Saudi Electronic University
College of Computing and Informatics
IT Security and Policies
26/12/2021
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Updated 02/2018
Chapter 7: Physical & Environmental Security
Objectives
Define the concept of physical security and how it relates to information
security
Evaluate the security requirements of facilities, offices, and equipment
Understand the environmental risks posed to physical structures, areas
within those structures, and equipment
Enumerate the vulnerabilities related to reusing and disposing of
equipment
Recognize the risk posed by the loss or theft of mobile devices and media
Develop policies designed to ensure the physical and environmental
security of information, information systems, and information processing
and storage facilities
Introduction
ISO 27002:2013 encompasses both physical and environmental
security.
Environmental security refers to the workplace environment, which
includes the design and construction of the facilities, how and where
people move, where equipment is stored, how the equipment is
secured, and protection from natural and man-made disasters.
A physical security expert may question the location, the topography,
and even the traffic patterns of walkers, automobiles, and airplanes.
Introduction
Creating and maintaining physical and environmental security is a
team effort.
Security professionals often focus on technical controls and can
overlook the importance of physical controls
Early computer age (system protection was easy):
Locked labs, heavy computers, and only a few people were granted access to
information
Today:
Transportable computers, cloud environments, many employees and contractors,
and limited privacy
Understanding the Secure Facility Layered Defense Model
In the layered defense model, if an intruder bypasses one layer of
controls, the next layer should provide additional defense and
detection capabilities
*Layers are both physical and psychological
*The appearance of security is itself a deterrent
E.g., medieval castles:
Built of stone, on a high hill, with guards, and a single entry way
All designed to ward off intruders.
How to Secure the Site
Physical protection is required for information-processing facilities.
Information-processing facilities range from:
1. A closet holding a single server, to
2. A complex of buildings with thousands of computers
In addressing site physical security, we must think of:
1. Theft
2. Malicious activity
3. Accidental damage
4. Damage that results from natural disasters
The design of a secure site starts with the location
Evaluating location-based threats:
1. Political stability
2. Susceptibility to terrorism
3. Crime rate in the area
4. Roadways and flight paths
5. Utility stability
6. Vulnerability to natural disasters
How to Secure the Site (Cont…)
Critical information processing facilities should be inconspicuous and unremarkable
They should not have signage relating to their purpose, nor should their outward
appearance hint at what may be inside.
The physical perimeter can be protected using:
1. Obstacles:
Berms, Fences, Gates , and Bollards
Illuminated entrances, exits, pathways, and parking areas
2. Detection systems:
Cameras, closed-circuit TV, alarms, motion sensors, and security guards
3. Response system:
Locking gates and doors, personnel notification and direct communication with
police.
How Is Physical Access Controlled?
The next area to consider is physical entry and exit controls, which fall into
four areas:
1. Authorizing Entry (building access)
2. Securing Offices, Rooms, and Facilities (within the building)
3. Working in Secure Areas
4. Ensuring clear desks and screens
Access control rules should be designed for:
Employees
Third-party (contractors/partners/vendors)
Visitors
Physical entry/access controls (rules):
Employees should be authorized before gaining access to a protected area
Visitors should be identified, labeled, and authorized before gaining access to a protected area
Visitors should be required to wear identification that can be evaluated from a distance, such as
a badge
Identification should start as soon as a person attempts to gain entry
Physical Entry Controls Policy Example
Securing Offices, Rooms, and Facilities
Workspaces should be classified based on the level of protection required
Some internal rooms and offices as well as parts of individual rooms (cabinets
and closets) may also require different levels of protection
Classification system should address
1. Personnel security
2. Information system security
3. Documents security
Secure design controls for spaces within a building include (but are not
limited to) the following:
1. Structural protection such as full-height walls, fireproof ceilings, and restricted
vent access
2. Alarmed solid, fireproof, lockable, and observable doors
3. Alarmed locking, unbreakable windows
4. Monitored and recorded entry controls (keypad, biometric, card swipe)
5. Monitored and recorded activity
Working in Secure Areas
It is not enough to physically secure an area; close attention should
also be paid to
Who is allowed to access the area
What they are allowed to do
The area should be
Continually monitored
Access control lists should be reviewed frequently
Based on the circumstances, devices may be restricted from
entering certain areas, for example
Cameras, smartphones, tablets, and USB drives
Ensuring Clear Desks and Screens
*Companies have a responsibility to protect physical and digital information (during the
workday and during non-business hours)
Protected or confidential documents should never be viewable by unauthorized personnel
1. Documents should be locked in file rooms, desk drawers, and cabinets when not in use
2. Copiers, scanners, and fax machines should be located in nonpublic areas and require the use
of codes
Unauthorized access can be the result of viewing a document left unattended
Documents and screens must also be protected from shoulder surfing
Shoulder surfing is the act of looking over someone’s shoulder to see what is displayed on a
monitor or device.
Password-protected screen savers should engage automatically after a period of inactivity.
Users should be trained to lock their screens when leaving devices unattended.
Physical security expectations and requirements should be included in organizational
acceptable use agreements.
Clear Desk and Clear Screen Policy Example
Protecting Equipment (Energy Consumption)
No power, no processing—it’s that simple
All information systems rely on clean, consistent, and abundant supplies of electrical power.
Portable devices that run on battery power require electricity for replenishment.
Power is not free.
Power can be very expensive, and excessive use has an environmental and geopolitical impact
After lighting, computers and monitors have the highest energy consumption in office
environments.
As power consumption and costs rise, saving energy is becoming a significant issue
Universities and Fortune 500 organizations have been leaders in the sustainable “green”
computing movement.
The goals of sustainable computing are to
1. Reduce the use of hazardous materials,
2. Maximize energy efficiency during the product’s lifetime,
3. Promote the recyclability or biodegradability of defunct products and factory waste.
Protecting Equipment
Both company and employee-owned equipment should be protected
To function properly, systems need consistent power delivered at the correct
voltage level.
Systems need to be protected from power loss, power degradation, and
even from too much power, all of which can damage equipment.
Common causes of voltage variation include:
1. Lightning; damage to overhead lines from storms, trees, birds, or
animals
2. Vehicles striking poles or equipment
3. Load changes or equipment failure on the network
4. Heat waves, which contribute to power interruptions as demand for
electricity rises
Protecting Equipment
Hardware assets must be protected from:
1. Power surges: Prolonged increase in voltage
2. Power spikes: momentary increase in voltage
3. Brownout: Prolonged period of low voltage
4. Sag: Momentary periods of low voltage
5. Blackouts: Prolonged periods of power loss
6. Fault: momentary loss of power
Protective devices can be installed to help protect the area and assets such as
1. Voltage regulators
2. Isolation transformers
3. Line filters
No power, No processing
Reduce power consumption, for example by purchasing Energy Star certified
devices
How Dangerous Is Fire?
Three elements of fire protection:
1. Fire prevention controls
These are the first line of defense.
Fire prevention controls include:
Hazard assessments and inspections,
Adhering to building and construction codes,
Using flame-retardant/nonflammable materials, and
Proper handling and storage procedures for flammable/combustible materials.
2. Fire detection
It is recognizing that there is a fire.
Fire detection devices can be
Smoke activated,
Heat activated, or
Flame activated.
3. Fire containment and suppression
It involves actually responding to the fire.
Containment and suppression equipment is specific to fire classification.
How Dangerous Is Fire (Fire Classification)
Responding to the fire based on its specific classification
Class A: Fire with ordinary combustible materials as its fuel
source, such as wood, cloth, paper, rubber, and many plastics
Class B: Fire in flammable liquids, oils, greases, tars, oil-based
paints, lacquers, and flammable gases
Class C: Fire that involves energized electrical equipment
Class D: Fire that involves combustible metals
Facilities must comply with standards that require fire-extinguishing
methods to be tested annually to validate full functionality.
The best-case scenario is that data centers and other critical locations are
protected by an automatic fire-fighting system that spans multiple classes.
In any emergency, human life always takes precedence. All personnel should
know how to quickly and safely evacuate an area.
What About Disposal?
What do servers, workstations, laptops, tablets,
smartphones, firewalls, routers, copiers, scanners, printers,
memory cards, cameras, and flash drives have in
common?
They all store data that should be permanently removed
before handing down, recycling, or discarding them.
What About Disposal (Data Files)?
The data can be apparent, hidden, temporary, cached, browser based, or metadata.
1. Apparent data files are files that authorized users can view and access.
2. Hidden files are files that the operating system by design does not display.
3. Temporary files are created to hold information temporarily while a file is being created.
4. A web cache is the temporary storage of web documents, such as HTML pages, images, and
downloads.
5. A data cache is the temporary storage of data that has recently been read and, in some cases,
adjacent data areas that are likely to be accessed next.
6. Browser-based data includes the following items:
1. Browsing history, which is the list of sites visited
2. Download history, which is the list of files downloaded
3. Form history, which includes the items entered into web page forms
4. Search bar history, which includes items entered into the search engines
5. Cookies, which store information about websites visited, such as site preferences and login status
7. Metadata is details about a file that describes or identifies it, such as title, date, author name, subject,
and keywords that identify the document’s topic or contents.
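Metadata travels with a file when the document is handed down, so scrubbing it is part of "permanently removing" data. The following is an added example, not from the slides or from Greene's book: it builds a minimal Office Open XML package in memory, reads the author, last editor and title from the genuine core-properties part (docProps/core.xml, with the real OOXML namespaces), and writes a copy with those fields blanked while leaving every other part byte-for-byte unchanged. Everything in the package other than core.xml is a placeholder constructed for the demo and would not open in a word processor.

```python
"""Read and scrub document metadata in an OOXML (.docx/.xlsx/.pptx) package.
Added example. The sample package is constructed for the demo: only
docProps/core.xml is realistic; the other parts are placeholders."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Genuine namespaces of the OOXML core-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():          # keep the original prefixes when re-serialising
    ET.register_namespace(prefix, uri)

CORE_PART = "docProps/core.xml"


def build_sample_docx() -> bytes:
    """Constructed sample: a zip with a realistic core.xml and placeholder parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">\n'
        '  <dc:title>Q3 acquisition plan</dc:title>\n'
        '  <dc:creator>j.doe</dc:creator>\n'
        '  <cp:lastModifiedBy>legal-team</cp:lastModifiedBy>\n'
        '  <dcterms:created xsi:type="dcterms:W3CDTF">2021-11-02T09:14:00Z</dcterms:created>\n'
        '</cp:coreProperties>\n'
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # placeholder, not a valid part
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml", "<w:document/>")   # placeholder body
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def read_core_properties(package: bytes) -> dict:
    """Return {local element name: text} for every core property in the package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read(CORE_PART))
    return {_local(el.tag): (el.text or "") for el in root}


def scrub_core_properties(package: bytes, keep=("created",)) -> bytes:
    """Copy the package, blanking every core property except those in `keep`.
    All other parts are copied unchanged, so the document body is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == CORE_PART:
                root = ET.fromstring(data)
                for el in root:
                    if _local(el.tag) not in keep:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


def read_part(package: bytes, name: str) -> bytes:
    """Fetch one part of the package, for checking that the body survived."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name)


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

Real documents carry further identifying fields in docProps/app.xml (company, template, total editing time) and in tracked changes and comments inside the body parts; the same copy-and-rewrite loop extends to those parts.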
Data Destruction Standard
NIST Special Publication 800-88 defines data destruction as
“the result of actions taken to ensure that media cannot be
reused as originally intended and that information is virtually
impossible to recover or prohibitively expensive.”
What About Disposal?
Removing data from drives
Formatting a hard drive or deleting files does not mean that the data located
on that drive cannot be retrieved
Two methods for permanently removing data from drives before their
disposal:
Disk wiping (overwriting the hard drive with 0 and 1)
Degaussing (exposing the hard drive to high magnetic field)
What About Disposal?
Disk wiping
The process overwrites the master boot record (MBR), partition table, and every
sector of the hard drive with patterns of 0s and 1s, usually for several passes, after which
the drive is formatted.
Historically, more overwrite passes were considered more secure; NIST SP 800-88 treats a single
overwrite pass, read back and verified, as adequate for modern magnetic hard drives, so the
verification matters more than the pass count.
Disk wiping does not work reliably on solid-state storage (USB thumb drives, compact
flash, MMC/SD cards, and SSDs): wear leveling and spare blocks mean an overwrite may never
reach every cell, so use the device's built-in sanitize or cryptographic-erase command, or destroy it.
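To make the difference between deletion, carving and a verified overwrite concrete, here is an added example that is not part of the slides or of Greene's book; it also serves the earlier "Removing data from drives" slide. It models a block device as an in-memory bytearray with a toy one-sector directory (a layout constructed for the demo, not any real filesystem): delete() only drops the directory entry, which is what an ordinary delete or quick format does; carve() recovers the file from raw sectors by its header signature, as a recovery or forensic tool would; wipe() overwrites every sector for each pass and reads it back, failing the wipe if any sector does not verify. The file name and contents are constructed sample data.

```python
"""Toy block device: why delete/format leaves data recoverable, and what a
verified overwrite does. Added example; the sector layout, directory format and
file contents are constructed for the demo and are not a real filesystem."""
import os
import struct

SECTOR = 512
SECTORS = 64                      # 32 KiB "disk"; sector 0 holds the directory
ENTRY = struct.Struct("<16sII")   # name (16 bytes), start sector, length in bytes
DIR_SLOTS = SECTOR // ENTRY.size


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(SECTOR * SECTORS)
        self.next_free = 1

    def _entries(self):
        """Yield (slot offset, name, start sector, length) for live directory entries."""
        for slot in range(DIR_SLOTS):
            off = slot * ENTRY.size
            name, start, length = ENTRY.unpack_from(self.raw, off)
            if start:                      # start == 0 marks a free slot
                yield off, name.rstrip(b"\0").decode(), start, length

    def write(self, name, data):
        nsect = -(-len(data) // SECTOR)    # ceiling division
        start = self.next_free
        if start + nsect > SECTORS:
            raise ValueError("disk full")
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.next_free += nsect
        for slot in range(DIR_SLOTS):
            off = slot * ENTRY.size
            if ENTRY.unpack_from(self.raw, off)[1] == 0:
                ENTRY.pack_into(self.raw, off, name.encode()[:16], start, len(data))
                return
        raise ValueError("directory full")

    def read(self, name):
        """Read through the directory, the way an application would."""
        for _, n, start, length in self._entries():
            if n == name:
                return bytes(self.raw[start * SECTOR:start * SECTOR + length])
        return None

    def delete(self, name):
        """What an ordinary delete or quick format does: clear the directory
        entry and leave every data sector exactly as it was."""
        for off, n, _, _ in self._entries():
            if n == name:
                self.raw[off:off + ENTRY.size] = bytes(ENTRY.size)

    def carve(self, signature):
        """File carving: ignore the directory and scan raw sectors for a known
        header, which is how recovery and forensic tools find 'deleted' data."""
        hits = []
        for s in range(1, SECTORS):
            sector = self.raw[s * SECTOR:(s + 1) * SECTOR]
            if sector.startswith(signature):
                hits.append(bytes(sector.rstrip(b"\0")))
        return hits

    def wipe(self, passes=(b"\x00", b"\xff", None)):
        """Overwrite every sector, directory included, once per pass (None =
        random bytes) and read each sector back. Returns True only if every
        sector of every pass verified."""
        for pattern in passes:
            for s in range(SECTORS):
                fill = os.urandom(SECTOR) if pattern is None else pattern * SECTOR
                self.raw[s * SECTOR:(s + 1) * SECTOR] = fill
                if bytes(self.raw[s * SECTOR:(s + 1) * SECTOR]) != fill:
                    return False
        self.next_free = 1
        return True


def demo():
    """Returns (what carving recovers after delete, what it recovers after wipe)."""
    disk = ToyDisk()
    disk.write("customers.pdf", b"PDFX" + b"constructed sample: customer list\n")
    disk.delete("customers.pdf")
    assert disk.read("customers.pdf") is None   # invisible through the directory...
    after_delete = disk.carve(b"PDFX")          # ...but carved straight back from raw sectors
    wiped = disk.wipe()
    after_wipe = disk.carve(b"PDFX") if wiped else None
    return after_delete, after_wipe


if __name__ == "__main__":
    recovered, gone = demo()
    print("after delete:", recovered)
    print("after verified wipe:", gone)
```

On a real drive the same three steps are, respectively, the quick format, a carving tool run against the raw device, and an overwrite tool that reads back what it wrote; the toy shows why only the last one satisfies a sanitization policy.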
Degaussing
The process wherein a magnetic object, such as a computer tape, hard disk drive, or
CRT monitor, is exposed to a magnetic field of greater, fluctuating intensity.
As applied to magnetic media, such as video, audio, computer tape, or hard drives, the
movement of magnetic media through the degaussing field realigns the particles,
resetting the magnetic field of the media to a near-zero state, erasing all the data written
to the tape or hard drive.
For tape, degaussing often resets the media to a like-new state so that it can be
reused and recycled; a degaussed modern hard drive, however, also loses its factory servo
tracks and cannot be reused.
What About Disposal?
Destroying materials
*The objective of physical destruction is to render the device and/or the media
unreadable and unusable.
Devices and media can be crushed, shredded, or, in the case of hard drives,
drilled in several locations perpendicular to the platters and penetrating clear
through from top to bottom.
Cross-cut shredding technology, which reduces material to fine, confetti-like
pieces, can be used on all media, ranging from paper to
hard drives.
What About Disposal?
Outsource the destruction process
Companies that offer destruction services often have specialized equipment
and are aware of environmental and regulatory requirements.
The downside is that the organization hands custody of the information to a third party
while remaining accountable for protecting it.
*The media may be transported to off-site locations. The data is being handled
by non-employees over whom the originating organization has no direct control.
Selecting a destruction service is serious business, and thorough due
diligence is in order.
Stop, Thief! (Statistics)
According to the Federal Bureau of Investigation (FBI), on average:
1 in 10 individuals will have their laptop stolen at some point.
97% of stolen laptops are never returned to their rightful owners.
The cost of lost and stolen devices is significant:
*The most obvious loss is the device itself.
What costs more is the detection, investigation, notification, and
after-the-fact response, plus the economic impact of lost customer trust
and confidence, especially if the device contained legally protected
information.
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing
more security controls than others. These controls must be
deployed.
Environmental threats such as power loss or a fire must be taken
into account and the proper hardware must be placed.
A clear desk and clear screen policy is important to protect the
confidentiality of company-owned data.
It is important to permanently remove data before recycling or
disposing of a device.
Thank You