1 / 53

IT Series: Physical and Environment Security for IT

IT Series: Physical and Environment Security for IT. Donald Hester March 29, 2011 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 661899. Housekeeping. Maximize your CCC Confer window. Phone audio will be in presenter-only mode.

hazina
Download Presentation

IT Series: Physical and Environment Security for IT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT Series:Physical and Environment Security for IT Donald Hester March 29, 2011 For audio call Toll Free 1-888-886-3951 and use PIN/code 661899

  2. Housekeeping • Maximize your CCC Confer window. • Phone audio will be in presenter-only mode. • Ask questions and make comments using the chat window.

  3. Adjusting Audio • If you’re listening on your computer, adjust your volume using the speaker slider. • If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.

  4. Saving Files & Open/close Captions • Save chat window with floppy disc icon • Open/close captioning window with CC icon

  5. Emoticons and Polling • Raise hand and Emoticons • Polling options

  6. Donald Hester IT Series:Physical and Environment Security for IT

  7. Introduction Topics Covered • Physical security of information systems • Environmental protection of information system (Not the green type) • Some life safety issues

  8. Threats • Heat (internal and external) • Water (leak, flood, weather) • Theft • Power (loss or spike) • Fire (smoke) • Natural disaster (earthquake, tornado etc..) • Man made disaster (chemical spill) • Loss of life

  9. Policy • Start at the top: • The organization understand the importance and will to commit need resources • Policy should: • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

  10. Granting Physical Access • Designate sensitive verses publicly accessible areas • List of authorized personnel • To access sensitive areas • Review the list regularly • To make sure you remove anyone who no longer needs access

  11. Restricted/Sensitive/Secure Areas • Selecting Internal areas that need more control • Determine what assets require extra security • Control access of customers (students) • Restrict computer access or LAN access from lobbies

  12. Physical Access Control • Enforce access authorizations • Verify access authorization before granting access • Control entry • Control publicly accessible areas in accordance with risk • Secure keys, combinations, passwords, PINs, and other physical devices

  13. Exterior Security

  14. Physical Access Control • Secure keys, combinations, passwords, PINs, and other physical devices • Key log (who has the keys) • Rekey (when a key is lost) • Recovery (get keys back) • Change combination (like password) • Important events • Someone is terminated or leaves • Lost or compromised

  15. Physical Access Control • Doors • No more than two doors • Locks, or electronic door locks • Strike-plates on doors • Tamper-resistant hinges on doors • Resistant to forcible entry • Fire rated doors and walls • Internal windows should be small and shatter or bullet proof

  16. Control Access to Cables • Control access to the cables used for communication • Ethernet • Telecom • Wiring closets • Spare jacks • Conduit or cable trays

  17. Output Device Access Control • What output devices need control? • Printers • Monitors • Audio devices • For example HR prints to a printer no one can simple walk by and pick up the print out (restricted area) • Same with finance and transcripts • Protect from theft

  18. Monitoring • Monitor physical access • CCTV especially in cash collection sites • Log access • Access control devices can log who gained access • Netbotz (example not an endorsement) • Detect and respond to incidents

  19. CCTV • Closed-circuit TV • Wired or wireless • Simplest camera connected to TV monitor • More complex can detect, recognize, or identify • Smart CCTV – facial recognition technology • Purpose to detect & deter also used in investigations

  20. CCTV uses • Security Applications • Safety Applications • Management Tool • Investigation Tool

  21. Visitor control • Contractors and employees access to restricted areas • Monitor visitor activity • Sign in • Check ID • Did you know they were coming? • Appointment only

  22. Access Records • Keep records • Review records • Records should include: • Name/organization of the person visiting • Signature of the visitor • Form(s) of identification • Date of access, time of entry and departure • Purpose of visit • name/organization of person visited

  23. Power • Concern is loss of power resulting in down time • Protect power equipment • Access control to sub panels • Fire code issues • Protect power cables • Redundant or parallel power cables

  24. Emergency Shutoff • Power switch to turn off all system • Life safety issue • Server rooms can be equipped with a switch that will turn off all equipment included those on battery backup • Place switch in a accessible location • Protect switch from accidental activation

  25. Emergency Power • Provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss • UPS for short time periods • What is your current UPS rated for? • Is that enough time for a orderly shutdown? • Have you check the battery life lately?

