Objectives
The students should be able to:
- Define power failures: blackout, brownout, sags, spikes & surges, electromagnetic interference (EMI)
- Define protections against power failures: surge protector, universal power supply (UPS), alternate power generators
- Define and describe mediums for fire suppression systems: dry pipe, charged, FM-200, Argonite
- Define physical access controls: biometric door locks, bolting, deadman doors
- Describe the relationship between deadman doors and piggybacking
- Define and describe security awareness, security training, security education, segregation of duties
Source: CISA Review Manual 2009
Remember Data Criticality Classification?
- Critical ($$$$): Cannot be performed manually. Tolerance to interruption is very low
- Vital ($$): Can be performed manually for a very short time
- Sensitive ($): Can be performed manually for a period of time, but may cost more in staff
- Nonsensitive (¢): Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
... and Sensitivity Classification? (Example)
- Confidential: Strategic Plan
- Private: Salary & Health Info
- Internal: Product Plans
- Public: Product User's Manual (Internal until near release)
Defense in Depth: Physical access controls with Guards
Which controls are Preventive? Reactive? Corrective?
Physical Issues and Controls
- Mobile Computing
- Power Protection
- Fire Suppression
- Door Locks & Security
- IPF Environment
Power Protection Systems
- Blackout: Total loss of power
- Brownout: Reduced, nonstandard power levels; may cause damage
- Sags, spikes & surges: Temporary changes in power level (sag = drop); may cause damage
- Electromagnetic Interference (EMI): Fluctuations in power due to electrical storms or electrical equipment; may cause computer crash or damage
Protection by duration of the disturbance:
- < x ms: Surge protector
- < 30 minutes: UPS (Universal Power Supply)
- Hours or days: Alternate power generators
Computer Room Equipped with...
- Water detectors: Placed under raised floors. Risk of electric shock; training necessary. Location of water detectors marked on the floor
- Manual fire alarms: Placed throughout the facility
- Smoke detectors: Above & below ceiling tiles, below the room floor
- Emergency power-off switch: Turns off power to all equipment
- Fire extinguishers: At strategic locations. Tagged & inspected annually
- Alarms should sound locally, at a monitored guard station, and preferably at the fire department
IPF Environment
- Computer room on a middle floor
- Fire department inspects the room annually
- Fire-resistant walls, floor, ceiling, furniture, electrical panel & conduit
- Two-hour fire resistance rating for walls
- Emergency power-off switch: Panel in and outside the room
- Redundant power lines reduce the risk of environmental hazards
- Surge protectors & UPS
- No smoking, food or water in the IPF
Audit: Observe some controls, request documentation, may test batteries and handheld fire extinguishers, ensure the fire suppression system is to code
Fire Suppression Systems
- Water sprinkler
  - Charged
  - Dry pipe
- Gas
  - Dangerous: Halon, Carbon Dioxide
  - Enviro-friendly: FM-200, Argonite
Water sprinkler systems cause water damage when dispersed. Charged pipes contain water and can break or leak. Gas systems do not damage equipment during a fire. Dangerous systems replace oxygen with another gas, and need lead time for people to exit. Halon was banned due to damage to the ozone layer. FM-200 cools equipment down, lowering combustion probability. Enviro-friendly systems are safer for humans and do not damage equipment.
Door Lock Systems
Door locks: Bolting, Combination, Electronic, Biometric
Which systems...
- Enable electronic logging to track who entered at which times?
- Can prevent entry by time of day to particular persons?
- Are prone to error, theft, or impersonation?
- Are expensive to install & maintain?
Which system do you think is best?
Deadman Doors
- Double set of doors: only one can be open at a time
- One person permitted in the holding area
- Reduces the risk of piggybacking: an unauthorized person follows an authorized person into a restricted area
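The two slides above describe electronic locks (logging, time-of-day restrictions) and the deadman-door interlock in words. The following Python is an added example, not code from the CISA Review Manual or from these slides, that models both: an electronic lock that decides by badge and time window and logs every attempt, wrapped by a two-door interlock that never lets both doors open at once and never admits a second person into the holding area. The badge ids, the schedule and the timestamps are constructed sample data.

```python
"""Added example, not from the CISA Review Manual or these slides: an
electronic door lock with per-person time-of-day schedules and an audit
log, combined with a deadman-door (mantrap) interlock. Badge ids, the
schedule and the timestamps are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed schedule: badge id -> (earliest, latest) time the badge may
# open the inner door. A badge missing from the table is never admitted.
SCHEDULE = {
    "B-1001": (time(7, 0), time(19, 0)),    # day staff
    "B-2002": (time(0, 0), time(23, 59)),   # on-call system administrator
}


@dataclass
class ElectronicLock:
    """Electronic lock: decides by badge and time of day, and logs every
    attempt so the log can answer 'who entered, and when'."""
    door: str
    log: list = field(default_factory=list)

    def request(self, badge: str, at: datetime) -> bool:
        window = SCHEDULE.get(badge)
        allowed = window is not None and window[0] <= at.time() <= window[1]
        self.log.append((at.isoformat(timespec="minutes"), self.door, badge,
                         "GRANTED" if allowed else "DENIED"))
        return allowed


class DeadmanDoor:
    """Holding area between an outer and an inner door. The interlock keeps
    two invariants: at most one door is open at a time, and at most one
    person is in the holding area, so a second person cannot tail an
    authorized one into the restricted area (piggybacking)."""

    def __init__(self, inner_lock: ElectronicLock):
        self.inner_lock = inner_lock
        self.outer_open = False
        self.inner_open = False
        self.occupant = None          # badge of the single person inside

    def open_outer(self) -> bool:
        if self.inner_open or self.occupant is not None:
            return False              # interlock: inner open or area occupied
        self.outer_open = True
        return True

    def step_in(self, badge: str) -> bool:
        if not self.outer_open or self.occupant is not None:
            return False              # a second person may not follow the first
        self.occupant = badge
        return True

    def close_outer(self) -> None:
        self.outer_open = False

    def open_inner(self, at: datetime) -> bool:
        if self.outer_open or self.occupant is None:
            return False              # interlock: outer must be closed first
        if not self.inner_lock.request(self.occupant, at):
            return False              # badge outside its window: logged as DENIED
        self.inner_open = True
        return True

    def step_through(self) -> None:
        self.occupant = None
        self.inner_open = False


def demo() -> dict:
    """Walk one staff member through, then a tailgater and an after-hours
    attempt; returns the outcome of each step and the lock's audit log."""
    lock = ElectronicLock("server-room inner door")
    door = DeadmanDoor(lock)
    day = datetime(2024, 5, 6, 9, 30)
    night = datetime(2024, 5, 6, 22, 0)
    r = {}
    r["outer_opens"] = door.open_outer()                  # True
    r["staff_in"] = door.step_in("B-1001")                # True
    r["tailgater_in"] = door.step_in("B-9999")            # False: area occupied
    r["inner_while_outer_open"] = door.open_inner(day)    # False: interlock
    door.close_outer()
    r["outer_while_occupied"] = door.open_outer()         # False: interlock
    r["inner_opens"] = door.open_inner(day)               # True: badge in window
    door.step_through()
    # Same badge after hours: the lock refuses and records the attempt.
    door.open_outer()
    door.step_in("B-1001")
    door.close_outer()
    r["after_hours"] = door.open_inner(night)             # False
    r["log"] = list(lock.log)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lock's log is the slide's "electronic logging": each tuple records time, door, badge and decision, so a denied after-hours attempt is visible to whoever reviews the log, while the interlock methods return False for every move that would let a second person through on one badge.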
Computers in Public Places
Logical protections:
- Imaged computers: No client storage for programs and/or data
- Antivirus / antispyware: Protects users from each other
- Web filters: Avoid pornography, violence, adult content
- Login/passwords: If privileged clientele allowed
- Firewall protection from the rest of the organization
Physical locks
Mobile Computing
- Engrave a serial number and company name/logo on the laptop using an engraver or tamper-resistant tags
- Back up critical/sensitive data
- Use a cable locking system
- Encrypt sensitive files
- Allocate passwords to individual files. Consider: what if the password is forgotten or the person leaves the company?
- Establish a theft response team for when a laptop is stolen
- Report loss of a laptop to the police
- Determine the effect of lost or compromised data on the company, clients, third parties
Device Security
PDAs:
- Approved & registered
- Configuration: controlled, licensed & tested S/W
- Encryption
- Antivirus
- Training & due care (including camera use)
- Easily misplaced
Flash & mini hard drives:
- Banned and USB disabled, OR
- Encrypt all data
Workbook: Physical Security Room Classifications
Sensitivity Class. | Description | Special Treatment
Confidential | Room contains Confidential info. storage or server | Guard key entry. Badge must be visible. Visitors must be escorted
Privileged | Room contains computer equipment or controlled substances | Computers are physically secured using a cable locking system. Doors locked between 5 PM and 7 AM, and weekends unless class in session
Physical Workbook: Criticality Table
Criticality Class. | Description | Special Treatment (Controls related to Availability)
Critical | Room contains Critical computing resources, which cannot be performed manually | Availability controls include: temperature control, UPS, smoke detector, fire suppressant
Vital | Room contains Vital computing resources, which can be performed manually for a short time | Availability controls include: surge protector, temperature control, fire extinguisher
Workbook: Physical Security Allocation of Assets
Room | Sensitivity & Crit. Class | Sensitive Assets or Info. | Room Controls
Rm 123 | Privileged, Vital | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9 PM - 8 AM by security
Rm 125 | Privileged, Vital | Classroom: Computer & projector | Cable locking system. Teachers have keys to door
Rm 132 | Confidential, Critical | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required
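The three workbook tables above carry enough structure for an audit gap check: the classification tables say which controls a Confidential, Privileged, Critical or Vital room must have, and the allocation table says which controls are recorded for each room. The following Python is an added example, not part of the workbook or the CISA Review Manual, that joins the two. The short control labels (for instance reading "Doors locked 9PM-8AM by security" as "doors locked after hours") are my own normalization of the tables' phrases, and controls that do not match a required one literally are kept as separate labels rather than silently equated.

```python
"""Added example, not from the workbook or the CISA Review Manual: a gap
check comparing the controls each room's classification requires with the
controls recorded for the room in the allocation-of-assets table. The
short control labels are my own normalization of the tables' wording."""

# Required controls per classification, transcribed from the workbook's
# sensitivity and criticality tables (labels normalized: assumption).
REQUIRED = {
    "Confidential": {"guard key entry", "visible badge", "escorted visitors"},
    "Privileged": {"cable locking system", "doors locked after hours"},
    "Critical": {"temperature control", "UPS", "smoke detector", "fire suppressant"},
    "Vital": {"surge protector", "temperature control", "fire extinguisher"},
}

# Rooms from the allocation-of-assets table with the controls it records.
# "Teachers have keys to door" and "Key-card entry logs personnel" are kept
# as their own labels because they do not literally match a required control.
ROOMS = [
    {"room": "Rm 123", "classes": ["Privileged", "Vital"],
     "controls": {"cable locking system", "doors locked after hours"}},
    {"room": "Rm 125", "classes": ["Privileged", "Vital"],
     "controls": {"cable locking system", "teacher keys"}},
    {"room": "Rm 132", "classes": ["Confidential", "Critical"],
     "controls": {"key-card entry with logging", "visible badge"}},
]


def required_for(classes, required=REQUIRED):
    """Union of the controls demanded by every class a room carries."""
    needed = set()
    for cls in classes:
        if cls not in required:
            raise ValueError(f"unknown classification: {cls}")
        needed |= required[cls]
    return needed


def gap_report(rooms=ROOMS, required=REQUIRED):
    """Per room: required controls not recorded ('missing') and recorded
    controls no classification asks for ('extra', to review, not errors)."""
    report = {}
    for r in rooms:
        needed = required_for(r["classes"], required)
        report[r["room"]] = {
            "missing": sorted(needed - r["controls"]),
            "extra": sorted(r["controls"] - needed),
        }
    return report


def rooms_missing(control, rooms=ROOMS, required=REQUIRED):
    """Inverse view for the auditor: which rooms lack a given control."""
    return sorted(room for room, gaps in gap_report(rooms, required).items()
                  if control in gaps["missing"])


if __name__ == "__main__":
    for room, gaps in gap_report().items():
        print(room, "missing:", gaps["missing"], "extra:", gaps["extra"])
    print("rooms without temperature control:", rooms_missing("temperature control"))
```

Every room comes out missing its availability controls (UPS, temperature control, extinguishers), because the allocation table records only access controls; that is exactly the list an auditor would take into the room to observe, or request documentation for, rather than assume the table is complete.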
Summary of Physical Controls
Physical access control:
- Walls, doors, locks
- Badges, smart cards
- Biometrics
- Security cameras & guards
- Fences, lighting, sensors
- Cable locking system
- Computer screen hoods
Environmental controls:
- Backup power
- Air conditioning
- Fire suppressant
Secure procedures:
- Engraved serial numbers
- Locked files, desks
- Clean desk
- Paper shredders
- Locking screensaver
- Locked doors at night
Question
A fire suppression system that is environmentally friendly, is not lethal, and does not damage equipment is:
1. Dry Pipe
2. Halon
3. Charged
4. FM-200
Question
The best way to prevent piggybacking into secured areas is:
1. Deadman door
2. Bolting door
3. Guard
4. Camera
Question
A surge protector is the best protection against:
1. Electromagnetic interference
2. Loss of power for minutes
3. A blackout
4. Sags and spikes
Question
To eliminate problems with incomplete transactions during a sudden power failure, Joe has decided that some form of temporary power supply is necessary to ensure a graceful shutdown. The best option for Joe is:
1. UPS
2. Surge protector
3. Alternate power generator
4. Battery supply
Personnel Security
Auditors check for both physical and personnel security too...
Workbook: Personnel Security Personnel Threats
Threat | Role | Liability or Cost if threat occurs
Divulging private info | Employee | FERPA violation = loss of federal funds
Grant abuse | Employee with grant | Loss of funds from US granting agencies
Security Awareness & Training
- Training covers what is expected of employees: Why is the policy in place? How is the policy enforced?
- Training may be implemented as: new employee orientation, company newsletters
- Determine effectiveness by interviewing employees
Awareness Function: Types of Security Training
Type | Goal | Audience | Methods
Awareness | Create a security-conscious workforce | Employees, partners & vendors | Newsletters, surveys, quizzes, video training, forums, posters
Training | Necessary skills for a particular position | HR, legal, middle or top mgmt, IT, programmers | Workshops, conferences
Education | High-level skills | High-skilled professions: audit, security admin/mgmt, risk mgmt... | Organized and gradual development: teaching & coaching
Awareness Training
- Signed employment agreements, video, memos, e-mails, posters, seminars and training classes: a combination of parallel approaches
- Knowledge areas:
  - Backing up work-related files
  - Choosing passwords and avoiding exposure
  - Avoiding e-mail and web viruses
  - Recognizing social engineers
  - Recognizing & reporting security incidents
  - Securing electronic & paper media against theft & exposure
  - Spotting malware that could lead to identity theft & desktop spying
- Metrics should be established to determine the effectiveness of change in behavior and workforce attitude
Segregation of Duties
Origination -> Verification (double-checks) -> Authorization (approves) -> Distribution (acts on)
Organizational Segregation of Duties
Roles: Development, System/Network Admin, Business, Audit, Security/Compliance, Quality Control
Relationships shown in the diagram:
- Development delivers S/W to System/Network Admin, which serves Business
- Quality Control tests or ensures quality of S/W or production
- Security/Compliance advises & monitors for security
- Audit ensures procedures are professionally done
IT Segregation of Duties
- Development environment: Application programmer, Systems programmer
- Production environment: Computer operator, System administrator, Network administrator, Help desk
- Test environment: Quality assurance
- Security control group: Security admin
- Requirements/design: Systems analyst, Database administrator
- User: End user, Data entry
Segregation of Duties Controls
- Transaction authorization
- Custody of assets
- The data owner's responsibility is specific and documented; the owner allocates authorization according to least privilege and segregation of duties
- The security administrator implements physical, system & application security
- Authorization forms
- User authorization tables: who can view/update/delete data at the transaction or field level
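The segregation-of-duties slide names four stages of a transaction (origination, verification, authorization, distribution) and the controls slide above adds user authorization tables at the transaction level. The following Python is an added example, not code from the CISA Review Manual or from these slides, that puts both to work: a preventive check of the authorization table for users granted more than one stage, and a detective check over an application transaction log for stages performed without authorization or by one user twice on the same transaction. The assumption that no single person may perform two of the four stages on one transaction is stricter than anything the slides spell out; the users, transaction ids and log lines are constructed sample data.

```python
"""Added example, not from the CISA Review Manual or these slides: a
segregation-of-duties check over an application transaction log, using
the four stages from the segregation-of-duties slide and a user
authorization table at transaction level. Users, transaction ids and log
lines are constructed sample data; the rule that one person may perform
only one stage per transaction is an assumption of this example."""
from collections import defaultdict

STAGES = ("origination", "verification", "authorization", "distribution")

# Constructed user authorization table: user -> stages the user may perform.
# 'erin' is deliberately over-privileged so the table check has a finding.
AUTHZ = {
    "alice": {"origination"},
    "bob": {"verification"},
    "carol": {"authorization"},
    "dave": {"distribution"},
    "erin": {"origination", "authorization"},
}

# Constructed application transaction log: timestamp,txn,user,stage
LOG = """\
2024-05-06T09:01,TX-1,alice,origination
2024-05-06T09:05,TX-1,bob,verification
2024-05-06T09:10,TX-1,carol,authorization
2024-05-06T09:30,TX-1,dave,distribution
2024-05-06T10:01,TX-2,erin,origination
2024-05-06T10:02,TX-2,erin,authorization
2024-05-06T10:03,TX-2,dave,distribution
2024-05-06T11:00,TX-3,bob,origination
2024-05-06T11:05,TX-3,carol,authorization
"""


def parse_log(text):
    """Return (timestamp, txn, user, stage) tuples; rejects unknown stages."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, txn, user, stage = (f.strip() for f in line.split(","))
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r} in line {line!r}")
        events.append((ts, txn, user, stage))
    return events


def check_authorization_table(authz=AUTHZ):
    """Preventive check: users whose table entry grants more than one stage.
    The table is meant to enforce least privilege before anything runs."""
    return {user: sorted(stages) for user, stages in authz.items()
            if len(stages & set(STAGES)) > 1}


def audit_transactions(events, authz=AUTHZ):
    """Detective check over the log: a stage performed by a user the table
    does not allow, and a user who performed two stages on one transaction."""
    findings = []
    by_txn = defaultdict(lambda: defaultdict(set))   # txn -> user -> stages
    for ts, txn, user, stage in events:
        if stage not in authz.get(user, set()):
            findings.append(("unauthorized_stage", txn, user, stage))
        by_txn[txn][user].add(stage)
    for txn, users in by_txn.items():
        for user, stages in users.items():
            if len(stages) > 1:
                findings.append(("sod_conflict", txn, user,
                                 "+".join(sorted(stages))))
    return findings


if __name__ == "__main__":
    print("over-privileged users:", check_authorization_table())
    for finding in audit_transactions(parse_log(LOG)):
        print(*finding)
```

The two checks are complementary: the table check would have caught erin's dual grant before any transaction, while the log check catches what the table alone cannot, such as bob originating TX-3 without a matching grant, which is why application transaction logs are the audit trail to keep for fraud detection.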
Workbook: Personnel Security Personnel Controls
Threat | Role | Control
Divulging private info | Employee | FERPA training: annual quiz review, new employee training
Grant abuse | Employee with grant | Financial controls: employee, administrator and financial office check
Workbook: Personnel Security Responsibility of Security to Roles
Role | Responsibility
Registrar | Establish FERPA training. Data owner: student scholastic and financial information. Oversee FERPA adherence in Registration dept.
Admin. | Attend FERPA training. Retain locked cabinets with student info
Security Admin | Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ...
Workbook: Personnel Security Requirements: Training, Documentation
Role | Requirements: Training, Documentation
Registrar | FERPA experience in hiring. Training every 3-5 years at a national conference or workshop
Employee handling student data | University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy
Personnel Issues
- Background checks can reduce fraud: the more secure the position, the more checking is required. A standard or procedure may be useful
- Training & signed contracts
- Track and document theft: minor incidents could add up to a major pattern problem, and can be monitored for potential problem employees, assuming policy is in place and employees are aware of it
Employee Hiring
- Document security responsibilities
- Screen candidates for sensitive positions
- Have signed agreements regarding: job responsibilities, conditions of employment, security responsibilities (incl. copyright), confidentiality agreement
- Indicate corrective actions taken if security requirements are not followed
Employee Termination
Unless a continued relationship is expected:
- Return equipment
- Revoke access
- Return all access keys, ID cards and badges
- Notify all staff and security personnel
- Arrange final pay
- Perform termination interview
Third Party Agreements
- Define information security policy
- Define procedures to implement the policy
- Deploy controls to protect against malicious software
- Publish restrictions on copying/distributing information
- Implement procedures to determine whether assets were compromised
- Ensure return or destruction of data at the end of the job
Summary of Personnel Controls
- Segregation of duties
- Mandatory vacations or job rotation
- Training and written policies and procedures
- Background checks
- Need to know / least privilege
- Fraud reporting mechanism
- Transaction logs
Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software Developer and System Administration
2. Database administration and Data Entry
3. System Administrator and Quality Assurance
4. Quality Assurance and Software Developer
Question
Which is MOST important for a successful security awareness program?
1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective
Question
To detect fraud, the BEST type of audit trail to log would be:
1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions
HEALTH FIRST CASE STUDY: Designing Physical Security
- Jamie Ramon, MD: Doctor
- Chris Ramon, RD: Dietician
- Terry: Licensed Practicing Nurse
- Pat: Software Consultant
Defining Room Classifications and Controls
Sensitivity Classification | Description | Special Treatment (Examples)
Proprietary | Room contains Proprietary information storage | Room and all cabinets remain locked
Confidential | Room contains Confidential information storage | Workstation monitor has a hood
Private | Room contains a computer with access to sensitive data, or room contains controlled substances | Room remains locked when not attended. No visitors are allowed in these areas unescorted
Privileged | Room contains a computer with access to sensitive data but the public has access when escorted |
Public | The public is free to spend time in this room, without escort |
Criticality Classification | Description |
Critical | Room contains Critical computing resources, which cannot be performed manually |
Vital | Room contains Vital computing resources, which can be performed manually for a short time |
Physical Security Map
Sensitivity classification color key:
- Green: Public
- Yellow: Privileged
- Orange: Private
- Red: Confidential
Workbook: Physical Security Allocation of Assets
Room | Sensitive Assets or Information | Room Controls
Rm 123 | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9 PM - 8 AM by security
Rm 125 | Classroom: Computer & projector | Cable locking system. Teachers have keys to door
Rm 132 | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required
Reference
Slide # | Slide Title | Source of Information
4 | Criticality Classification | CISA: page 127 Exhibit
 | Security: Defense in Depth | CISM: page 60, 61 Exhibit
 | Defense in Depth: Physical access controls with Guards | CISM: page 61 Exhibit
 | Power Protection Systems | CISA: page 381,
 | Computer Room Equipped with | CISA: page
 | Fire Suppression Systems | CISA: page
 | Door Lock Systems | CISA: page
 | Deadman Doors | CISA: page
 | Mobile Computing | CISA: page 386,
 | Device Security | CISA: page 256, 256,
 | Security Awareness & Training | CISA: page 321,
 | Segregation of Duties | CISA: page 117,
 | Segregation of Duties Controls | CISA: page 119,
 | Employee Hiring | CISA: page
 | Employee Termination | CISA: page 106