Domain 4: Physical (Environmental) Security - PowerPoint PPT Presentation

1 / 98
About This Presentation

Domain 4: Physical (Environmental) Security


... Zoom Pan & Tilt Transmission Media Coax Cable Fiber Cable Wireless Monitor CCTV Added Components Camera Tube Pan and Tilt Units Panning Device Mountings ... – PowerPoint PPT presentation

Number of Views:419
Avg rating:3.0/5.0
Slides: 99
Provided by: ErnieH1


Transcript and Presenter's Notes

Title: Domain 4: Physical (Environmental) Security

Domain 4Physical (Environmental) Security
  • CISSP Study Group
  • April 15, 2007

  • Official (ISC) Guide to the CISSP CBK
  • US Army Field Manual 3-19.30, Physical Security
  • CISSP Prep Guide Krutz Vines
  • Fighting Computer Crime Parker
  • CISSP Certification Shon Harris
  • CISSP for Dummies (Rev 0) Miller Gregory
  • Physical Security for Mission-Critical
    Facilities and Data Centers, by Gerald Bowman,
    Information Security Management Handbook, 5th
    Edition, Vol 3
  • Mike Meyers Passport Security
  • Uptime Institute
  • Status Of Industry Efforts To Replace Halon Fire
    Extinguishing Agents, Robert T. Wickham,

  • Many CISSP candidates underestimate the physical
    security domain. As a result, exam scores are
    often the lowest in this domain.
  • CISSP For Dummies
  • Page 301

  • Upon completion of this discussion, you should be
    able to
  • Describe the threats, vulnerabilities, and
    countermeasures related to physically protecting
    the enterprises sensitive information assets
  • Identify the risk to facilities, data, media,
    equipment, support systems, and supplies as they
    relate to physical security.

5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

Risks to CIA
  • Interruptions in providing computer services
  • Physical Damage Availability
  • Unauthorized Disclosure of Information
  • Loss of Control Over Information Integrity
  • Physical Theft Confidentiality, Integrity, and

Definition Physical Security
  • The physical measures and their associated
    procedures to safeguard and protect against
  • Damage
  • Loss
  • Theft

Required Physical Controls
  • Perimeter and Building Grounds
  • Building Entry Points
  • Inside the Building Building Floors / Offices
  • Data Centers or Server Room Security
  • Computer Equipment Protection
  • Object Protection

5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

Definition Threat
  • Any indication, circumstance or event with the
    potential to cause
  • Loss of or Damage to an Asset
  • Personal Injury
  • Loss of Live

Threat Types
  • Natural / Environmental
  • Earthquakes, floods, storms, hurricanes, fires,
    smoke, snow, ice
  • Consequence of Natural Phenomenon
  • Pandemic Flu
  • Normally not preventable
  • Human Made / Political Events
  • Explosions, vandalism, theft, terrorist attacks,
  • Result of a state of mind, attitude, weakness or
    character trait
  • Acts of commission or omission
  • Overt or covert
  • Disrupt or destroy

Examples of Threats
  • Emergencies
  • Fire and Smoke Contaminants
  • Building Collapse or Explosion
  • Utility Loss (Power, AC, Heat)
  • Water Damage (Broken Pipes)
  • Toxic Materials Release

Examples of Threats (2)
  • Natural Disasters
  • Earth Movement (Earthquakes or Mudslides)
  • Storm Damage (Snow, Ice, Floods, Hurricanes)
  • Human Intervention
  • Sabotage
  • Vandalism
  • War
  • Strikes

Examples of Physical Loss
  • Seven Major Sources of Physical Loss
  • Temperature Extreme Variations in Heat and Cold
  • Gasses Sarin, Nerve Gas, PCP from Transformers,
    Cleaning Fluids, Smog, Fuel Vapors, Paper
    Particles from Printers
  • Liquids Water and Chemicals (flood, plumbing
    failures, spilled drinks, fuel leaks, computer
    printer fluids)
  • Organisms Viruses, Bacteria, People, Animals
    and Insects, Molds, Mildews, Cobwebs

