We've been doing a few data centre audits as of late, and most entities seem to think just because they have CCTV at their co-location data centres, they meet the compliance requirements of PCI DSS.
You'll note from wording that access control systems need to be MONITORED. Â If you've a data centre with a few hundred cameras and one security guard in an ops room look at screens, then it's likely your CCTV control is NOT being correctly monitored.
The idea of monitoring is to observe CCTV 24/7, and correlate activity on cameras with access control logs and check the people on view are actually supposed to be there, and aren't interfering with equipment they shouldn't be.
PCI DSS control 9.1.1.a states that cameras/and or access control systems must be in place.
PCI DSS control 9.1.1.c states that cameras/and or access control systems must be monitored. Â The RoC reporting instructions go one step further and say that data from cameras/and or access control systems must be reviewed and correlated with other entries.
This is about closing the loop, and converging security controls. Â For example, if a camera detects somebody in a sensitive area, this should be correlated back to access control systems. Â Did the somebody also check in/out a key for a rack, or use the right badge to get in? Â Did the somebody tailgate? Â Has the correct authorisation been sought and documented/signed-off? Â Does a change control / RFC exist for whatever the somebody was doing there?
Just sticking up a camera and pointing it at a rack does not meet PCI DSS.
Some readers might be wondering why we're bothering to discuss such a minor control, after all, co-location data centres are highly guarded, secure areas that never get breached, and all other customers in the co-location facility are in the same boat, and can be trusted.
Or can they?
All you need to access a co-location facility is not social engineering, a gun, exquisite knowledge of back doors and access control mechanisms, but a rack. Â One can buy rack space without an identity check, a CRB check or any form of identification. Â This gets you access to a co-location facility. Â With a spot of information gathering from your keen salesman, you will get a rack in the same facility as your target.
Now unless you have CCTV and/or access control systems that directly monitor your co-located racks, then you're simply never going to know who has been in them, and what they've done.
..and remember, with physical access to information systems, criminals can pretty much do whatever they want.