1 / 19

Chapter 7: Physical & Environmental Security

Chapter 7: Physical & Environmental Security. Objectives. Define the concept of physical security and how it relates to information security Evaluate the security requirements of facilities, offices and equipment

wilona
Download Presentation

Chapter 7: Physical & Environmental Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7: Physical & Environmental Security

  2. Objectives • Define the concept of physical security and how it relates to information security • Evaluate the security requirements of facilities, offices and equipment • Understand why it is critical to identify, authenticate and authorize access to secure areas • Understand the environmental risks posed to physical structures, areas within those structures and equipment

  3. Objectives Cont. • Enumerate the vulnerabilities related to reusing and disposing of equipment • Develop policies designed to ensure the physical security of information, information systems and information processing and storage facilities

  4. Designing Secure Areas • All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection • From what are we protecting information assets? • Theft • Malicious destruction • Accidental damage • Damage that results from natural disasters

  5. Designing Secure Areas Cont. • The physical perimeter can be protected using: • Man traps • Manned reception desk • Card-reading locks • Heavy doors • Solid, fire-resistant exterior walls • Floor-to-ceiling barriers

  6. Designing Secure Areas Cont. • Physical entry controls: • Access control rules should be designed for: • Employees • 3rd-party contractors / partners / vendors • Visitors • Visitors should be required to wear identification that can be evaluated from a distance, such as a badge • Identification should start as soon as a person attempts to gain entry

  7. Designing Secure Areas Cont. • Physical entry controls: • Authorized users should be authorized prior to gaining access to protected area • Visitors should be identified, labeled and authorized prior to gaining access to protected area • An audit trail should be created

  8. Securing Offices, Rooms and Facilities • The outer physical perimeter is not the only focus of the physical security policy • Some internal rooms & offices must be protected differently • Parts of individual rooms may also require different levels of protection, such as cabinets and closets

  9. Working in Secure Areas • Goal: define behavioral & physical controls for the most sensitive workspaces within information processing facilities • Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them • Policy should include devices not allowed on premises, such as cameras, PDAs, MP3 players

  10. Securing Equipment • Company-owned hardware assets must be protected from: • Theft • Power spikes • Power loss • Hardware assets include: • Servers • Network devices (routers, switches) • Cabling

  11. Securing Equipment Cont. • This policy also includes maintenance of hardware assets • Properly maintained hardware helps protect data & information system availability

  12. Securing Equipment Cont. • Potential power problems include: • Brownout: period of low voltage • Power surge: increase in voltage • Blackout: interruption or loss of power

  13. Securing Equipment Cont. • Power equipment is used to: • Condition power feeds for consistency • Allow graceful shutdown of servers & network devices • Provide power to critical devices during blackouts

  14. Securing Equipment Cont. • Power equipment that can be used: • Uninterruptible Power Supply • Generator • Line conditioner • Surge suppressor

  15. Secure Disposal and Reuse of Equipment • Formatting a hard drive does not mean that the data located on that drive cannot be retrieved • All computers to be discarded must be sanitized prior to getting rid of them • Policy should be crafted to disallow access to information through improper disposal or re-use of equipment

  16. General Controls • Objective: to prevent theft of information • Clear desk and clear screen policy • All information must be secured at the end of the work day, regardless of the medium the data is located on: • Printed paper • CD Rom • Floppy disks • Thumbdrive

  17. General Controls Cont. • Clear desk & screen policy (cont.) • Shoulder surfing is a hacking activity which consists of looking over a computer user’s shoulder to gain access to information • A successful policy will reinforce behavioral traits that help secure information, such as: • Securing sensitive information in lockable cabinets • The use of automatic, password-protect screen savers • Copy and Fax machines should be locked • Printed material should be picked up as soon as it is printed

  18. Removing Company Property • Keeping track of the physical location of all hardware assets is a daunting task • A policy should be crafted that requires signature for all company-owned equipment to be removed from the company’s premises • Logs should be maintained and reviewed on a regular basis

  19. Summary • The physical perimeter of the company must be secured. • Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed. • Environment threats such as power loss must be taken into account and the proper hardware must be deployed. • A clean screen and desk policy is important to protect the confidentiality of company-owned data.

More Related