Ref Fighting Computer Crime Donn B. Parker
Wiley 1998
Examples of Physical Loss
  • Seven Major Sources of Physical Loss (2)
  • Projectiles Tangible Objects in Motion (Cars,
    Trucks, Falling Objects, Meteorites, Bullets,
  • Movement Collapse, Shearing, Shaking,
    Vibration, Liquefaction, Flows, Waves,
    Separations and Slides (Lava Flows, Earthquakes,
    Adhesive Failures, Dropping or Shaking Equipment)
  • Energy Anomalies Electrical Surges or Failures,
    Magnetism, Static Electricity, Radiation, Sound,
    Light, Radio and Magnetic Waves

Site Location
  • Security Should include WHERE the building is and
    HOW it should be built
  • Choosing a Secure Site
  • Visibility Usually low visibility is the rule
    to follow. What types of neighbors and markings
    on the building?
  • Local Considerations Near hazardous waste dump?
    In flood control plain? Local crime rate,
    riots, strike-prone area?
  • Natural Disasters Weather-related problems,
    tornados, flooding, heavy snow, earthquake zone

Site Location (2)
  • Choosing a Secure Site
  • Transportation Excessive highway, air or road
    traffic in area, failed bridges will cause
    building access problems?
  • Joint Tenancy Are access to HVAC and
    environmental controls shared in building?
  • Adjacent Buildings
  • External Services Proximity to local Fire,
    Police, Hospital/Medical Facilities?

Key Concept Layered Defense Model
Key Concept Layered Defense Model
Ref http//
Designing a Secure Site
  • All walls MUST have an acceptable Fire Rating.
  • Be Floor to Ceiling
  • Any Closets or Rooms that Store Media must also
    have Fire Rating
  • Be aware if they are WEIGHT BEARING and their
    Fire Rating

Designing a Secure Site (2)
  • Slab or Raised?
  • SLAB
  • If concrete then concerns are Weight Bearing (aka
    Loading) Usually 150 pounds per square foot.
  • Concerned with Fire Rating, Electrical
    Conductivity (Grounding against static
  • Must employ non-conducting surface material in
    data center

Designing a Secure Site (3)
  • Must resist Forced Entry
  • Solid or Hollow
  • Hinges Hidden, Internal or Fixed
  • Fire Rating Equal to Walls
  • Emergency Exits Must Be Clearly Marked,
    Monitored, or Alarmed
  • Electrical Doors on Emergency Exits Should Revert
    to Disabled State if Power Outage Occurs For Safe
  • TIP!! Personnel Safety ALWAYS Takes Precedence!
    Doors Can Be Guarded During an Emergency

Designing a Secure Site (4)
  • Location and Type of Suppression System Must
    Always Be Known
  • Know Where the Shut Off Valves Are
  • Water, Steam and Gas Lines Should Have POSITIVE
  • i.e., Flow Outward and Away from Building

Designing a Secure Site (5)
  • AC Units Should Have Dedicated Power Circuits
  • Know Where the Emergency Power Off (EPO) Switch
    is Located
  • Provide Outward, Positive Air Pressure to
  • Protected Intake Vents to Prevent Inflow of
    Potential Toxins Into a Facility

Designing a Secure Site (6)
  • Located to Prevent Viewing Monitors or Desks
  • Standard Plate Glass (Brittle, Breaks Easily)
  • Tempered Glass (Stronger, Breaks into Small
  • Acrylic Materials
  • Polycarbonate Windows
  • Glass and Polycarbonate Combinations Combine Best
    of Glass and Acrylics
  • Wire Mesh Layers
  • Lexan (General Electric)
  • Bomb Blast Film (Prevent Viewing In and Reinforce
  • Bullet Resistant Windows
  • Glass Breakage Sensors
  • Usually Not Accepted in Data Center
  • If Installed, Should Be Translucent and
  • Frames Secured to Walls, Windows Can Be Locked,
    Glass Cant be Removed

Procedural Controls
  • Guard Post / Dogs
  • Checking and Escorting Visitors on Site
  • Managing Deliveries to the Site
  • Building-Specific

Facility Security Management
  • Administrative Security Controls NOT Related to
    Initial Planning Process
  • Audit Trails or Access Logs
  • Vital to Know Where Attempts to Enter Existed and
    Who Attempted Them
  • Emergency Procedures
  • Should be Clearly Documented and Readily
  • Copies Stored Offsite in the Event of a Disaster
  • Updated Periodically

