Presentation is loading. Please wait.

Presentation is loading. Please wait.

Physical & Personnel Security

Similar presentations

Presentation on theme: "Physical & Personnel Security"— Presentation transcript:

1 Physical & Personnel Security
Physical Security Personnel Security This material is taken mainly from CISA Review Manual 2011, Chapter The castle symbolizes Defense in Depth.

2 Acknowledgments Material is from:
CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Reviewers: Kahili Cheng Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant : Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation. CISA Review Manual 2009

3 Objectives The students should be able to:
Define power failures: blackout, brownout, sags, spike & surges, electromagnetic interference (EMI) Define protections against power failures: surge protector, universal power supply (UPS) , alternate power generators Define and describe mediums for Fire Suppression System: dry pipe, charged, FM200, Argonite Define physical access controls: biometric door locks, bolting, deadman doors Describe the relationship between deadman door and piggybacking Define and describe security awareness, security training, security education, segregation of duties CISA Review Manual 2009

4 Remember Data Criticality Classification?
Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low Vital $$: Can be performed manually for very short time Sensitive $: Can be performed manually for a period of time, but may cost more in staff Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort The criticality classification is concerned with whether the company can survive without automated (computerized) access to the data. These class names are common in industry. CISA Review Manual 2009

5 … and Sensitivity Classification? (Example)
The Sensitivity Classification is concerned with how much the organization wants to protect the info from release both within the organization and outside. The data classification shown above is an example, not an absolute. In other words, different companies will categorize their data differently. Internal CISA Review Manual 2009

6 Security: Defense in Depth
How did a castle protect from attacks? Notice that they had multiple layers of controls. We use the same concept of multiple layers for computer security. Here is an example list of controls that are implemented as part of layering, also known as “Defense in Depth”. The circle on the right is like an onion – to get to the center you have to go through many security layers. Border Router Perimeter firewall Internal firewall Intrusion Detection System Policies & Procedures & Audits Authentication Access Controls CISA Review Manual 2009

7 Defense in Depth: Physical access controls with Guards
Which controls are Preventive? Reactive? Corrective? Alarm system: Protects doors, windows. Video cameras: sophisticated activate on motion, record for playback Manual Logging: People (visitors) sign in Bonded personnel: Contract personnel are bonded Controlled Visitor Access: Employees must accompany visitors CISA Review Manual 2009

8 Physical Issues and Controls
Mobile Computing Power Protection Fire Suppression Door Locks & Security IPF Environment CISA Review Manual 2009

9 Power Protection Systems
< x ms < 30 minutes Hours or days Surge Protector UPS: Universal Power Supply Alternate Power Generators Blackout: Total loss of power Brownout: Reduced, nonstandard power levels may cause damage Sags, spikes & surges: Temporary changes in power level (sag=drop) may cause damage Electromagnetic Interference (EMI): Fluctuations in power due to electrical storms or electrical equipment may cause computer crash or damage Definitions – Surge Protector: Electric device reduces the risk of damage to equipment due to power spikes, sags, and surges. Voltage regulators makes sure the incoming electric is at a safe voltage, by increasing or decreasing the charge. A surge protector can be built into a Universal Power Supply (UPS) Universal Power Supply: Has either a battery or gas powered generator, which cleans the power entering the computer by making sure the wattage is consistent. Alternate Power Generator: Another source of power if power failure occurs. How long each power protection last: Surge Protector: Protects interruptions less then a few milliseconds. UPS: Protects interruptions from a few milliseconds to 30 minutes. Alternate Power Generator: Protects interruptions long term from a few milliseconds to several days. Depending on how long you expect the power failure to be, depending on what system you select. Source:  CISA® Review Manual 2011 © 2010, ISACA. All rights reserved. Used by permission. CISA Review Manual 2009

10 Computer Room Equipped with…
Water Detector: Placed under raised floors Risk of electric shock; training necessary Location of water detectors marked on floor Manual Fire Alarm: Placed throughout facility Smoke Detectors: Above & below ceiling tiles, below room floor Emergency Power-Off Switch: Turn off power to all equipment Fire Extinguishers: At strategic locations Tagged & inspected annually Alarms should sound locally, at monitored guard station, and preferably fire dept. A facility is shown above, with devices to ensure Availability. CISA Review Manual 2009

