| | CHAPTER 5
Protecting Your System:
Physical Security | |
 | |
CHAPTER 5 IN A NUTSHELL: Introduction to Physical Security
Commonly Asked Questions
Policy Issues
Physical Security Countermeasures
Physical Security Checklist | | | | Introduction to Physical Security Most people think about locks, bars, alarms, and uniformed guards whenthey think about security. While these countermeasures are by nomeans the only precautions that need to be considered when trying tosecure an information system, they are a perfectly logical place to begin.Physical security is a vital part of any security plan and is fundamental to allsecurity efforts--without it, information security (Chapter 6), softwaresecurity (Chapter 7), user access security (Chapter 8), and networksecurity (Chapter 9) are considerably more difficult, if not impossible, toinitiate. Physical security refers to the protection of building sites andequipment (and all information and software contained therein) fromtheft, vandalism, natural disaster, manmade catastrophes, and accidentaldamage (e.g., from electrical surges, extreme temperatures, and spilledcoffee). It requires solid building construction, suitable emergencypreparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders.
| | |
| | | Commonly Asked Questions Q.How can I implement adequate site security when I am stuck in anold and decrepit facility?
A.Securing your site is usually the result of a series of compromises--what you need versus what you can afford and implement. Ideally, oldand unusable buildings are replaced by modern and more serviceablefacilities, but that is not always the case in the real world. If you findyourself in this situation, use the risk assessment process described inChapter 2 to identify your vulnerabilities and become aware of your preferred security solutions. Implement those solutions that you can, withthe understanding that any steps you take make your system that muchmore secure than it had been. When it comes time to argue for newfacilities, documenting those vulnerabilities that were not addressed earliershould contribute to your evidence of need. Q.Even if we wanted to implement these physical security guidelines,how would we go about doing so?
A.Deciding which recommendations to adopt is the most important step.Your risk assessment results should arm you with the informationrequired to make sound decisions. Your findings might even show that notevery guideline is required to meet the specific needs of your site (andthere will certainly be some variation based on need priorities). Oncedecided on, however, actually initiating a strategy is often as simple asraising staff awareness and insisting on adherence to regulations. Somestrategies might require basic "'handyman"' skills to install simple equipment(e.g., key locks, fire extinguishers, and surge protectors), while othersdefinitely demand the services of consultants or contractors with specialexpertise (e.g., window bars, automatic fire equipment, and alarmsystems). In any case, if the organization determines that it is necessaryand feasible to implement a given security strategy, installing equipmentshould not require effort beyond routine procedures for completing internalwork orders and hiring reputable contractors.
|
Determining countermeasures often requires creativity: don't limit yourself to traditional solutions.
| | Q.What if my budget won't allow for hiring full-time security guards?
A. Hiring full-time guards is only one of many options for dealing withsecurity monitoring activities. Part-time staff on watch duringparticularly critical periods is another. So are video cameras and the use ofother staff (from managers to receptionists) who are trained to monitorsecurity as a part of their duties. The point is that by brainstorming a rangeof possible countermeasure solutions you can come up with severaleffective ways to monitor your workplace. The key is that the function isbeing performed. How it is done is secondary--and completely up to theorganization and its unique requirements.
| | |
|
Guidelines for security policy development can be found in Chapter 3.
| | Policy Issues Physical security requires that building site(s) be safeguarded in a way thatminimizes the risk of resource theft and destruction. To accomplishthis, decision-makers must be concerned about building construction, roomassignments, emergency procedures, regulations governing equipmentplacement and use, power supplies, product handling, and relationshipswith outside contractors and agencies. The physical plant must be satisfactorily secured to prevent thosepeople who are not authorized to enter the site and use equipment fromdoing so. A building does not need to feel like a fort to be safe. Well-conceivedplans to secure a building can be initiated without adding undueburden on your staff. After all, if they require access, they will receive it--as long as they were aware of, and abide by, the organization's statedsecurity policies and guidelines (see Chapter 3). The only way to ensurethis is to demand that before any person is given access to your system,they have first signed and returned a valid Security Agreement. Thisnecessary security policy is too important to permit exceptions.
