Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Principles and Practices

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Principles and Practices"— Presentation transcript:

1 Information Security Principles and Practices
by Mark Merkow and Jim Breithaupt Chapter 8: Physical Security Control

2 © Pearson Education Information Security: Principles and Practices
Objectives Distinguish between logical and physical security, and explain the reasons for placing equal emphasis on both Recognize the importance of the Physical Security domain Outline the major categories of physical security threats © Pearson Education Information Security: Principles and Practices

3 © Pearson Education Information Security: Principles and Practices
Objectives cont. Classify the techniques to mitigate risks to an organization’s physical security Classify the five main categories of physical security controls Propose how smart cards can be used for physical access control The following objective has not been clearly addressed in this chapter; it will be addressed in more detail in Chapter 10. Categorize the different types of biometric access controls and determine their respective strengths and weaknesses © Pearson Education Information Security: Principles and Practices

4 © Pearson Education Information Security: Principles and Practices
Introduction In order to protect logical systems, the hardware running them must be physically secure Physical security deals with who has access to buildings, computer rooms, and the devices within them © Pearson Education Information Security: Principles and Practices

5 Understanding the Physical Security Domain
Four focus areas How to choose a secure site (location) and guarantee the correct design How to secure a site against unauthorized access How to protect equipment against theft How to protect the people and property within an installation © Pearson Education Information Security: Principles and Practices

6 Physical Security Threats
Weather: tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, and so forth Fire/chemical: explosions, toxic waste/gases, smoke, fire Earth movement: earthquakes, mudslides Structural failure: building collapse because of snow/ice or moving objects (cars, trucks, airplanes, and so forth) © Pearson Education Information Security: Principles and Practices

7 Physical Security Threats cont.
Energy: loss of power, radiation, magnetic wave interference, and so forth Biological: virus, bacteria, infestations of animals or insects. Human: strikes, sabotage, terrorism, and war © Pearson Education Information Security: Principles and Practices

8 Providing Physical Security
Five Areas of Physical Security educating personnel administrative controls, such as site selection physical controls, such as keys and locks, fencing, lighting, and guards technical controls, such as smart cards, audit trails, intrusion detection systems, and biometrics environmental/life-safety control © Pearson Education Information Security: Principles and Practices

9 © Pearson Education Information Security: Principles and Practices
Educating Personnel An educated staff is the best weapon a company can have against illegitimate and accidental acts by others Being mindful of physical and environmental considerations required to protect the computer systems Adhering to emergency and disaster plans Monitoring the unauthorized use of equipment and services Recognizing the security objectives of the organization Accepting individual responsibilities associated with their own security as well as the equipment they use © Pearson Education Information Security: Principles and Practices

10 Administrative Access Controls
Restricting Work Areas Escort Requirements and Visitor Control Site Selection Visibility Locale considerations Natural disasters Transportation A physical security plan should first identify the access rights to the site (e.g., campus) in general and then the various access rights required by each location (building) within the site. Visitors typically must have a clear purpose for their visit and a confirmed contact within the site such as an employee or another individual with the appropriate clearance. Site designers and planners must make at least the following considerations: Visibility: How conspicuous will the facility be at a particular site? Locale considerations: The wise prospective homeowner should always inspect the neighborhood before purchasing a new house. Natural disasters: Site planners can minimize risk by examining local weather patterns, the history of weather-related disasters, and determining their risk tolerance. Transportation: A good transportation system is important not only for the delivery of goods and services but also for emergency evacuation procedures as part of a disaster recovery plan. © Pearson Education Information Security: Principles and Practices

11 Physical Security Controls
Perimeter Security Controls Controls on the perimeter of the data center are designed to prevent unauthorized access to the facility Badging The photo identification badge is a perimeter security control mechanism that not only authenticates an individual but also continues to identify the individual while inside the facility Keys and Combination Locks Keys and combination locks are the least complicated and least expensive devices © Pearson Education Information Security: Principles and Practices