11 IPF Environment Computer room on middle floor
Fire department inspects room annually Fire-resistant walls, floor, ceiling, furniture, electrical panel & conduit Two-hour fire resistance rating for walls Emergency Power-off switch: Panel in and outside room Redundant power lines reduce risk of environmental hazards Surge protectors & UPS No smoking, food or water in IPF Audit: Observe some, request documentation, may test batteries, handheld fire extinguishers, ensure fire suppression system is to code IPF=Information Processing Facilities Computer room on middle floor: To high and fire department can’t get to it. Too low and susceptible to break-in or floods. CISA Review Manual 2009

12 Fire Suppression Systems
Water sprinkler systems cause water damage when dispersed. Charged pipes contain water and can break or leak. Gas systems do not damage equipment during fire. Dangerous systems replace oxygen with another gas, and need lead time for people to exit. Halon was banned due to damage to ozone layer. FM-200 cools equipment down, lowering combustion probability. Enviro-friendly is safer to humans, does not damage equipment. Charged water sprinkler Dry pipe Fire Suppression Halon gas dangerous Definitions: Charged: Water is always held in the charged pipes. This system helps water sprinkler systems, but are depended on pipes not leaking or breaking. Water damages can occur if pipes are leaking or are broken, which can end up being expensive. Dry pipe: Initially there is no water in the pipes. Once a fire alarm is activated, water gets sent through the pipes. Halon: The system releases Halon gas to remove oxygen in the air. This process contains the fire and not allow it to spread. Carbon Dioxide: The system releases CO2 into a protected area to replace oxygen. CO2 is not a human friendly option, and thus is dangerous. FM-200: Suppresses fire by releasing gas onto the surface of combustible materials. Argonite: A combination of 50% argon and 50% nitrogen, which acts as an effective fire extinguisher and spreads to reduce fire. Source:  CISA® Review Manual 2011 © 2010, ISACA. All rights reserved. Used by permission. Carbon Dioxide FM-200 enviro- friendly Argonite CISA Review Manual 2009

13 Door Lock Systems Which systems…
Enable electronic logging to track who entered at which times? Can prevent entry by time of day to particular persons? Are prone to error, theft, or impersonation? Are expensive to install & maintain? Which system do you think is best? key eye Function of each door lock system: Bolting: requires the traditional metal key to gain access. Its important the key is stamped with “Don’t Duplicate”, stored securely and giving to only authorized personnel. Combination: has a key pad or dial to gain access. Its important the code to gain access is regularly changed. Electronic: has a magnetic or embedded chip-based plastic card key or token to gain access. Biometric: requires authorized personnel to use a unique body feature. For example: voice, eyes, fingerprint or signature. This system is used for extremely sensitive facilities like the military. Electronic and Biometric enable electronic logging and prevent entry by time of day. Combination and electronic can be easily changed if the logical access key is divulged or stolen. Source:  CISA® Review Manual 2011 © 2010, ISACA. All rights reserved. Used by permission. 3-6-4 CISA Review Manual 2009

14 Deadman Doors Double set of doors: only one can be open at a time
One person permitted in holding area Reduces risk of piggybacking: unauthorized person follows authorized person into restricted area CISA Review Manual 2009

15 Computers in Public Places
Logical Protections Physical Locks Imaged computers No client storage for programs and/or data Antivirus / antispyware Protects users from each other Web filters Avoid pornography, violence, adult content Login/passwords If privileged clientele allowed Firewall protection from rest of organization Computers in public places should be locked and cabled to something non-moveable. Non-portable PCs have loop holes to ensure that locks can prevent people from opening the back of the PC. This prevents both PC and PC cards from walking away. Here you can see that the lock locks the computer to its back cover, and includes a cable.

16 Mobile Computing Engrave a serial number and company name/logo on laptop using engraver or tamper-resistant tags Back up critical/sensitive data Use cable locking system Encrypt sensitive files Allocate passwords to individual files Consider if password forgotten or person leaves company…? Establish a theft response team for when a laptop is stolen. Report loss of laptop to police Determine effect of lost or compromised data on company, clients, third parties Disappearing laptops are one of the most common security problems.I n computer labs, universities use a cable locking system to lock down computers (and their parts) – to ensure the computers are NOT mobile!!! CISA Review Manual 2009

17 Device Security PDAs Approved & registered
Configuration: controlled, licensed, & tested S/W Encryption Antivirus Training & Due Care (including camera use) Easily misplaced Flash & Mini Hard Drive Banned and USB disabled OR Encrypt all data Here are some ways to ensure security with devices. CISA Review Manual 2009

18 Workbook: Physical Security Room Classifications
Sensitivity Class. Description Special Treatment Confidential Room contains Confidential info. storage or server Guard key entry. Badge must be visible. Visitors must be escorted Privileged Room contains computer equipment or controlled substances Computers are physically secured using cable locking system Doors locked between 5 PM and 7 AM, and weekends unless class in session. Here we can name a Room Sensitivity Class (which may correspond to the Data Sensitivity Class – or not). We need to define what defines a Room Sensitivity, and then how each room classification shall be handled. Above, we have a school system, where Protected rooms are public part time. A room is Confidential if it has files in paper or electronic form, that contain Confidential information.

