Feature story from Serbia: Physical security of IT infrastructure - reliable operation of information systems and data protection
The physical security of IT infrastructure is a critical aspect of overall information security: it underpins the reliable operation of information systems and the protection of the data they hold. Physical protection includes measures that prevent unauthorized access, damage, theft or destruction of hardware and software infrastructure. Through examples from various public sector entities in the Republic of Serbia, we present challenges, practices and recommendations related to the physical protection of IT infrastructure.
Legal framework and obligations of auditees
The physical security of information systems is regulated by a series of regulations in the Republic of Serbia, including the Law on Information Security and the Regulation on the Security of Information and Communication Systems. According to Article 7 of the Law, operators of ICT systems of particular importance are responsible for undertaking physical protection measures for ICT systems, including the protection of facilities, premises and areas where equipment is located and where data is processed. According to Article 8, operators are obliged to adopt an ICT Systems Security Enactment, which includes the definition of physical protection measures. This covers access control to the premises, video surveillance and measures against unauthorized access, as well as ensuring security in the event of natural disasters and other threats.
The Regulation on the notification procedure for incidents in information and communication systems of particular importance defines groups of incidents that operators of ICT systems of particular importance are obliged to report to the competent Center for Prevention of Security Risks in ICT Systems (CERT). Regarding incidents relating to physical and technical security, operators of ICT systems of particular importance are obliged to report theft of hardware components, fires and floods.
State of affairs in public sector entities
Based on the audits performed by the State Audit Institution, it can be concluded that the physical protection of IT infrastructure varies and is sometimes unsatisfactory. An unsatisfactory level of physical protection was found in the Performance Audit "Management of the Information System of the Local Tax Administration", carried out in 2021, and in the Performance Audit "Information Systems in Public City Transport", carried out in 2023.
The Performance Audit Report "Management of Information System of the Local Tax Administration", among other things, notes that the physical protection of computers is provided only outside working hours, while during working hours it is also necessary to protect users' computers from unauthorized access. The auditees were recommended to supplement the enactments regulating information security by regulating more closely the technical, organizational and personnel measures necessary for all employees in public revenue authorities to work more safely with the ISLPA (Information System of the Local Tax Administration).
The Performance Audit Report "Information Systems in Urban Public Transport" highlighted the absence of a satisfactory process for approving and revoking access and the absence of a procedure for checking the physical protection of the server. It also stated that the auditees had not adopted procedures or similar documents that regulate information security in detail in terms of monitoring, auditing and supervision within the framework of information security management. The recommendation was to establish a process for approving and revoking access, as well as a procedure for checking the physical protection of servers rented by the bidder.
In the audits of larger entities, the SAI noted that the situation in this area was better, but there were still findings related to the physical protection of IT infrastructure.
In the Performance Audit Report "Effectiveness of the Social Card Information System in the Ministry of Labor, Employment, Veterans and Social Affairs", it was stated that the Ministry has not fully organized IT security in terms of providing appropriate organizational and personnel capacities. It was recommended to the Ministry to take measures to establish organizational and personnel information security, through strengthening of personnel capacities and training of employees in order to perform security protection of information systems.
In the Performance Audit Report "Management of the Information System of Public Enterprise Roads of Serbia", it was stated that no Disaster Recovery Plan had been adopted for the IT system or its subsystems because no Business Continuity Plan existed, and that the auditee does not have a Business Continuity Plan for emergency situations. The auditee was recommended to adopt the mentioned plans, to establish a mechanism of dynamic risk management by defining indicators for daily monitoring of the situation, and to report regularly on the state of information security.
Physical security of IT infrastructure is a significant part of information security and requires constant attention and investment. The practice of public sector entities in the Republic of Serbia shows that there is an awareness of the importance of physical protection, but that it is necessary to improve measures and introduce clear procedures and rules that will ensure adequate protection from physical threats and enable business continuity and data security in all conditions.