.1.A33 DISCONTINUED (H)

This requirement has been discontinued.

INF.1.A34 Hazard Detection System (H)

There SHOULD be a hazard detection system appropriate to the premises and the risks. The hazard detection system SHOULD be regularly inspected and maintained. It MUST be ensured that those who receive hazard alerts are technically and organizationally capable of responding appropriately to the alarm.

INF.1.A35 Perimeter Protection (H) [Planners, Facility Management]

Depending on the protection needs of the building and the terrain, it SHOULD have perimeter protection. At minimum, the following components SHOULD be evaluated for their usefulness and feasibility:

• outer enclosure or fencing,
• security measures against unintentional crossing of a property boundary,
• security measures against intentional non-forcible crossing of the property boundary,
• measures to hinder intentional forcible crossing of the property boundary,
• open-area security measures,
• personnel and vehicle detection,
• evidence-gathering measures (e.g., video recording), and
• automatic alerting.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for the physical security and environmental security of buildings in standard ISO/IEC 27001:2013, Annex A.11.

The Information Security Forum (ISF) provides requirements for the physical security and environmental security of buildings in its standard “The Standard of Good Practice for Information Security” in chapter CF19.

The National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-53 on “Assessing Security and Privacy Controls for Federal Information Systems and Organizations” as part of its Special Publications series, and provides requirements for the physical security and environmental security of buildings in Appendix C (Table C-11).