Chapter 7: Physical & Environmental Security

Objectives Define the concept of physical security and how it relates to information security Evaluate the security requirements of facilities, offices and equipment Understand why it is critical to identify, authenticate and authorize access to secure areas Understand the environmental risks posed to physical structures, areas within those structures and equipment

Objectives Cont. Enumerate the vulnerabilities related to reusing and disposing of equipment Develop policies designed to ensure the physical security of information, information systems and information processing and storage facilities

Designing Secure Areas All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection From what are we protecting information assets? Theft Malicious destruction Accidental damage Damage that results from natural disasters

Designing Secure Areas Cont. The physical perimeter can be protected using: Man traps Manned reception desk Card-reading locks Heavy doors Solid, fire-resistant exterior walls Floor-to-ceiling barriers Reference Table 7.1 Physical Security Perimeter Policy

Designing Secure Areas Cont. Physical entry controls: Access control rules should be designed for: Employees 3rd-party contractors / partners / vendors Visitors Visitors should be required to wear identification that can be evaluated from a distance, such as a badge Identification should start as soon as a person attempts to gain entry Reference Table 7.2 Physical Entry Controls Policy

Designing Secure Areas Cont. Physical entry controls: Authorized users should be authorized prior to gaining access to protected area Visitors should be identified, labeled and authorized prior to gaining access to protected area An audit trail should be created

Securing Offices, Rooms and Facilities The outer physical perimeter is not the only focus of the physical security policy Some internal rooms & offices must be protected differently Parts of individual rooms may also require different levels of protection, such as cabinets and closets Reference Table 7.3 Working in Secure Areas Policy

Working in Secure Areas Goal: define behavioral & physical controls for the most sensitive workspaces within information processing facilities Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them Policy should include devices not allowed on premises, such as cameras, PDAs, MP3 players

Securing Equipment Company-owned hardware assets must be protected from: Theft Power spikes Power loss Hardware assets include: Servers Network devices (routers, switches) Cabling Reference Table 7.5 Equipment Siting and Protection Policy

Securing Equipment Cont. This policy also includes maintenance of hardware assets Properly maintained hardware helps protect data & information system availability

Securing Equipment Cont. Potential power problems include: Brownout: period of low voltage Power surge: increase in voltage Blackout: interruption or loss of power Reference Table 7.6 Power Supply Policy

Securing Equipment Cont. Power equipment is used to: Condition power feeds for consistency Allow graceful shutdown of servers & network devices Provide power to critical devices during blackouts

Securing Equipment Cont. Power equipment that can be used: Uninterruptible Power Supply Generator Line conditioner Surge suppressor

Secure Disposal and Reuse of Equipment Formatting a hard drive does not mean that the data located on that drive cannot be retrieved All computers to be discarded must be sanitized prior to getting rid of them Policy should be crafted to disallow access to information through improper disposal or re-use of equipment Reference Table 7.7 Secure Disposal and Reuse of Equipment Policy

General Controls Objective: to prevent theft of information Clear desk and clear screen policy All information must be secured at the end of the work day, regardless of the medium the data is located on: Printed paper CD Rom Floppy disks Thumbdrive Reference Table 7.8 Clear Desk and Clean Screen Policy

General Controls Cont. Clear desk & screen policy (cont.) Shoulder surfing is a hacking activity which consists of looking over a computer user’s shoulder to gain access to information A successful policy will reinforce behavioral traits that help secure information, such as: Securing sensitive information in lockable cabinets The use of automatic, password-protect screen savers Copy and Fax machines should be locked Printed material should be picked up as soon as it is printed

Removing Company Property Keeping track of the physical location of all hardware assets is a daunting task A policy should be crafted that requires signature for all company-owned equipment to be removed from the company’s premises Logs should be maintained and reviewed on a regular basis Reference Table 7.9 Removal of Property Policy

Summary The physical perimeter of the company must be secured. Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed. Environment threats such as power loss must be taken into account and the proper hardware must be deployed. A clean screen and desk policy is important to protect the confidentiality of company-owned data.