12 Physical Security Controls
Security Dogs Dogs are a highly effective and threatening perimeter security control when handled properly and humanely Lighting Lighting is another form of perimeter protection that discourages intruders or other unauthorized individuals from entering restricted areas © Pearson Education Information Security: Principles and Practices

13 © Pearson Education Information Security: Principles and Practices
Technical Controls The more prominent technical controls include smart/dumb cards audit trails/access logs intrusion detection biometric access controls © Pearson Education Information Security: Principles and Practices

14 Technical Controls cont.
Smart Cards The smart card has many purposes Storing value for consumer purchases Medical identification Travel ticketing and identification Building access control The smart card can facilitate file encryption and digital signature The use of smart cards in conjunction with biometrics authentication can be extremely effective © Pearson Education Information Security: Principles and Practices

15 Technical Controls cont.
© Pearson Education Information Security: Principles and Practices

16 Technical Controls cont.
Audit Trails/Access Logs Should contain The user ID or name of the individual who performed the transaction Where the transaction was performed The time and date of the transaction A description of the transaction—what function did the user perform, and on what The retention period of the audit logs, recovery time, and the integrity of the data must also be considered and the logging system designed appropriately. © Pearson Education Information Security: Principles and Practices

17 Technical Controls cont.
Intrusion Detection Perimeter intrusion detectors These devices are based on dry contact switches or photoelectric sensors. An alarm is set off when the switches are disturbed or the beam of light is broken Motion detectors These devices detect unusual movements within a well-defined interior space, including wave pattern detectors that detect changes to light-wave patterns audio detectors that passively receive un-usual sound waves and set off an alarm © Pearson Education Information Security: Principles and Practices

18 Technical Controls cont.
Biometrics Biometrics authentication uses physiological or behavioral characteristics such as the human face, eyes, voice, fingerprints, hands, signature, and even body temperature Biometric is data stored and used for the authentication procedure © Pearson Education Information Security: Principles and Practices

19 Environmental/Life-Safety Controls
The three most critical areas are power (electrical, diesel) fire detection and suppression heating, ventilation, and air conditioning (HVAC) © Pearson Education Information Security: Principles and Practices

20 © Pearson Education Information Security: Principles and Practices
Summary Physical security is often underemphasized by security experts when discussing strategies for protecting critical resources Physical security domain includes traditional safeguards against intentional and unintentional threats Physical security addresses the following areas educating personnel administrative controls physical controls technical controls environmental/life-safety controls © Pearson Education Information Security: Principles and Practices

Download ppt "Information Security Principles and Practices"

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
INTRODUCTION TO INFORMATION SECURITY MANAGEMENT Information Security Management (INFS 5055) & Information Security Management (INFS 3070) Study Period.

INTRODUCTION TO INFORMATION SECURITY MANAGEMENT Information Security Management (INFS 5055) & Information Security Management (INFS 3070) Study Period.
Computer Security Computer Security is defined as:

Computer Security Computer Security is defined as:
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Copyright 2004 Foreman Architects Engineers School Security From Common Sense to High Tech.

Copyright 2004 Foreman Architects Engineers School Security From Common Sense to High Tech.
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Chapter 5 Enhancing Security Through Physical Controls

Chapter 5 Enhancing Security Through Physical Controls
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Copyright © Center for Systems Security and Information Assurance Lesson Seven Physical Security.

Copyright © Center for Systems Security and Information Assurance Lesson Seven Physical Security.
Stephen S. Yau CSE 465 & CSE591, Fall 2006 1 Physical Security for Information Systems.

Stephen S. Yau CSE 465 & CSE591, Fall Physical Security for Information Systems.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Information Systems Security Physical Security Domain #4.

Information Systems Security Physical Security Domain #4.
Physical Security Chapter 9.

Physical Security Chapter 9.
Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.

Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.
Security Devices A modern security system, with its array of electronic components, is designed to sense, decide, and act. The security system senses events.

Security Devices A modern security system, with its array of electronic components, is designed to sense, decide, and act. The security system senses events.
Chapter 8: Disaster Management

Chapter 8: Disaster Management

Similar presentations

Ads by Google