|
As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk
| | Physical Threats (Examples) | Examples of physical threats include:- Natural events (e.g., floods, earthquakes, and tornados)
- Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
- Intentional acts of destruction (e.g., theft, vandalism, and arson)
- Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)
| | | |
|
A countermeasure is a strp planned and taken in opposition to another act or potential act.
| | Physical Security Countermeasures The following countermeasures address physical security concerns thatcould affect your site(s) and equipment. These strategies arerecommended when risk assessment identifies or confirms the need tocounter potential breaches in the physical security of your system.
| | | Countermeasures come in a variety of sizes, shapes, and levelsof complexity. This document endeavors to describe a range ofstrategies that are potentially applicable to life in educationorganizations. In an effort to maintain this focus, thosecountermeasures that are unlikely to be applied in educationorganizations are not included here. If after your risk assessment,for example, your security team determines that your organizationrequires high-end countermeasures like retinal scanners or voiceanalyzers, you will need to refer to other security references andperhaps even need to hire a reliable technical consultant. | | |
Create a Secure Environment: Building and Room Construction:17- Don't arouse unnecessary interest in your critical facilities: A secureroom should have "low" visibility (e.g., there should not be signsin front of the building and scattered throughout the hallwaysannouncing "expensive equipment and sensitive informationthis way").
|
Select only those countermeasures that meetpercuived needs as indentified during riskassessment (Chapter 2) and supportsecurity policy (Chapter 3).
| | - Maximize structural protection: A secure room should have fullheight walls and fireproof ceilings.
- Minimize external access (doors): A secure room should only haveone or two doors--they should be solid, fireproof, lockable, andobservable by assigned security staff. Doors to the secure roomshould never be propped open.
- Minimize external access (windows): A secure room should nothave excessively large windows. All windows should have locks.
- Maintain locking devices responsibly: Locking doors and windowscan be an effective security strategy as long as appropriateauthorities maintain the keys and combinations responsibly. Ifthere is a breach, each compromised lock should be changed.
- Investigate options other than traditional keyhole locks for securingareas as is reasonable:
Based on the findings from your riskassessment (see Chapter 2), consider alternative physical security strategies such as window bars, anti-theft cabling (i.e., an alarm sounds when any piece of equipment is disconnected from the system), magnetic key cards, and motion detectors.
|
| |
Recognize that some countermeasures are ideals and may not be feasible if, for example, your organization is housed in an old building.- Be prepared for fire emergencies: In an ideal world, a secure roomshould be protected from fire by an automatic fire-fightingsystem. Note that water can damage electronic equipment, socarbon dioxide systems or halogen agents are recommended. Ifimplemented, staff must be trained to use gas masks and otherprotective equipment. Manual fire fighting equipment (i.e., fireextinguishers) should also be readily available and staff should beproperly trained in their use.
- Maintain a reasonable climate within the room: A good rule ofthumb is that if people are comfortable, then equipment isusually comfortable--but even if people have gone home for thenight, room temperature and humidity cannot be allowed toreach extremes (i.e., it should be kept between 50 and 80degrees Fahrenheit and 20 and 80 percent humidity). Note thatit's not freezing temperatures that damage disks, but thecondensation that forms when they thaw out.
- Be particularly careful with non-essential materials in a securecomputer room: Technically, this guideline should read "no eating,drinking, or smoking near computers," but it is quite probablyimpossible to convince staff to implement such a regulation.Other non-essential materials that can cause problems in asecure environment and, therefore, should be eliminated includecurtains, reams of paper, and other flammables.
| | |
Don't say it if you don't mean it--instituting policies that you don't bother to enforce makes users wonder whether you're serious about other rules as well.
|
Locking critical equipment in secure closet can bean excellent security strategy findings establish that it is warranted.
| | Guard Equipment:- Keep critical systems separate from general systems: Prioritizeequipment based on its criticality and its role in processingsensitive information (see Chapter 2). Store it in secured areasbased on those priorities.
- House computer equipment wisely: Equipment should not be ableto be seen or reached from window and door openings, norshould it be housed near radiators, heating vents, airconditioners, or other duct work. Workstations that do notroutinely display sensitive information should always be stored inopen, visible spaces to prevent covert use.
- Protect cabling, plugs, and other wires from foot traffic: Trippingover loose wires is dangerous to both personnel and equipment.