19 Physical Workbook: Criticality Table
Class. Description Special Treatment (Controls related to Availability) Critical Room contains Critical computing resources, which cannot be performed manually. Availability controls include: Temperature control, UPS, smoke detector, fire suppressant. Vital Room contains Vital computing resources, which can be performed manually for a short time. surge protector, temperature control, fire extinguisher. CISA Review Manual 2009

20 Workbook: Physical Security Physical Security map
Rm. 124 Rm. 128 Rm 130 Rm 132 Comp. Facility Lobby Rm. 123 Rm. 125 Rm. 129 This map shows a layout of a floor, including which rooms are Protected and Confidential. Door entry is also shown. The Criticality classification may be shown on the map too, instead of as a note. Sensitivity Classification: Black: Confidential Gray: Privileged Light: Public Criticality Classification: (Availability) Rm 132: Critical Rm 124, 125, 128, 129: Vital

21 Workbook: Physical Security Allocation of Assets
Room Sensitivity & Crit. Class Sensitive Assets or Info. Room Controls Rm 123 Privileged, Vital Computer Lab: Computers, Printer Cable locking system Doors locked 9PM-8AM by security Rm 125 Classroom: Computer & projector Teachers have keys to door. Rm 132 Confidential, Critical Servers and critical/sensitive information Key-card entry logs personnel. Badges required.

22 Summary of Physical Controls
Physical Access Control Walls, Doors, Locks Badges, smart cards Biometrics Security cameras & guards Fences, lighting, sensors Cable locking system Computer screen hoods Environmental Controls Backup power Air conditioning Fire suppressant Secure procedures Engraved serial numbers Locked files, desks Clean desk Paper shredders Locking screensaver Secure procedures: locked doors at night

23 Question A Fire Suppression system that is environmentally friendly, is not lethal, and does not damage equipment is: Dry Pipe Halon Charged FM-200 4 – FM-200.

24 Question The best way to prevent piggybacking into secured areas is:
Deadman door Bolting door Guard Camera 1 – Deadmand door Camera is not a preventative technique; guard and bolting door may allow someone in other than the authorized person.

25 Question A surge protector is the best protection against
Electromagnetic interference Loss of power for minutes A blackout Sags and spikes 4 - Sags and spikes: Since sags and spikes are a short term interruptions (last from a millionths to a few thousandths of a second), surge protector can protect a computer with interruptions less than a few milliseconds. A surge protector reduces the risk of damages to equipment by regulating power spikes. It either increases or decreases the electric current to make electric current consistent.

26 Question To eliminate problems with incomplete transactions during a sudden power failure, Joe has decided that some form of temporary power supply is necessary to ensure a graceful shut down. The best option for Joe is: UPS Surge protector Alternate power generator Battery supply 1 – UPS: UPS system consists of a battery or gasoline powered generator that ensures wattages into the computer is consistent, so if a power failures happens the UPS system will provide electricity from the generator to the computer for a certain amount of time.

27 Auditors check for both Physical and Personnel Security too…
CISA Review Manual 2009

28 Workbook: Personnel Security Personnel Threats
Role Liability or Cost if threat occurs Divulging private info Employee FERPA violation = loss of federal funds Grant abuse Employee with grant Loss of funds from US granting agencies The next Workbook slides show the method used to develop personnel security

29 Security Awareness & Training
Training covers what is expected of employees Why is policy in place? How is policy enforced? Training may be implemented as: New employee orientation Company newsletters Determine effectiveness by interviewing employees CISA Review Manual 2009

30 Awareness Function: Types of Security Training
Create security-conscious workforce Employees, partners & vendors Newsletters, surveys, quizzes, video training, forums, posters Training: Necessary skills for a particular position HR, legal, middle or top mgmt, IT, programmers Workshops, conferences Education: High level skills High-skilled professions: audit, security admin/mgmt, Risk mgmt… Organized and gradual development: teaching & coaching Left column: level of security training Middle column: intended audience Right column: appropriate methods

