Chapter 7 Physical Environmental Security Program and Policies

Chapter 7: Physical & Environmental Security Program and Policies Principles and Practices Updated 02/2018 by Sari Stern Greene

Objectives
- Define the concept of physical security and how it relates to information security
- Evaluate the security requirements of facilities, offices, and equipment
- Understand the environmental risks posed to physical structures, areas within those structures, and equipment
- Enumerate the vulnerabilities related to reusing and disposing of equipment
- Recognize the risk posed by the loss or theft of mobile devices and media
- Develop policies designed to ensure the physical environmental security of information, information systems, and information processing and storage facilities

Copyright 2014 Pearson Education, Inc.

Introduction
- Security professionals often focus on technical controls and can overlook the importance of physical controls
- Early computer age (easy system protection):
  - Locked labs, heavy computers, and only a few were granted access to information
- Today:
  - Transportable computers, many employees/workers, and limited privacy

Understanding the Secure Facility Layered Defense Model
- If an intruder bypasses one layer of controls, the next layer should provide additional defense and detection capabilities
- Both physical and psychological
  - The appearance of security is a deterrent
  - E.g. medieval castles: built of stone, on a high hill, with guards, and one entryway, all designed to ward off intruders

How to Secure the Site
- Physical protection is required for information-processing facilities:
  - A closet of one server
  - A complex of buildings with thousands of computers
- In addressing site physical security, we must consider:
  - Theft
  - Malicious destruction
  - Accidental damage
  - Damage that results from natural disasters

How to Secure the Site cont.
- The design of a secure site starts with the location
- Evaluating location-based threats:
  - Political stability
  - Susceptibility to terrorism
  - Crime rate in the area
  - Roadways and flight paths
  - Utility stability
  - Vulnerability to natural disasters
- Critical information processing facilities should be inconspicuous and unremarkable

How to Secure the Site cont.
- The physical perimeter can be protected using:
  1. Obstacles:
     - Berms, fences, gates, and bollards
     - Illuminated entrances, exits, pathways, and parking areas
  2. Detection systems:
     - Cameras, closed-circuit TV, alarms, motion sensors, and security guards
  3. Response system:
     - Locking gates and doors, personnel notification and direct communication with police

How Is Physical Access Controlled?
- Physical entry and exit controls: depending on the site and level of security required, available access controls (camera, locks, etc.) can be selected from
  - Authorizing entry (building access)
  - Securing offices, rooms, and facilities (within the building)
  - Working in secure areas
  - Ensuring clear desks and screens

Authorizing Entry
- Access control rules should be designed for:
  - Employees
  - Third-party (contractors/partners/vendors)
  - Visitors
- Physical entry/access controls (rules):
  - Authorized users should be authorized prior to gaining access to a protected area
  - Visitors should be identified, labeled, and authorized prior to gaining access to a protected area

Authorizing Entry cont.
- Physical entry/access controls (rules):
  - Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
  - Identification should start as soon as a person attempts to gain entry

Securing Offices, Rooms, and Facilities
- Workspaces should be classified based on the level of protection required
  - Some internal rooms and offices as well as parts of individual rooms (cabinets and closets) may also require different levels of protection
- Classification system should address
  - Personnel security
  - Information system security
  - Documents security
- Secure design controls within the building include
  - Alarm, monitored activity, and unbreakable windows etc.

Working in Secure Areas
- It is not enough to just physically secure an area; close attention should also be paid to
  - who is allowed to access the area
  - what they are allowed to do
- The area should be
  - continually monitored
  - access control lists should be reviewed frequently
- Based on the circumstances, devices are restricted from entering certain areas
  - cameras, smartphones, tablets, and USB drives

Ensuring Clear Desks and Screens
- Companies have a responsibility to protect physical and digital information (during the workday and non-business hours)
- Protected or confidential documents should never be viewable to unauthorized personnel
  - Documents should be locked in file rooms, desk drawers and cabinets when not in use
  - Copiers, scanners, and fax machines should be located in nonpublic areas and require the use of codes

Protecting Equipment
- Both company and employee-owned equipment should be protected
- Hardware assets must be protected from:
  - Power surges: prolonged increase in voltage
  - Power spikes: momentary increase in voltage
  - Blackouts: prolonged periods of power loss
  - Fault: momentary loss of power
  - Sag: momentary periods of low voltage
  - Brownout: prolonged period of low voltage

Protecting Equipment cont.
- Protective devices can be installed to help protect the area and assets such as
  - Voltage regulators
  - Isolation transformers
  - Line filters
- No power, no processing
  - Reduce power consumption, for example by purchasing Energy Star certified devices

How Dangerous Is Fire?
- Three elements of fire protection:
  1. Fire prevention controls
     - Hazard assessments, inspections, and following construction codes
  2. Fire detection
     - Smoke, heat, and flame activated (detection devices)
  3. Fire containment and suppression
     - Responding to the fire based on its specific classification
       - Class A (materials: wood, paper)
       - Class B (liquids: oils, gas)
       - Class C (electrical equipment)
       - Class D (metals)

What About Disposal?
- Removing data from drives
  - Formatting a hard drive or deleting files does not mean that the data located on that drive cannot be retrieved
  - Two methods for permanently removing data from drives before their disposal:
    - Disk wiping (overwriting the hard drive with 0 and 1)
    - Degaussing (exposing the hard drive to high magnetic field)
- Destroying materials
  - Making devices/media unreadable and unusable through destruction (crushing, shredding or drilling through devices)
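
The disposal point above, as an added example that is not part of the original slides: a toy disk image shows that clearing only the file table leaves the data findable by a raw scan, while overwriting every sector with 0s and then 1s does not. The image layout, file names, and sample contents are assumptions constructed for this illustration.

```python
import os
import tempfile

SECTOR = 512
SECRET = b"CONSTRUCTED SAMPLE: payroll export"  # constructed sample data

def make_image(path, sectors=64):
    """Toy disk image (assumption): sector 0 is a file table, the rest is data."""
    image = bytearray(SECTOR * sectors)
    image[:18] = b"TABLE:report.txt@8"  # 18-byte table entry pointing at sector 8
    image[8 * SECTOR:8 * SECTOR + len(SECRET)] = SECRET
    with open(path, "wb") as f:
        f.write(image)

def quick_format(path):
    """Model of formatting or deleting: only the file table is cleared."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))

def recoverable(path, needle=SECRET):
    """Raw scan of the whole image, ignoring the file table."""
    with open(path, "rb") as f:
        return needle in f.read()

def wipe(path, patterns=(b"\x00", b"\xff")):
    """Overwrite every sector once per pattern, then verify the last pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            for _ in range(size // SECTOR):
                f.write(pattern * SECTOR)
            f.flush()
            os.fsync(f.fileno())  # force this pass to storage before the next
        f.seek(0)
        return f.read() == patterns[-1] * size

def demo():
    """Return (found_after_format, found_after_wipe, wipe_verified)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        quick_format(img)
        found_after_format = recoverable(img)
        verified = wipe(img)
        return found_after_format, recoverable(img), verified

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```
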

Summary
- The physical perimeter of the company must be secured.
- Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed.
- Environmental threats such as power loss or a fire must be taken into account and the proper hardware must be placed.
- A clean screen and desk policy is important to protect the confidentiality of company-owned data.
- It is important to permanently remove data before recycling or disposing of a device.