30 Jan Use the information found at Protecting Your System: Physical Security to research how determining possible physical threats may affect the choice of physical security
Use the information found at Protecting Your System: Physical Security to research how determining possible physical threats may affect the choice of physical security countermeasures while planning new or updated security systems. Summarize your findings.
Fully address the question(s) in this discussion; provide valid rationale or a citation for your choices; and respond to at least two other students’ views.
Initial post should be at least 350 words in length. Each reply post should be at least 150 words in length.
-
CHAPTER5week4diss.docx
|
CHAPTER 5 Protecting Your System: Physical Security |
|
|||||
|
|
|
|
|
|||
|
|
|
Introduction to Physical Security Most people think about locks, bars, alarms, and uniformed guards when they think about security. While these countermeasures are by no means the only precautions that need to be considered when trying to secure an information system, they are a perfectly logical place to begin. Physical security is a vital part of any security plan and is fundamental to all security efforts–without it, information security ( Chapter 6 ), software security ( Chapter 7 ), user access security ( Chapter 8 ), and network security ( Chapter 9 ) are considerably more difficult, if not impossible, to initiate. Physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. |
|
|||
|
|
|
|
|
|||
|
|
|
Q. How can I implement adequate site security when I am stuck in an old and decrepit facility? A. Securing your site is usually the result of a series of compromises– what you need versus what you can afford and implement. Ideally, old and unusable buildings are replaced by modern and more serviceable facilities, but that is not always the case in the real world. If you find yourself in this situation, use the risk assessment process described in Chapter 2 to identify your vulnerabilities and become aware of your preferred security solutions. Implement those solutions that you can, with the understanding that any steps you take make your system that much more secure than it had been. When it comes time to argue for new facilities, documenting those vulnerabilities that were not addressed earlier should contribute to your evidence of need. Q. Even if we wanted to implement these physical security guidelines, how would we go about doing so? A. Deciding which recommendations to adopt is the most important step. Your risk assessment results should arm you with the information required to make sound decisions. Your findings might even show that not every guideline is required to meet the specific needs of your site (and there will certainly be some variation based on need priorities). Once decided on, however, actually initiating a strategy is often as simple as raising staff awareness and insisting on adherence to regulations. Some strategies might require basic “‘handyman”‘ skills to install simple equipment (e.g., key locks, fire extinguishers, and surge protectors), while others definitely demand the services of consultants or contractors with special expertise (e.g., window bars, automatic fire equipment, and alarm systems). In any case, if the organization determines that it is necessary and feasible to implement a given security strategy, installing equipment should not require effort beyond routine procedures for completing internal work orders and hiring reputable contractors. |
|
|||
|
|
|
Q. What if my budget won’t allow for hiring full-time security guards? A. Hiring full-time guards is only one of many options for dealing with security monitoring activities. Part-time staff on watch during particularly critical periods is another. So are video cameras and the use of other staff (from managers to receptionists) who are trained to monitor security as a part of their duties. The point is that by brainstorming a range of possible countermeasure solutions you can come up with several effective ways to monitor your workplace. The key is that the function is being performed. How it is done is secondary–and completely up to the organization and its unique requirements. |
|
|||
|
|
|
|
|
|||
|
|
|
Physical security requires that building site(s) be safeguarded in a way that minimizes the risk of resource theft and destruction. To accomplish this, decision-makers must be concerned about building construction, room assignments, emergency procedures, regulations governing equipment placement and use, power supplies, product handling, and relationships with outside contractors and agencies. The physical plant must be satisfactorily secured to prevent those people who are not authorized to enter the site and use equipment from doing so. A building does not need to feel like a fort to be safe. Well-conceived plans to secure a building can be initiated without adding undue burden on your staff. After all, if they require access, they will receive it–as long as they were aware of, and abide by, the organization’s stated security policies and guidelines (see Chapter 3 ). The only way to ensure this is to demand that before any person is given access to your system, they have first signed and returned a valid Security Agreement. This necessary security policy is too important to permit exceptions. |
|
|||
|
|
|
|
|
|||
|
|
|
|
|
|||
|
|
|
Physical Security Countermeasures The following countermeasures address physical security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in the physical security of your system. |
|
|||
|
|
|
Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps even need to hire a reliable technical consultant. |
|
|||
|
|
|
Create a Secure Environment: Building and Room Construction: 17 · Don’t arouse unnecessary interest in your critical facilities: A secure room should have “low” visibility (e.g., there should not be signs in front of the building and scattered throughout the hallways announcing “expensive equipment and sensitive information this way”). |
|
|||
|
|
|
· Maximize structural protection: A secure room should have full height walls and fireproof ceilings. · Minimize external access (doors): A secure room should only have one or two doors–they should be solid, fireproof, lockable, and observable by assigned security staff. Doors to the secure room should never be propped open. · Minimize external access (windows): A secure room should not have excessively large windows. All windows should have locks. · Maintain locking devices responsibly: Locking doors and windows can be an effective security strategy as long as appropriate authorities maintain the keys and combinations responsibly. If there is a breach, each compromised lock should be changed. · Investigate options other than traditional keyhole locks for securing areas as is reasonable: Based on the findings from your risk assessment (see Chapter 2 ), consider alternative physical security strategies such as window bars, anti-theft cabling (i.e., an alarm sounds when any piece of equipment is disconnected from the system), magnetic key cards, and motion detectors. |
|
|||
|
|
|
Recognize that some countermeasures are ideals and may not be feasible if, for example, your organization is housed in an old building. · Be prepared for fire emergencies: In an ideal world, a secure room should be protected from fire by an automatic fire-fighting system. Note that water can damage electronic equipment, so carbon dioxide systems or halogen agents are recommended. If implemented, staff must be trained to use gas masks and other protective equipment. Manual fire fighting equipment (i.e., fire extinguishers) should also be readily available and staff should be properly trained in their use. · Maintain a reasonable climate within the room: A good rule of thumb is that if people are comfortable, then equipment is usually comfortable–but even if people have gone home for the night, room temperature and humidity cannot be allowed to reach extremes (i.e., it should be kept between 50 and 80 degrees Fahrenheit and 20 and 80 percent humidity). Note that it’s not freezing temperatures that damage disks, but the condensation that forms when they thaw out. · Be particularly careful with non-essential materials in a secure computer room: Technically, this guideline should read “no eating, drinking, or smoking near computers,” but it is quite probably impossible to convince staff to implement such a regulation. Other non-essential materials that can cause problems in a secure environment and, therefore, should be eliminated include curtains, reams of paper, and other flammables. |
|
|||
|
|
|
|
|
|||
|
|
|
· Keep critical systems separate from general systems: Prioritize equipment based on its criticality and its role in processing sensitive information (see Chapter 2 ). Store it in secured areas based on those priorities. · House computer equipment wisely: Equipment should not be able to be seen or reach |
