Here is the issue: I have some people in information systems who believe the data center should not be de-magnetized in the event of a fire or fire alarm. They believe the data center door should remain locked. On the other hand, one of our administrators and the safety officer believe the data center doors should de-magnetized automatically when a fire or fire alarm occurs.
In terms of physical security, should remain the doors remain locked at all times or open in the event of an emergency?
I am not a physical security expert, nor can I cite a particular reference document. However, it is my opinion that the doors should be de-magnetized and not remain locked.
Lets go through the rationale for this choice.
First, you should not be worried about the destruction of your data, as you obviously have an off-site copy of everything (including equipment to process it on) as part of your disaster recovery or continuity of operations plan.
Second, your personnel security procedures should have screened out anyone that might take advantage of the fire alarm opportunity to steal or destroy your data. So, the main thing we are worried about is the possible injury or loss of life. If for some reason the fire department needed to rescue someone that was trapped in the computer room, wouldn't you want them to be able to get in?
Even at Department of Defense facilities that I have worked in, the rule was that if the fire alarms sounded, you were to leave the building as quickly as you could. You were not to stop and secure classified data before doing so. The security department would deal with any disclosure problems should they occur. Obviously some military procedures might be different (for instance a site being over run by the enemy would do emergency destruction before leaving), but for the most part, safety of personnel is the primary consideration.
So, to be brief, without any documents to back me up, I recommend allowing the doors to be unlock when the fire alarm sounds.
For more info on physical security and disaster recovery, visit these SearchSecurity.com resources:
This was first published in August 2004