- Keep a record of your equipment: Maintain up-to-date logs ofequipment manufacturers, models, and serial numbers in asecure location. Be sure to include a list of all attachedperipheral equipment. Consider videotaping the equipment(including close-up shots) as well. Such clear evidence ofownership can be helpful when dealing with insurancecompanies.
- Maintain and repair equipment: Have plans in place foremergency repair of critical equipment. Either have a technicianwho is trained to do repairs on staff or make arrangements withsomeone who has ready access to the site when repair work isneeded. If funds allow, consider setting up maintenancecontracts for your critical equipment. Local computer suppliersoften offer service contracts for equipment they sell, and manyworkstation and mainframe vendors also provide such services.Once you've set up the contract, be sure that contactinformation is kept readily available. Technical supporttelephone numbers, maintenance contract numbers, customeridentification numbers, equipment serial numbers, and mail-ininformation should be posted or kept in a log book near thesystem for easy reference. Remember that computer repairtechnicians may be in a position to access your confidentialinformation, so make sure that they know and follow yourpolicies regarding outside employees and contractors who accessyour system.
| |
| |
| Who needs a Maintenance Contract? "Percussive maintenance" is the fine art of pounding on a piece of sensitive electronic equipment until it returns to proper working order. | |
| | | Rebuff Theft:18- Identify your equipment as yours in an overt way: Mark yourequipment in an obvious, permanent, and easily identifiable way.Use bright (even fluorescent) paint on keyboards, monitorbacks and sides, and computer bodies. It may decrease theresale value of the components, but thieves cannot remove thesetypes of identifiers as easily as they can adhesive labels.
| | Losing a computer to theft has both financial costs (the replacement value of the equipment) and information costs (the files contained on the hard drive). | | | - Identify your equipment as yours in a covert way: Label the insideof equipment with the organization's name and contactinformation to serve as powerful evidence of ownership.
- Make unauthorized tampering with equipment difficult: Replaceregular body case screws with Allen-type screws or comparabledevices that require a special tool (e.g., an Allen wrench) to openthem.
- Limit and monitor access to equipment areas: Keep an up-to-datelist of personnel authorized to access sensitive areas. Neverallow equipment to be moved or serviced unless the task is pre-authorizedand the service personnel can produce an authenticwork order and verify who they are. Require picture or otherforms of identification if necessary. Logs of all such activityshould be maintained. Staff should be trained to always err onthe cautious side (and the organization must support suchcaution even when it proves to be inconvenient).
| | | | | Attend to Portable Equipment and Computers:19 - Never leave a laptop computer unattended: Small, expensivethings often disappear very quickly--even more quickly frompublic places and vehicles!
|
| |
While the X-ray conveyor belt is the preferred way oftransporting a laptop through airport security (compared tosubjecting the computer to the magnetic fields of walk-through orwand scanners), it is also a prime place for theft. Thieves love to"inadvertently" pick up the wrong bag and disappear whilepassengers are fumbling through their pockets to find the loosecoins that keep setting off the metal detectors. Use the X-rayconveyor belt, but never take your eyes off your laptop!
|
Require laptop users to read the recommended travel guidelines that should come with the equipments's documentation.
| | - Store laptop computers wisely: Secure laptops in a hotel saferather than a hotel room, in a hotel room rather than a car, and ina car trunk rather than the back seat.
- Stow laptop computers appropriately: Just because a car trunk issafer than its back seat doesn't mean that the laptop won't bedamaged by an unsecured tire jack. Even if the machine isn'tstolen, it can be ruined all the same. Stow the laptop and itsbattery safely!
- Don't leave a laptop computer in a car trunk overnight or for longperiods of time: In cold weather, condensation can form anddamage the machine. In warm weather, high temperatures(amplified by the confined space) can also damage hard drives.