31 Awareness Training Signed employment agreements, video, memos, s, posters, seminars and training classes A combination of parallel approaches Knowledge areas: Back-up work-related files Choosing passwords and avoiding exposure Avoiding and web viruses Recognizing social engineers Recognizing & reporting security incidents Securing electronic & paper media against theft & exposure Spotting malware that could lead to identity theft & desktop spying Metrics should be established to determine effectiveness of change in behavior and workforce attitude

32 Segregation of Duties Authorization Distribution Approves Acts on
No one person can deliver service and take money with the potential of stealing or falsifying sales. Consider a Movie Theater: Origination: The person who sells you the ticket Distribution: The person who lets you into the theater. Authorization: Ticket sales of a certain unusually large amount may require manager approval Verification: Was this done correctly? Authorization: Someone charges on VISA. VISA validates that yes, this VISA account is good. Acts on Double-checks Origination Verification CISA Review Manual 2009

33 Organizational Segregation of Duties
Audit Ensures procedures are professionally done Security/ Compliance Quality Control advises & monitors for security tests or ensures quality of S/W or production Development only delivers S/W to System Administration when QC has approved Compliance: tracks security issues, such as metrics or violations of procedures, and resolves security issues Business System/ Network Admin Development serves delivers S/W to advises

34 IT Segregation of Duties
User End User Data Entry Test Environment Quality Assurance Requirements/Design Systems Analyst Database Administrator Security Control Group Security Admin Production Environment Computer Operator System Administrator Network Administrator Help Desk Development Environment: Application programmer Systems programmer The full and partial walls indicate where functionality can, should not, or cannot overlap. Do note that development environment should not overlap with production environment: programmers should not become system administrators. In previous slide terms, Originators should not become Distributers. Security admin can do some system admin work, but there are advantages for these groups to have separate functions: since security serves to Authorize or Verify whereas system administration serves as Distribution. Quality Assurance serves to Authorize or Verify what Development Originates. This shown diagram is not as complete as the table in the CISA manual.

35 Segregation of Duties Controls
Transaction Authorization Custody of Assets Data owner’s responsibility is specific and documented Allocates authorization according to least-privilege and segregation of duties Security Administrator implements physical, system & application security Authorization forms User authorization tables: who can view/update/delete data at transaction or field level A Data Owner is a person who can give out accounts for a specific (database) service. They are usually a business manager. Security administrator is someone in IT or IT security. They have a high level of permissions on a computer.

36 Workbook: Personnel Security Personnel Controls
Threat Role Control Divulging private info Employee FERPA training: annual quiz review, new employee training Grant abuse Employee with grant Financial controls: employee and administrator and financial office check Here the role or position is ANY employee. Sometimes the role is more specific: e.g., Administrator. The above says that the controls consist of FERPA training for new employees, but also annual review (with quiz) thereafter. The second includes financial controls: For grant money, spending will be doublechecked via employee, administrator, and the financial office.

37 Workbook: Personnel Security Responsibility of Security to Roles
Registrar Establish FERPA training Data Owner: student scholastic and financial information Oversee FERPA adherence in Registration dept. Admin. Attend FERPA training Retain locked cabinets with student info Security Admin Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ... Security responsibility is allocated to IS/IT/security staff, but also to regular business staff. The admin above is the office administrator, who is responsible for the privacy of student paper records. The Registrar is the Data Owner for much of the student record information. She/he decides who should have access to which information.

38 Workbook: Personnel Security Requirements: Training, Documentation
Role Requirements: Training, Documentation Registrar FERPA experience in hiring. Training every 3-5 years at national conference or workshop Employee handling student data University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy

39 Personnel Issues Background checks can reduce fraud
More secure position=more checking required A standard or procedure may be useful Training & signed contracts Track and document theft Minor incidents could add up to a major pattern problem can be monitored for potential problem employees Assuming policy is in place and employees are aware Training here means training to perform job well, as well as security awareness. Signed contracts include security contracts. Theft should not be ignored. Little problems add up to big ones, or may encourage big ones. It is important to document all problems for legal purposes.

