Hardware Risk

What kinds of risks do you associate with your network hardware outside of "security", i.e. physical access? Do your auditors take any focus outside your physical "security" controls protecting hardware, in terms of hardware control? If so, can you let me know some examples? Do these risks match up with those associated with physical security issues, in terms of likelihood/impact?
Physical access to equipment should be a consideration. Auditors will often insist on viewing the logged access to server rooms.
pma111 (Author) commented:
Thanks, but I was kind of asking for risks associated with hardware above and beyond, or in addition to, physical security controls. I guess firmware, capacity, support, redundancy etc., that kind of thing.
It kind of depends what your business is, but I'll generalize on some things for you.
If you are a hospital or are subject to HIPAA or PCI regulations then there will be additional items.
If you are a member of any stock exchange, there will be additional items.
I'm not really sure how each is weighted, but physical security (or lack thereof) can impact most of the items below. We go as far as 802.1x L2 port lockdown, in which logs are kept on the RADIUS server. You've got to have logs to back everything up.

Some questions:
Business continuity - is there a plan, who manages the plan, what's the test scenario, etc.
If you do offsite transport of backups - how is that data secured during transport and wherever it is housed.
Are employee records safeguarded?  What are the controls in place to protect this personal information?  What is the policy/procedure if there is a data breach?
Is there an information security policy document, who owns it and how is change management of it governed?  How are the IT staff trained on it?

The defense ate me up on this and the ex-employee thief got me good. Ticked me off! It wasn't an auditor, it was an employee stealing data, which made me realize where I was lacking when it went to court:

Evidence collection procedure
Chain of custody - this really ticked me off. I mean, we're not that big... But the defense said that when the hard drive left my office and went to the forensics site I had no shipper to prove it and no chain of custody document from when my guy removed it from the computer... ARRGH! Just a simple Word doc with time/date, who, sign here, serial # of drive, that sort of BS.
How is misuse of company data monitored? Do you keep logon logs? Do you keep printer logs? (Fortunately I did - this person printed 1000s of print jobs one weekend as well as plugged in a couple of external hard drives.) Do you monitor and store web traffic? I knew this person went to an online storage site because of my Websense logs.

The auditors tend to get really carried away on how you know who logged in to what server. Like if all 3 of your guys have the domain admin password, then that is bad. Each must have separate logins for whatever their job role is. That role must be defined as well, in writing.

How fun, I do not envy you.
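The misuse-monitoring point in the answer above (weekend print volume, external drives being attached, visits to online storage sites) is the kind of thing that can be checked mechanically once the logs exist. The following is an added example, not code from the thread or from any product mentioned in it: it correlates three constructed log sources by user and flags anyone who trips two or more indicators. The log line format, the user names, the `category=online-storage` tag and the 200-job threshold are all assumptions made for the example; real print-service, USB and proxy logs will need their own parsers.

```python
"""Correlate print, removable-media and web-proxy logs to surface data-misuse indicators.

Added example (not from the original thread). Every log line below is constructed
for illustration; the "timestamp|user|detail" layout is an assumption, not a real
product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed print-server log: one user fires 600 jobs on a Saturday (2023-03-11),
# another prints three documents on a Tuesday (2023-03-14).
PRINT_LOG = [
    f"2023-03-11 {9 + i // 60:02d}:{i % 60:02d}:00|jsmith|job {i} HR_export_{i}.pdf"
    for i in range(600)
] + [
    "2023-03-14 11:05:00|amiller|job 1 report.pdf",
    "2023-03-14 11:06:00|amiller|job 2 report.pdf",
    "2023-03-14 11:07:00|amiller|job 3 report.pdf",
]

# Constructed removable-media (USB) log; serials are placeholders.
USB_LOG = [
    "2023-03-11 10:03:00|jsmith|WS-17 removable drive attached serial CONSTRUCTED-0001",
    "2023-03-12 08:40:00|jsmith|WS-17 removable drive attached serial CONSTRUCTED-0002",
    "2023-03-14 13:00:00|amiller|WS-03 removable drive attached serial CONSTRUCTED-0003",
]

# Constructed web-proxy log with a category tag (assumed format).
WEB_LOG = [
    "2023-03-11 10:30:00|jsmith|https://upload.example-storage.invalid/|category=online-storage",
    "2023-03-14 09:00:00|amiller|https://www.example.com/|category=news",
]


def parse(lines):
    """Split 'timestamp|user|detail' lines into (datetime, user, detail) tuples."""
    records = []
    for line in lines:
        ts, user, detail = line.split("|", 2)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, detail))
    return records


def weekend_print_counts(print_lines):
    """Count print jobs per user that were submitted on a Saturday or Sunday."""
    counts = defaultdict(int)
    for ts, user, _ in parse(print_lines):
        if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            counts[user] += 1
    return dict(counts)


def users_attaching_removable_media(usb_lines):
    """Users who attached a removable drive at least once."""
    return {user for _, user, detail in parse(usb_lines)
            if "removable drive attached" in detail}


def users_visiting_online_storage(web_lines):
    """Users whose proxy traffic was categorised as online storage."""
    return {user for _, user, detail in parse(web_lines)
            if "category=online-storage" in detail}


def indicators_per_user(print_lines, usb_lines, web_lines, print_threshold=200):
    """Collect the named indicators each user tripped (threshold is an assumption)."""
    indicators = defaultdict(list)
    for user, n in weekend_print_counts(print_lines).items():
        if n >= print_threshold:
            indicators[user].append(f"weekend_print_volume={n}")
    for user in users_attaching_removable_media(usb_lines):
        indicators[user].append("removable_media")
    for user in users_visiting_online_storage(web_lines):
        indicators[user].append("online_storage")
    return dict(indicators)


def flagged_users(print_lines, usb_lines, web_lines, min_indicators=2):
    """Users with at least min_indicators indicators; one alone is usually normal work."""
    return {user: why
            for user, why in indicators_per_user(print_lines, usb_lines, web_lines).items()
            if len(why) >= min_indicators}


if __name__ == "__main__":
    for user, why in flagged_users(PRINT_LOG, USB_LOG, WEB_LOG).items():
        print(f"{user}: {', '.join(why)}")
```

Requiring two independent indicators before flagging keeps the report from paging on every user who plugs in a USB stick; in the constructed data `amiller` attaches a drive but prints nothing unusual and visits no storage site, so only `jsmith` is reported. Run it on real logs only after the retention questions in the answer above (logon, printer and web logs actually being kept) are settled, because the correlation is worthless without all three sources.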