Audit Trails
  • These are known as DETECTIVE rather than
  • Date and Time of Access Attempt
  • Whether the Attempt was Successful or Not
  • Where the Access was Granted (i.e., which door)
  • Who Attempted the Access
  • Who Modified the Access Privileges at the
    Supervisor Level
  • Can Send Alarms or Alerts if Required

Emergency Procedures
  • Should Include the Following
  • Emergency System Shutdown Procedures
  • Evacuation Procedures
  • Employee Training, Awareness Programs, and
    Periodic Drills
  • Periodic Equipment and Systems Tests

Administrative Personnel Controls
  • Pre-Employment Screening
  • Employment, References and Educational History
  • Background Investigation and/or Credit Rating
    Checks for Sensitive Positions
  • On-Going Employee Checks
  • Security Clearances
  • Ongoing Employee Ratings or Reviews by
  • Post-Employment Procedures
  • Exit Interview, Removal of Network Access, Return
    of Computers, etc.

Environmental and Life Safety Controls
  • Three Areas of Environmental Control
  • Electrical Power
  • Fire Detection and Suppression
  • Heating, Ventilation and Air Conditioning (HVAC)

Electrical Power
  • Disruptions in Electrical Power Can Have a
    Serious Business Impact
  • Goals
  • Clean and Steady Power
  • Excellent Power Quality
  • Design Considerations
  • Dedicated Feeders
  • Alternate Power Source
  • Access Controls
  • Secure Breaker and Transformer Rooms

Electrical Power Threat Elements
  • Electromagnetic Interference (EMI)
  • Radio Frequency Interference (RFI)
  • Brownout, Blackout, Fault, etc.
  • Affected by Low Humidity

Electrical Noise
  • Def Random Disturbance Interfering With Devices
  • Electromagnetic Interference (EMI)
  • Caused by Motors, Lightning, etc.
  • Spark Noise
  • Radio Frequency Interference (RFI)
  • Caused by Components of Electrical System
  • Caused by Electrical Cables, Fluorescent
    Lighting, Truck Ignitions, etc.
  • Can Cause Permanent Damage to Sensitive
    Components in a System

Electrical Noise (2)
  • Common Types of EMI
  • Common Mode Noise Noise from Radiation
    Generated by the Difference Between the Hot and
    Ground Wires
  • Traverse Mode Noise Noise from Radiation
    Generated by the Difference Between the Hot and
    Neutral Wires

Protective Measures for NOISE
  • Proper Line Conditioning
  • Proper Grounding of the System to Earth
  • Cable Shielding
  • Limited Exposure to Magnets, Electrical Motors,
    Space Heaters and Fluorescent Lights

Electrical Anomalies
Electrical Event Definition
Blackout Total loss of power
Fault Momentary loss of power
Brownout Prolonged drop in voltage (up to 10)
Sag Short drop in voltage
Inrush Initial power rush
Spike Momentary rush of power, Momentary high voltage
Surge Prolonged rush of power, prolonged high voltage
Mnemonic Bob Frequently Buys Shoes in Shoe
Electrical Anomalies (2)
  • Transients
  • Line Noise that is Superimposed On the Supply
    Circuit Can Cause Fluctuation in Power
  • Inrush Current
  • The Initial Surge of Current Required When There
    is an Increase in Power Demand (e.g., starting a
    large motor)

Electrostatic Discharge (ESD)
  • Power Surge Generated by a Person or Device
    Contacting Another Device and Transferring a High
    Voltage Shock
  • Affected by Low Humidity

Now, About Humidity
  • Ideal Humidity Range 40 to 60
  • High Humidity gt 60
  • Causes Problems with Condensation on Computer
  • Cause Corrosion of Electrical Connections sort
    of like Electroplating and Impedes Electrical
  • Low Humidity lt 40
  • Can Cause Increase in Electrostatic Discharge
  • Up to 4000 Volts Under Normal Humidity
  • Up to 25,000 Volts Under Very Low Humidity

Static Charge and Damage
Static Charge in Volts Will Damage
40 Sensitive Circuits and Transistors
1,000 Scramble Monitor Display
1,500 Disk Drive Data Loss
2,000 System Shutdown
4,000 Printer Jam
17,000 Permanent Chip Damage
Precautions for Static Electricity
  • Use Anti-Static Sprays Where Possible
  • Operations or Computer Centers Should Have
    Anti-Static Flooring
  • Zinc Whiskers Problem
  • Building and Computer Rooms Should be Grounded
  • Anti-Static Table or Floor Mats
  • HVAC Should Maintain Proper Level of Humidity in
    Computer Rooms

Electrical Support Systems
  • Surge Suppressors
  • Uninterruptible Power Supplies
  • Only for Duration Needed to Safely Shutdown
  • Emergency Shutoff (EPO Switch)
  • Have Monitored by Camera
  • Alternate Power Supply
  • Generator, Fuel Cell, etc.