40 Employee Hiring Document security responsibilities
Screen candidates for sensitive positions Have signed agreements regarding Job responsibilities, conditions of employment Security responsibilities (incl. copyright) Confidentiality agreement Indicate corrective actions taken if security requirements not followed

41 New Employee Orientation
New employee signs Privacy Policy document: Has read and agreed to follow security policies Conform to laws and regulations Promise to not divulge logon IDs and passwords Create quality passwords Lock terminal when not present Report suspected violations of security Maintain good physical security (locked doors, private keys) Use IT resources only for authorized business purposes

42 Employee Termination Unless continued relationship expected:
Return equipment Revoke access Return all access keys, ID cards and budgets Notify all staff and security personnel Arrange final pay Perform termination interview CISA Review Manual 2009

43 Third Party Agreements
Define information security policy Define procedures to implement policy Deploy controls to protect against malicious software Publish restrictions on copying/distributing information Implement procedures to determine whether assets were compromised Ensure return or destruction of data at end of job The first and second parties are the people who have a contract. The third party is a contractor for the second party.

44 Summary of Personnel Controls
Segregation of Duties Mandatory vacations or job rotation Training and written policies and procedures Background checks Need to Know/Least Privilege Fraud reporting mechanism Transaction logs

45 Question Which of the following duties can be performed by one person in a well-controlled IS environment? Software Developer and System Administration Database administration and Data Entry System Administrator and Quality Assurance Quality Assurance and Software Developer 3 - System Administrator and Quality Assurance has the least conflict of interest, considering segregation of duties. This is a CISA-like question, but has been reformulated. Database admin creates the database, data entry is the operations aspect. So this is developer-operations, which is a segregation of duties conflict.

46 Question Which is MOST important for a successful security awareness program? Technical training for security administrators Aligning the training to organization requirements Training management for security awareness Using metrics to ensure that training is effective 2-Aligning the training to organization

47 Question To detect fraud, the BEST type of audit trail to log would be: User session logs Firewall incidents Operating system incidents Application transactions 4 - Fraud occurs most often by taking advantage of a vulnerability in an application. User session logs track when you logged in and logged out, possibly when you do certain commands – but not what you do in a database.

48 Vocabulary Blackout, brownout, sag, spike, surge, electromagnetic interference Surge protector, UPS, alternate power generator Fire suppression: charged, dry pipe, FM200, Argonite Deadman door, piggybacking Security awareness, security training, security education Segregation of duties

49 Health First Case Study
Jamie Ramon MD Doctor Chris Ramon RD Dietician Terry Licensed Practicing Nurse Pat Software Consultant Health First Case Study Designing Physical Security

50 Defining Room Classifications and Controls
Sensitivity Classification Description Special Treatment (Examples) Proprietary Room contains Propriety information storage. Room and all cabinets remained locked. Confidential Room contains Confidential information storage.  Workstation monitor has hood. Private Room contains computer with access to sensitive data or room contains controlled substances.  Room remains locked when not attended. No visitors are allowed in these areas unescorted Privileged Room contains computer with access to sensitive data but public has access when escorted. Public The public is free to spend time in this room, without escort. Criticality Classification Critical Room contains Critical computing resources, which cannot be performed manually. Vital Room contains Vital computing resources, which can be performed manually for a short time.

51 Physical Security Map Sensitivity Classification Color Key:
Green: Public Yellow: Privileged Orange: Private Red: Confidential

52 Workbook: Physical Security Allocation of Assets
Room Sensitive Assets or Information Room Controls Rm 123 Computer Lab: Computers, Printer Cable locking system Doors locked 9PM-8AM by security Rm 125 Classroom: Computer & projector Teachers have keys to door. Rm 132 Servers and critical/sensitive information Key-card entry logs personnel. Badges required.

53 Reference Slide # Slide Title Source of Information 4
Criticality Classification CISA: page 127 Exhibit 2.18 6 Security: Defense in Depth CISM: page 60, 61 Exhibit 1.16 7 Defense in Depth: Physical access controls with Guards CISM: page 61 Exhibit 1.16 9 Power Protection Systems CISA: page 381, 383 10 Computer Room Equipped with CISA: page 382 12 Fire Suppression Systems 13 Door Lock Systems CISA: page 385 14 Deadman Doors CISA: page 386 16 Mobile Computing CISA: page 386, 387 17 Device Security CISA: page 256, 256, 344 29 Security Awareness & Training CISA: page 321, 369 32 Segregation of Duties CISA: page 117, 118 35 Segregation of Duties Controls CISA: page 119, 120 40 Employee Hiring CISA: page 105 42 Employee Termination CISA: page 106

Download ppt "Physical & Personnel Security"

Similar presentations

Ads by Google