Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 7: Physical & Environmental Security

Similar presentations

Presentation on theme: "Chapter 7: Physical & Environmental Security"— Presentation transcript:

1 Chapter 7: Physical & Environmental Security

2 Objectives Define the concept of physical security and how it relates to information security Evaluate the security requirements of facilities, offices and equipment Understand why it is critical to identify, authenticate and authorize access to secure areas Understand the environmental risks posed to physical structures, areas within those structures and equipment

3 Objectives Cont. Enumerate the vulnerabilities related to reusing and disposing of equipment Develop policies designed to ensure the physical security of information, information systems and information processing and storage facilities

4 Designing Secure Areas
All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection From what are we protecting information assets? Theft Malicious destruction Accidental damage Damage that results from natural disasters

5 Designing Secure Areas Cont.
The physical perimeter can be protected using: Man traps Manned reception desk Card-reading locks Heavy doors Solid, fire-resistant exterior walls Floor-to-ceiling barriers Reference Table 7.1 Physical Security Perimeter Policy

6 Designing Secure Areas Cont.
Physical entry controls: Access control rules should be designed for: Employees 3rd-party contractors / partners / vendors Visitors Visitors should be required to wear identification that can be evaluated from a distance, such as a badge Identification should start as soon as a person attempts to gain entry Reference Table 7.2 Physical Entry Controls Policy

7 Designing Secure Areas Cont.
Physical entry controls: Authorized users should be authorized prior to gaining access to protected area Visitors should be identified, labeled and authorized prior to gaining access to protected area An audit trail should be created

8 Securing Offices, Rooms and Facilities
The outer physical perimeter is not the only focus of the physical security policy Some internal rooms & offices must be protected differently Parts of individual rooms may also require different levels of protection, such as cabinets and closets Reference Table 7.3 Working in Secure Areas Policy

9 Working in Secure Areas
Goal: define behavioral & physical controls for the most sensitive workspaces within information processing facilities Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them Policy should include devices not allowed on premises, such as cameras, PDAs, MP3 players

10 Securing Equipment Company-owned hardware assets must be protected from: Theft Power spikes Power loss Hardware assets include: Servers Network devices (routers, switches) Cabling Reference Table 7.5 Equipment Siting and Protection Policy

11 Securing Equipment Cont.
This policy also includes maintenance of hardware assets Properly maintained hardware helps protect data & information system availability

12 Securing Equipment Cont.
Potential power problems include: Brownout: period of low voltage Power surge: increase in voltage Blackout: interruption or loss of power Reference Table 7.6 Power Supply Policy

13 Securing Equipment Cont.
Power equipment is used to: Condition power feeds for consistency Allow graceful shutdown of servers & network devices Provide power to critical devices during blackouts

14 Securing Equipment Cont.
Power equipment that can be used: Uninterruptible Power Supply Generator Line conditioner Surge suppressor

15 Secure Disposal and Reuse of Equipment
Formatting a hard drive does not mean that the data located on that drive cannot be retrieved All computers to be discarded must be sanitized prior to getting rid of them Policy should be crafted to disallow access to information through improper disposal or re-use of equipment Reference Table 7.7 Secure Disposal and Reuse of Equipment Policy

16 General Controls Objective: to prevent theft of information
Clear desk and clear screen policy All information must be secured at the end of the work day, regardless of the medium the data is located on: Printed paper CD Rom Floppy disks Thumbdrive Reference Table 7.8 Clear Desk and Clean Screen Policy

17 General Controls Cont. Clear desk & screen policy (cont.)
Shoulder surfing is a hacking activity which consists of looking over a computer user’s shoulder to gain access to information A successful policy will reinforce behavioral traits that help secure information, such as: Securing sensitive information in lockable cabinets The use of automatic, password-protect screen savers Copy and Fax machines should be locked Printed material should be picked up as soon as it is printed

18 Removing Company Property
Keeping track of the physical location of all hardware assets is a daunting task A policy should be crafted that requires signature for all company-owned equipment to be removed from the company’s premises Logs should be maintained and reviewed on a regular basis Reference Table 7.9 Removal of Property Policy

19 Summary The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed. Environment threats such as power loss must be taken into account and the proper hardware must be deployed. A clean screen and desk policy is important to protect the confidentiality of company-owned data.

Download ppt "Chapter 7: Physical & Environmental Security"

Similar presentations

Ads by Google