  1. Fire Prevention
  2. Fire Detection
  3. Fire Suppression

Fire Triangle
A FIRE Needs These Three Elements to Burn
Fire Fighting Removes One of These Three Elements
OR By Temporarily Breaking Up the
Chemical Reaction
Types of Fires
Class Description (Fuel)
A Common combustibles such as paper, wood, furniture, clothing
B Burnable fuels such as gasoline or oil
C Electrical fires such as computers and electronics
D Special fires, such as chemical, metal
K Commercial Kitchens
Fire Prevention
  • Use Fire Resistant Materials for Walls, Doors,
    Furnishings, etc.
  • Reduce the Amount of Combustible Papers Around
    Electrical Equipment
  • Provide Fire Prevention Training to Employees
  • REMEMBER Life Safety is the Most Important
  • Conduct Fire Drills on All Shifts So that
    Personnel Know How to Exit A Building

Fire Detection
  • Ionization-type Smoke Detectors
  • Detect Charged Particles in Smoke
  • Optical (Photoelectric) Detectors
  • React to Light Blockage Caused by Smoke
  • Fixed or Rate-of-Rise Temperature Sensors
  • Heat Detectors That React to the Heat of a Fire
  • Fixed Sensors Have Lower False Positives
  • Flame Actuated
  • Senses Infrared Energy of Flame or Pulsating of
    the Flame
  • Very FAST Response Time, Expensive

Fire Detection (2)
  • Automatic Dial-Up Fire Alarm
  • System Dials the Local Fire or Police Department
    and Plays a Prerecorded Message When a Fire is
  • Usually Used in Conjunction with One of the Other
    Type of Fire Detectors
  • This Type of System Can Be Easily/Intentionally
  • Combinations are Usually Used for The Best
    Effectiveness in Detecting a Fire

Fire Classes and Suppression/Extinguishing Methods
Class Description (Fuel) Extinguishing Method
A Common combustibles such as paper, wood, furniture, clothing Water, Foam
B Burnable fuels such as gasoline or oil Inert Gas, CO2
C Electrical fires such as computers and electronics Inert Gas, CO2(Note Most important step Turn off electricity first!)
D Special fires, such as chemical, metal Dry Powder (May require total immersion or other special techniques)
K Commercial Kitchens Wet Chemicals
Fire Suppression
  • Carbon Dioxide (CO2), Foam, Inert Gas and Dry
    Power Extinguishers DISPLACE Oxygen to Suppress a
  • CO2 Is a Risk to Humans (Because of Oxygen
  • Water Suppresses the Temperature Required to
    Sustain a Fire

Fire Suppression - Halon
  • Halon Banned for New Systems Under 1987 Montreal
    Protocol on Substances that Deplete the Ozone
  • Began Implementation of Ban in 1992
  • Any New Installations of Fire Suppression systems
    Must Use Alternate Options
  • EU Requires Removal of Halon for Most
  • Halon Replacements
  • FM200,

Halon Replacements
Ref http//
Fire Suppression - Water
  • Wet Pipe
  • Always Contains Water
  • Most Popular and Reliable
  • 165 Fuse Melts
  • Can Freeze in Winter
  • Pipe Breaks Can Cause Floods
  • Dry Pipe
  • No Water in Pipe
  • Preferred for Computer Installations
  • Water Held Back by Clapper
  • Air Blows Out of Pipe, Water Flows

Wet Pipe Dry Pipe
Fire Suppression Water (2)
  • Deluge
  • Type of Dry Pipe
  • Water Discharge is Large
  • Not Recommended for Computer Installations
  • Preaction
  • Most Recommended for Computer Room
  • Combines Both Dry and Wet Pipes
  • Water Released into Pipe First Then After Fuse
    Melts in Nozzle the Water is Dispersed