It Really Happens!Jack's briefcase was his life. Well, maybe it wasn't his whole life, but it definitely contained the betterpart of his professional life. It held his grade book, his lesson plans, his master's thesis--all very important things in the world of a middle school teacher. And it wouldn't be an exaggeration to say that Jack sure was surprised when his life (the briefcase) went up in flames one afternoon in the school cafeteria. He couldn't explain it, but nonetheless he found himself sitting in front of the district technologist trying to do exactly that--explain why his briefcase caught on fire and ruined, among more important things to him, the spare battery he was carrying for the school's laptop computer. "So," the technologist asked, "you're saying that you're surprised that your briefcase caught on fire? Well, let me tell you, I'm glad that it was only your bag that was damaged. Didn't you know that the exposed terminals of a battery can cause a spark? Didn't you know that any piece of metal, even a paper clip, can serve as the conduit? That's all it takes: an improperly stored battery, a paper clip and anything combustible--and wham, you've got yourself a fire. Your home could have gone up in flames last night because of it. Or your school could have this afternoon. Didn't you know that?" Jack almost replied that, of course, he hadn't known about all of those dangers, and that the technologist should have warned him about them before he had borrowed the laptop and extra battery. But instead he just shook his head sheepishly. After all, along with his grade book, lesson plans, and master's thesis, he had just burned a $200 dollar laptop battery that didn't belong to him. | | | Regulate Power Supplies:- Be prepared for fluctuations in the electrical power supply: Do so by (1) plugging all electrical equipment into surge suppressors orelectrical power filters; and (2) using Uninterruptible PowerSources (UPSs) to serve as auxiliary electrical supplies to criticalequipment in the event of power outages.
|
Pay attention to the manufacturer's recommendations for storing portable computer batteries--they carry live charges and are capable of igniting fires if not handled properly.
| | - Protect power supplies from environmental threats: Considerhaving a professional electrician design or redesign your electricalsystem to better withstand fires, floods, and other disasters.
- Select outlet use carefully: Although little thought generally goesinto plugging equipment into an outlet, machines that drawheavily from a power source can affect, and be affected by,smaller equipment that draws energy from the same outlet.
- Guard against the negative effects of static electricity in the office place: Install anti-static carpeting and anti-static pads, use anti-staticsprays, and encourage staff to refrain from touching metaland other static-causing agents before using computerequipment.
| | |
Protect Output:- Keep photocopiers, fax machines, and scanners in public view:These types of equipment are very powerful tools fordisseminating information--so powerful, in fact, that their usemust be monitored.
- Assign printers to users with similar security clearances: You don'twant employees looking at sensitive financial information (e.g.,staff salaries) or confidential student information (e.g., individualrecords) while they are waiting for their documents to print. It isbetter to dedicate a printer to the Director of Finance than to have sensitive data scattered around a general use printer.Don't hesitate to put printers in locked rooms if that is what thesituation demands.
- Label printed information appropriately: Confidential printoutsshould be clearly identified as such.
- Demand suitable security procedures of common carriers whenshipping/receiving confidential information: Mail, delivery,messenger, and courier services should be required to meet yourorganization's security standards when handling your confidentialinformation.
- Dispose of confidential waste adequately: Print copies ofconfidential information should not be placed in commondumpsters unless shredded. (Comparable requirements fordiscarding electronic copies of confidential information can befound in Chapter 6.)
| | |
It Really Happens!Dr. Hamilton was everything that a school district could ask for. She was a great visionary, a trustedleader, and an excellent superintendent... but she was terrible with the piles of paper she kept on her desk.Luckily for her and the district, she had an equally competent secretary. Lucy was always one step ahead of Dr.Hamilton with the paperwork. She knew where to find the latest draft of the letter to the Board. She knewwhich form needed to be completed by when. She knew how many copies of the monthly report needed to berun off. One afternoon, Dr. Hamilton came running out of her office to Lucy's desk, "You haven't shredded thosepapers I gave you this morning yet, have you?" As was always the case, Lucy had, of course, completed the task shortly after it had been handed to her.She told Dr. Hamilton so, and asked what was the matter. "I think that I accidentally gave you my only copy of the speech I'm giving to the Chamber of Commercetonight," the distraught woman replied, knowing that she'd never be able to reproduce the outline in time forthe meeting. "Don't worry," Lucy said, beaming with pride that her forethought was about to again pay off, "I makebackup copies of every sheet of paper you give me before I turn on that paper shredder. Let's look in my filingcabinet." Dr. Hamilton let out a deep sigh of relief--Lucy had again saved the day. Suddenly, however, the astutesuperintendent paused, "What do you mean you make copies of everything I give you before you turn on thepaper shredder?" | | |
| | | | | | Physical Security Checklist While it may be tempting to simply refer to the following checklist as yoursecurity plan, to do so would limit the effectiveness of the recom-mendations.They are most useful when initiated as part of a larger plan todevelop and implement security policy throughout an organization. Otherchapters in this document also address ways to customize policy to yourorganization's specific needs--a concept that should not be ignored if youwant to maximize the effectiveness of any given guideline. | | | Security Checklist for Chapter 5
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text. | | | Check Points
for Physical Security | | Create a Secure Environment: Building and Room Construction | | - Does each secure room or facility have low visibility (e.g., no unnecessarysigns)?
