Thoughts on premise security.

Michael T. Halligan michael at halligan.org
Fri Oct 17 15:50:41 PDT 2003


I'm building a secured call center for a customer of mine, and security
is our top concern due to the sensitive nature of the data our callcenter
reps will be dealing with.  The office is less than ideal, but workable,
for this type of environment. It's less than ideal because it's not
100% sealed off from the rest of the company; there will be 2 executives,
2 programmers, and myself on a part-time basis in the office as well. Eventually,
as we expand, the call center will be moved into an office that will have a mantrap
and security guard to inspect everybody before they enter and exit, but for now
there are compromises to be made.

Here are some of the steps I'm taking to ensure the best security I can;
let me know if you've got any ideas.

1. None of the callcenter people can bring anything in and out of the building
except lunch.  Lunch is to be carried in clear plastic bags we're assigning
to them, and which will be inspected every time they enter or exit the premise.

2. Nobody in the callcenter gets a PC on their desk.  They get a Wyse terminal
connected to a Citrix server, which allows them to do their work.  The USB ports
on the Wyse terminals have been physically disconnected on the inside, as well
as glue-gunned. Tamper-proof security tape has been put on all seams of the
terminal.

3. The call center application, citrix server, and dumb terminals, are all physically
connected to a switch that nothing else connects to. No internet access.

4. Only the CEO, COO, and myself will have access to the combination for the safe
where the keys to the PCs and keys to the wiring closet/server room are kept. A log must
be filled out every time the electronic safe is opened, and every time the datacenter
is entered.

5. The pcs for corporate staff all have tamper proof tape covering all the seams, locked
cases, chained to desks. 

6. Cameras on every doorway, recorded onto a hard drive, backed up weekly and stored for
7 years at an offsite secured storage company.

7. Address of office is not advertised anywhere, all mail goes to a post office box.

8. All corporate email goes to a relay at the datacenter, which then relays mail to
the office. All outgoing mail has headers rewritten so that the ips of our corporate
office are not advertised.

9. All phonecalls are recorded, indexed by case number (callcenter advocate must enter
in a case # within first 60 seconds of an incoming call or call is disconnected, outgoing
calls must be entered with a case number before they can be made.), and archived for 7 years.

10. For programmers to push code onto app server, they do a build, put it on a cd, give it
to me, and I walk it into the datacenter and install the build. All the cds are archived
and signed by the programmer & myself.

11. Janitorial staff gets background checked and bonded, as well as supervised while they
work.

12. All employees are very thoroughly background checked.

13.  Biometrics & card scanners on every door.

14. Copier requires case #. 

15. All faxes and emails sent and received are sent through one central "communications station"
where the controller has to approve everything, and often have a lawyer approve everything
as well.

16. Windows are sealed and shaded with film.

17. All possible eavesdropping spots we could find have been soundproofed (pretty intense.. basically
all walls got hit with stethoscopes while people talked at loud volumes to make sure there was no way
to listen through doors/hallways).

18. Everything except mailserver gets shut down at 6pm via a password protected reboot switch that
can only be accessed by ceo, coo, director of ops, and myself.  

19. Telephones cannot be used until user has both authenticated via rsa onto their terminal, and 
entered a password to turn their telephone on. 

So that's the basics anyways. I'm doing everything here from specs, purchasing, implementation of all
corporate, call center, and web/colo work, so I'm doing my best to cover all of the bases. They
basically said "be as paranoid as you can", so I'm trying that. Any other good paranoias I've missed?



-------------------
Michael T. Halligan
Chief Geek
Halligan Infrastructure Designs.
http://www.halligan.org/
2250 Jerrold Ave #11
San Francisco, CA 94124-1012
(415) 724.7998 - Mobile