Fire Contamination Damage
  • Smoke
  • Heat
  • Water
  • Suppression Medium Contamination

Heating Ventilation Air Conditioning (HVAC)
  • Usually the Focal Point for Environmental
  • You Need to Know Who is Responsible for HVAC in
    Your Building
  • Clear Escalation Steps Need to Be Defined Well in
    Advance of an Environmental-Threatening Incident

HVAC Issues
  • Are Computerized Components Involved?
  • Does It Maintain Appropriate Temperature and
    Humidity Levels? Air Quality?
  • Ideal Temperature 70 to 74 F
  • Ideal Humidity 40 to 60
  • Maintenance Procedures Should Be Documented
  • Preventive Maintenance Performed and Documented

5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

Elements of Physical Security
  • Badges
  • Restricted Areas
  • Lights
  • Dogs
  • CCTV
  • Locks
  • Access Control
  • Barriers
  • Security Forces
  • Fences
  • Intrusion Detection Systems

Functions of Physical Security
  1. Deter
  2. Delay
  3. Detect
  4. Assess
  5. Respond

Layered Defense
  • Security Breach Alarms
  • On-Premises Security Officers
  • Server Ops Monitoring
  • Early Warning Smoke Detectors
  • Redundant HVAC Equipment
  • UPS and Backup Generators
  • Seismically Braced Server Racks
  • Biometric Access Exit Sensors
  • Continuous Video Surveillance
  • Electronic Motion Sensors

Perimeter Protection
  • Perimeter Security Controls are the First Line of
  • Protective Barriers Natural or Structural
  • Natural Barriers
  • Terrains That are Difficult to Cross
  • Landscaping (Shrubs, Trees, Spiny Shrubs)
  • Structural Barriers
  • Fences, Gates, Bollards, Facility Walls

  • Know These Fencing Heights
  • 3 ft 4 ft High Deters Casual Trespassers
  • 6 ft 8 ft High Too Hard to Climb Easily
  • 8 ft High with 3 Strands of Barbed Wire Deters
  • 3 Types of Fencing
  • Chain Link
  • Barbed Wire
  • Barbed Tape or Concertina Wire

Fences (2)
  • Chain Link
  • 6 Feet Tall (Excluding Top Guard)
  • 8 Feet Tall (with Top Guard)
  • 2 inch Openings or Less
  • Reach within 2 Inches of Ground or On Soft Ground
    It Is Below the Surface
  • Be Sure Vegetation or Adjacent Structures Do Not
    Bridge Over the Fence

Gates, Bollards, Barriers
Intrusion Detection Surveillance
  • Perimeter Intrusion Detection Systems
  • Sensors That Detect Access Into the Area
  • Photoelectric (Usu. Infrared Light)
  • Ultrasonic
  • Microwave
  • Passive Infrared (PIR)
  • Pressure Sensitive (Dry Contact Switch)
  • Surveillance Devices
  • Closed-Circuit Television (CCTV)

Motion Detectors
  • 3 Categories
  • Wave Pattern Generates a Frequency Wave
    Pattern. If Pattern is Disturbed as it is
    Reflected Back to its Receiver (low, ultrasonic
    or microwave range)
  • Capacitance Monitor an Electrical Field Around
    an Object. If Field is Disturbed the Alarm is
    Triggered. Used for Spot Protection.
  • Audio Detectors Monitor for any Abnormal Sound
    Wave Generation. (Lots of False Alarms)

Intrusion Detection Systems
  • Can Be Installed On
  • Windows, Doors, Ceilings, Walls
  • Any Other Entry Points Such as HVAC, Roof Access
    Openings, Ducts, etc.
  • They Detect Change In
  • Electrical Circuits, Light Beams
  • Sounds, Vibrations, Motion
  • Capacitance Due to Penetration of An
    Electrostatic Field
  • Biometrics

  • Def A Television Transmission System That Uses
    Cameras to Transmit Pictures To Connected
  • CCTV Levels
  • Detection The Ability to Detect the Presence of
    an Object
  • Recognition The Ability to Determine the Type
    of Object (animal, blowing debris, crawling
  • Identification The Ability to Determine the
    Object Details (person, large rabbit, small deer,
  • Remember Monitoring Live Events is Preventive
    and Recording of Events is Detective