| | - Has the room or facility been constructed with full-height walls?
| | - Has the room or facility been constructed with a fireproof ceiling?
| | - Are there two or fewer doorways?
| | - Are doors solid and fireproof?
| | - Are doors equipped with locks?
| | - Are window openings to secure areas kept as small as possible?
| | - Are windows equipped with locks?
| | - Are keys and combinations to door and window locks secured responsibly?
| | - Have alternatives to traditional lock and key security measures (e.g., bars,anti-theft cabling, magnetic key cards, and motion detectors) beenconsidered?
| | - Have both automatic and manual fire equipment been properly installed?
| | - Are personnel properly trained for fire emergencies?
| | - Are acceptable room temperatures always maintained (i.e., between 50and 80 degrees Fahrenheit)?
| | - Are acceptable humidity ranges always maintained (i.e., between 20 and80 percent)?
| | - Are eating, drinking, and smoking regulations in place and enforced?
| | - Has all non-essential, potentially flammable, material (e.g., curtains andstacks of computer paper) been removed from secure areas?
| | | Guard Equipment | | - Has equipment been identified as critical or general use, and segregatedappropriately?
| | - Is equipment housed out of sight and reach from doors and windows, andaway from radiators, heating vents, air conditioners, and other duct work?
| | - Are plugs, cabling, and other wires protected from foot traffic?
| | - Are up-to-date records of all equipment brand names, model names, andserial numbers kept in a secure location?
| | - Have qualified technicians (staff or vendors) been identified to repaircritical equipment if and when it fails?
| | - Has contact information for repair technicians (e.g., telephone numbers,customer numbers, maintenance contract numbers) been stored in a securebut accessible place?
| | - Are repair workers and outside technicians required to adhere to theorganization's security policies concerning sensitive information?
| | | Rebuff Theft | | - Has all equipment been labeled in an overt way that clearly andpermanently identifies its owner (e.g., the school name)?
| | - Has all equipment been labeled in a covert way that only authorized staffwould know to look for (e.g., inside the cover)?
| | - Have steps been taken to make it difficult for unauthorized people totamper with equipment (e.g., by replacing case screws with Allen-typescrews)?
| | - Have security staff been provided up-to-date lists of personnel and theirrespective access authority?
| | - Are security staff required to verify identification of unknown peoplebefore permitting access to facilities?
| | - Are security staff required to maintain a log of all equipment taken in andout of secure areas?
| | | Attend to Portable Equipment and Computers | | - Do users know not to leave laptops and other portable equipmentunattended outside of the office?
| | - Do users know and follow proper transportation and storage proceduresfor laptops and other portable equipment?
| | | Regulate Power Supplies | | - Are surge protectors used with all equipment?
| | - Are Uninterruptible Power Supplies (UPSs) in place for critical systems?
| | - Have power supplies been "insulated" from environmental threats by aprofessional electrician?
| | - Has consideration been given to the use of electrical outlets so as toavoid overloading?
| | - Are the negative effects of static electricity minimized through the use ofanti-static carpeting, pads, and sprays as necessary?
| | | Protect Output | | - Are photocopiers, fax machines, and scanners kept in open view?
| | - Are printers assigned to users with similar security clearances?
| | - Is every printed copy of confidential information labeled as"confidential"?
| | - Are outside delivery services required to adhere to security practiceswhen transporting sensitive information?
| | - Are all paper copies of sensitive information shredded before beingdiscarded?
| |
| | |
| | |