  26. Emergency Power • Provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source • Power generator • How important is uptime? • How reliable is the power grid?

  27. Emergency Lighting • Employ and maintains automatic emergency lighting • Life safety issue again • Typically lights are in common areas and not always in a server room • Typically handled by facilities personnel

  28. Fire Hazard • Fire suppression and detection devices/systems • Fire Prevention • Fire Detection • Fire Alarm • Fire Suppression • Fire Drills

  29. Fire Suppression • Fire suppression devices/systems • Should have an independent power source • Properly rated fire extinguisher • Sprinklers, dry pipe best • Should have automatic shut down of servers • Halon FM-200 (or FE-227), FE-13, FE-25, Novec-1230, inert gas systems like Argonite, Inergen or CO2 • Toxic fumes from burning plastic

  30. Fire Protection

  31. Temperature and Humidity Controls • Maintains temperature and humidity levels • Monitors temperature and humidity levels • Maintain a constant temperature be between 70-74F (21-23C) • Maintain a constant humidity between 45-60% • High humidity causes corrosion and low humidity causes static electricity.

  32. HVAC • Positive air pressure • Air flow out of the room • Limits dust getting in • Protected air vents • Possible entry point • Filtered air • Dust reduces heat transfer and can cause heat damage to circuits • Redundant HVAC systems

  33. Water Damage Protection • Protects the information system from damage resulting from water leakage • Master shutoff valves • Accessible • Working • Known by key personnel • Not just for the server room, wire closets • Positive flow water drains • Protect from the risk of flooding

  34. Delivery and Removal • Authorizes, monitors, and controls computer equipment entering or exiting the facility • Record of those items • Theft is the big issues here

  35. Alternate Work Site • Part of Business Continuity Planning • Consider physical and environment controls in alternate work site

  36. Locate Systems • Position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access • Where is the best place in your facility for a server room? • External issues? • Proximity of emergency services • Offsite hazards

  37. Location, Location, Location • Avoid the basement • Avoid the top floor • Avoid the first floor • Avoid be located near stairs, bathrooms, water pipes, elevators or EMI emissions • Avoid locating it on an external wall • Avoid external windows and doors

  38. Areas • Plenum space • Requires plenum cabling • Raised false floors • Access to & protect cabling • Drop ceilings can give access to server rooms • Walls should extend beyond any false or drop ceilings • Security Mesh to help stop break-ins through gypsum walls

  39. Site Security • Site Location (Site Survey) • Proximity to emergency services • Flood zones, types of natural events, e.g. earthquake, hurricane, tornado • Proximity to hazardous materials, e.g. next to a oil refinery, train tracks • Redundant roads or ways in to the area • Crime rates for the area

  40. Site Location

  41. Site Examples

  42. Other Site Issues • Crime Prevention Through Environmental Design (CPTED) • The building and facilities (campus) are designed in such a way as to limit or deter crime. • Parking lots & lighting • Perimeter lighting • Perimeter security • Landscaping • Barriers (bollards)

  43. Information Leakage • Tempest • Protect the information system from information leakage due to electromagnetic signals emanations

  44. Interference • Shielding from: • Electromagnetic interference (EMI) • Radio frequency interference (RFI) • Shielded cabling, room • Electrostatic discharge (ESD) • Anti-static flooring • Anti-static wrist strap

  45. Signage • For life safety • Clearly mark exits for life safety • Clearly mark locations of fire extinguishers • Clearly mark shutoff switches and valves • For theft • Signs create a psychological barrier • Asset tag equipment for possible recovery

  46. Alarm Systems • A Communication systems design to alert, warn or notify a receiver of an event or danger. • Made up of 3 parts, sensor (detector) that detects the condition, and alarm system circuit to transmit the information to an annunciator (signal, alarm) • Standards UL, ISO and IEEE

  47. Secure Disposal (End of Life Cycle) • Consider security before returning a failed hard drive • Data remanence • Software Data removers • Degauss • Shredding • Incinerators

  48. Dumpster Diving • Not illegal • Industrial espionage • Some consider it a hobby • Can find private, confidential information on paper or media or computers

  49. Copiers http://www.youtube.com/watch?v=iC38D5am7go

  50. Monitoring Tools • Netbotz • (now owned by APC) • IT WatchDogs • www.itwatchdogs.com • APC • www.apc.com • SynapSense • www.synapsense.com

More Related