CCTV Components
  • Camera
  • Fixed, Zoom
  • Pan Tilt
  • Transmission Media
  • Coax Cable
  • Fiber Cable
  • Wireless
  • Monitor

CCTV Added Components
  • Camera Tube
  • Pan and Tilt Units
  • Panning Device
  • Mountings
  • Switchers/Multiplexers
  • Remote Camera Controls
  • Infrared Illuminators
  • Time/Date Generators
  • Videotape or Digital Recorders
  • Motion Detectors
  • Computer Controls
  • Video Loss Detectors

CCTV Deployment Features
  • Cameras High Enough to Avoid Physical Attack
  • Cameras Distributed to Exclude Blind Areas
  • Appropriate Lenses
  • Pan, Tilt, Zoom (PTZ) as Required
  • Ability to be Recorded
  • Camera System Tied to Alarm System
  • Number and Quality of Video Frames Increased
    During Alarm Event
  • Regular Service of Moving Parts
  • Cleaning Lenses
  • Human Intervention

CCTV Application Guidelines
  • Understand the Facilitys Total Surveillance
  • Determine the Size of the Area to be Monitored
  • Depth, Height, and Width
  • Ensures Proper Camera Lens Specifications
  • Lighting is Important Different Lamps and
    Lighting Provide Various Levels of Effectiveness
  • Contrast Between the Object and Background
  • For Outdoor Use, the US Army Specifies the
    Automatically Adjusted Iris Feature

CCTV Design Guidelines
  • System Familiarity is Important Understand
    Camera Placement and Detection Field Shape
  • Exterior Camera Concerns
  • Weather
  • Illumination Range
  • Field of View Alignment
  • Balanced Lighting
  • Environmental Housings
  • Mounting Heights
  • In All Cases, Place Camera High Enough to Avoid
    Tampering or Collision

CCTV Legal and Practical Implications
  • Storage Implications of Recorded Data
  • Video Tapes Must Be Stored to Prevent
  • Digital Records Must Be Maintained to Assert
  • Human Rights and Privacy Implications in
    Recording People
  • Requirements to Blurr/Pixelate Individuals Other
    than Accused

  • Provides a Deterrent to Intruders
  • Makes Detection Likely if Entry Attempted
  • Should be Used With Other Controls Such as
    Fences, Patrols, Alarm Systems, CCTV
  • Critical Protected Buildings Should Be
    Illuminated Up to 8 Feet High, with 2 Foot-Candle

Types of Lighting
  • Continuous Lighting (Most Common)
  • Glare Projection
  • Flood Lighting
  • Trip Lighting
  • Standby Lighting
  • Movable (Portable)
  • Emergency Lighting

Access Control
Advisory Magnetic Access Cards Should Have
No Company ID On Them
  • Card Access
  • Smart Cards
  • Mag Stripe Cards
  • Proximity Cards
  • Biometrics
  • Fingerprint
  • Retina or Iris Scans
  • Hand Geometry
  • Signature Dynamics

  • Tip Locks are Considered DELAY Devices Only
  • All Locks Can Be Defeated By Force and/or the
    Proper Tools
  • Locks Must Never Be Considered a Stand-Alone
    Method of Security

Locks (2)
  • Types of Locks
  • Key Locks
  • Combination Locks
  • Key Locks
  • Key-in-Knob or Key-in-Lever (Cylindrical Lockset)
    Only for Low Security Apps
  • Dead Bolt Locks or Tubular Dead Bolts Good for
    Storerooms, Houses (Bolt is Thrown)
  • Mortise Locks (Lock Case is Recessed or Mortised
    into the Edge of Door) Low Security Apps
  • Padlocks
  • Combination Locks
  • Combinations Must Be Changed at Specific Times
    and Under Specific Circumstances

Keyless and Smart Locks
  • Keyless (Cipher) Locks
  • Push-button locks
  • Smart Locks
  • Permit Only Authorized People Into Certain Doors
    at Certain Times
  • E.g., Magnetic Stripe Card that is Time Sensitive

