
1 Chapter 7: Physical & Environmental Security

2 Objectives
- Define the concept of physical security and how it relates to information security
- Evaluate the security requirements of facilities, offices and equipment
- Understand why it is critical to identify, authenticate and authorize access to secure areas
- Understand the environmental risks posed to physical structures, areas within those structures and equipment

3 Objectives Cont.
- Enumerate the vulnerabilities related to reusing and disposing of equipment
- Develop policies designed to ensure the physical security of information, information systems and information processing and storage facilities

4 Designing Secure Areas
- All controls implemented to physically protect information are dictated first by a thorough analysis of the company's risks and vulnerabilities, along with the value of the information that requires protection
- From what are we protecting information assets?
  - Theft
  - Malicious destruction
  - Accidental damage
  - Damage that results from natural disasters

5 Designing Secure Areas Cont.
- The physical perimeter can be protected using:
  - Man traps
  - Manned reception desk
  - Card-reading locks
  - Heavy doors
  - Solid, fire-resistant exterior walls
  - Floor-to-ceiling barriers

6 Designing Secure Areas Cont.
- Physical entry controls: access control rules should be designed for:
  - Employees
  - 3rd-party contractors / partners / vendors
  - Visitors
- Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
- Identification should start as soon as a person attempts to gain entry

7 Designing Secure Areas Cont.
- Physical entry controls:
  - Users should be authorized prior to gaining access to the protected area
  - Visitors should be identified, labeled and authorized prior to gaining access to the protected area
  - An audit trail should be created
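One way to make the audit trail from slides 6 and 7 useful in practice is to replay it against the authorization rules and flag entries that violate them. The following is an added example (not from the original deck); the badge ids, area name, sponsor table and log lines are all constructed for illustration.

```python
from datetime import datetime

# Constructed authorization data: which badges may enter which area, and
# which employee sponsors each registered visitor badge.
AUTHORIZED = {"server-room": {"E100", "E207"}}
VISITOR_SPONSORS = {"V9001": "E207"}

# Constructed badge-reader log lines: timestamp, badge id, area, action.
EVENTS = [
    "2024-03-04T08:58:10 E207 server-room ENTER",
    "2024-03-04T09:00:02 V9001 server-room ENTER",   # sponsor E207 present: ok
    "2024-03-04T09:31:45 E333 server-room ENTER",    # not on the authorized list
    "2024-03-04T09:40:00 E207 server-room EXIT",
    "2024-03-04T10:05:00 V9002 server-room ENTER",   # visitor never registered
]

def parse_event(line):
    ts, badge, area, action = line.split()
    return datetime.fromisoformat(ts), badge, area, action

def review_audit_trail(events, authorized, sponsors):
    """Replay the entry log and return (timestamp, badge, reason) findings.

    Rules checked: employee badges must be on the area's authorization list;
    visitor badges (prefix "V") must be registered with a sponsor, and the
    sponsor must already be inside the same area when the visitor enters.
    """
    present = {}            # area -> set of badges currently inside
    findings = []
    for line in events:
        ts, badge, area, action = parse_event(line)
        inside = present.setdefault(area, set())
        if action == "EXIT":
            inside.discard(badge)
            continue
        if badge.startswith("V"):
            sponsor = sponsors.get(badge)
            if sponsor is None:
                findings.append((ts, badge, "visitor not registered/authorized"))
            elif sponsor not in inside:
                findings.append((ts, badge, f"sponsor {sponsor} not present"))
        elif badge not in authorized.get(area, set()):
            findings.append((ts, badge, f"not authorized for {area}"))
        inside.add(badge)
    return findings

if __name__ == "__main__":
    for ts, badge, reason in review_audit_trail(EVENTS, AUTHORIZED, VISITOR_SPONSORS):
        print(f"{ts.isoformat()} {badge}: {reason}")
```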

8 Securing Offices, Rooms and Facilities
- The outer physical perimeter is not the only focus of the physical security policy
- Some internal rooms and offices must be protected differently
- Parts of individual rooms may also require different levels of protection, such as cabinets and closets

9 Working in Secure Areas
- Goal: define behavioral and physical controls for the most sensitive workspaces within information processing facilities
- Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them
- Policy should include devices not allowed on premises, such as cameras, PDAs, MP3 players

10 Securing Equipment
- Company-owned hardware assets must be protected from:
  - Theft
  - Power spikes
  - Power loss
- Hardware assets include:
  - Servers
  - Network devices (routers, switches)
  - Cabling

11 Securing Equipment Cont.
- This policy also includes maintenance of hardware assets
- Properly maintained hardware helps protect data and information system availability

12 Securing Equipment Cont.
- Potential power problems include:
  - Brownout: period of low voltage
  - Power surge: increase in voltage
  - Blackout: interruption or loss of power

13 Securing Equipment Cont.
- Power equipment is used to:
  - Condition power feeds for consistency
  - Allow graceful shutdown of servers and network devices
  - Provide power to critical devices during blackouts

14 Securing Equipment Cont.
- Power equipment that can be used:
  - Uninterruptible Power Supply (UPS)
  - Generator
  - Line conditioner
  - Surge suppressor

15 Secure Disposal and Reuse of Equipment
- Formatting a hard drive does not guarantee that the data on that drive cannot be retrieved
- All computers to be discarded must be sanitized prior to disposal
- Policy should be crafted to disallow access to information through improper disposal or reuse of equipment
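The first bullet above is easy to misread as theory, so here is an added illustration (not from the original deck) on a constructed toy disk image: a quick format clears only the directory region, a raw content search still finds the file data, and only overwriting the whole medium (sanitization) removes it. The block layout, file name and payload are invented for the example; it is a simplified model, not a real filesystem.

```python
import os

# Toy disk image (constructed): a 256-byte directory region holding
# "name:block" entries, followed by 512-byte data blocks.
DISK_SIZE = 4096
BLOCK = 512
DIR_REGION = 256

def make_disk(name, payload):
    """Create an image containing one file whose data sits in block 1."""
    disk = bytearray(DISK_SIZE)
    disk[0:DIR_REGION] = (name + b":1").ljust(DIR_REGION, b"\x00")
    disk[BLOCK:BLOCK + len(payload)] = payload
    return disk

def list_files(disk):
    """What an ordinary file listing shows: only names the directory still holds."""
    entries = bytes(disk[0:DIR_REGION]).rstrip(b"\x00")
    return [e.split(b":")[0] for e in entries.split(b"\n") if e]

def quick_format(disk):
    """Quick format / delete: wipes the directory region, leaves data blocks intact."""
    disk[0:DIR_REGION] = b"\x00" * DIR_REGION

def sanitize(disk):
    """Sanitization: overwrite every byte of the medium, directory and data alike."""
    disk[:] = os.urandom(len(disk))

def carve(disk, marker):
    """Raw content search over the whole image, ignoring the directory entirely.
    Returns the offset where the marker is found, or None."""
    idx = disk.find(marker)
    return None if idx < 0 else idx

if __name__ == "__main__":
    disk = make_disk(b"payroll.txt", b"CONFIDENTIAL: salary list Q1")
    quick_format(disk)
    print("listing after quick format:", list_files(disk))
    print("data found after quick format at offset:", carve(disk, b"CONFIDENTIAL"))
    sanitize(disk)
    print("data found after sanitize:", carve(disk, b"CONFIDENTIAL"))
```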

16 General Controls
- Objective: to prevent theft of information
- Clear desk and clear screen policy
- All information must be secured at the end of the work day, regardless of the medium the data is located on:
  - Printed paper
  - CD-ROM
  - Floppy disks
  - Thumb drive

17 General Controls Cont.
- Clear desk and screen policy (cont.)
- Shoulder surfing is a hacking activity which consists of looking over a computer user's shoulder to gain access to information
- A successful policy will reinforce behavioral traits that help secure information, such as:
  - Securing sensitive information in lockable cabinets
  - The use of automatic, password-protected screen savers
  - Copy and fax machines should be locked
  - Printed material should be picked up as soon as it is printed

18 Removing Company Property
- Keeping track of the physical location of all hardware assets is a daunting task
- A policy should be crafted that requires a signature for all company-owned equipment to be removed from the company's premises
- Logs should be maintained and reviewed on a regular basis

19 Summary
- The physical perimeter of the company must be secured.
- Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed.
- Environmental threats such as power loss must be taken into account and the proper hardware must be deployed.
- A clear screen and desk policy is important to protect the confidentiality of company-owned data.