Lock Security Measures
  • Key Control Procedures
  • Restrict Issue of Keys on a Long-Term Basis to
    Outside Maintenance or Janitorial Personnel
  • Keep a Record of All Issued Keys
  • Investigate the Loss of All Keys
  • When in Doubt, Rekey the Affected Locks
  • Use as Few Master Keys as Possible
  • Issue Keys on a Need-to-Go Basis
  • Remember Keys are a Single-Factor
    Authentication Mechanism That Can Be Lost,
    Stolen, or Copied.
  • (Use 2-Factor Methods for More Secure Spaces)

Compartmentalized Area
  • Def Location Where Sensitive Equipment is
    Stored and Where Sensitive Information is
  • Must Have a Higher Level of Security Controls

Data Center
  • Walls
  • Extend from True Floor to True Ceiling
  • Access Controls
  • Depending Upon Sensitivity of the Information and
    Value of Equipment, Electronic Access Controls
    May Need to be Installed

Ref CISSP Certification, Shon Harris
Portable Device Security
  • Laptops, PDAs, Etc.
  • Protect the Device
  • Protect the Data in the Device
  • Examples
  • Locking Cables for Docking Stations
  • Tracing Software
  • Audible Motion Alarm
  • Encryption Software
  • PIN Protection for PDAs
  • Inventory System

Alarm Systems
  1. Local Alarm Systems Alarm Sounds Locally and
    Must be Protected from Tampering and Audible for
    at Least 400 Feet
  2. Central Station Units Monitored 7x24 and
    Signaled Over Leased Lines Usually within lt10
    Minutes Travel Time (Private Security Firms)
  3. Proprietary Systems Similar to Central but
    Owned and Operated by Customer
  4. Auxiliary Station Systems Systems that Ring at
    Local Fire or Police Stations

Additional Alarm Systems
  • Line Supervision
  • Alarm Sounds When Alarm Transmission Medium
    Detects Tampering.
  • Secure Detection and Alarm Systems Require Line
  • Power Supplies
  • Require Separate Circuitry and Backup Power with
    24 Hour Minimum Discharge Time

5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

Drills Testing
  • Drills/Exercises/Testing
  • Keeps Everyone Aware of Their Responsibilities
  • Building Evacuation Drills Are Important
  • Physical Vulnerability/Penetration Tests
  • Should Identify Weak Entry Points
  • Findings Should Be Documented
  • Ref Ira Winkler Stories

Checklist, Maintenance Service
  • Checklist
  • Identifies Those Elements of Physical Security
    That Need to be Checked on a Regular Basis
  • Maintenance and Service
  • Needs to be Done
  • Need to Monitor Who Performs the Maintenance,
    Especially if it is an Outside Contractor

5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

Managed Services
  • Be Sure To Address
  • Contractor Understands and is Contractually Bound
    to Meet the Organizations Physical and
    Procedural Security Requirements
  • The Contracting Organization Has Ability to Audit
    or Test the Security Services Provided
  • There is a Channel of Communications Between the
    Contracting Authority and the Contractor to
    Affect Changes As Needed

Media Storage Requirements
  • Common Storage Areas for Media
  • On Site safes, desks, storage cabinets
  • Off Site data backup vaults (Transportation can
    be a security concern)
  • Elements and Resources in Control to Protect the
  • Physical Access Control at Storage Area
  • Environmental Controls (fire, water protection)
  • Inventory Controls and Monitoring
  • Audits

Media Storage Requirements (2)
  • Data Destruction and Reuse
  • Degaussing or Overwriting Usually Typically
    Destroys Most Data
  • Normal Formatting Does Not Destroy the Data
  • Format or Overwrite 7 Times (Mil-Spec)
  • Consider Shredding Hard Drives, Other Portable
  • Paper Records Confetti Shred or Burn

Physical Summary
  • Physical and Procedural Countermeasures
  • Provide Identification and Authentication
  • Authorization (Access Control)
  • Accountability
  • Provide Physical Contingency Resources and
    Alternate Procedures
  • Organized in a DEFENSE IN DEPTH Strategy
  • Effectiveness Relies on Knowledge, Skills and
    Awareness of Staff

Thank You!
Ernie Hayden CISSP, CEH Ce
ll 425-765-1400
Uptime Institute
  • Zinc Whiskers
  • Conductivity Contamination
  • Data Center Energy Issues
Write a Comment
User Comments (0)