Handbook of Information Security Management:Physical Security



Domain 10
Physical Security


Physical security is often a discounted discipline, yet attention to safeguarding the physical environment can yield a satisfactory level of protection. Chapter 10-1-1 offers a comprehensive look at implementing a physical security program, which begins with a risk assessment so that the most appropriate and cost-effective controls are selected. Additionally, the author surveys the available biometric technologies and characterizes each in terms of its false rejection and false acceptance rates. Ultimately, the chapter maintains that a good physical security program is an organization’s first line of defense.

Information security (IS) management polls continue to reveal that the insider threat, from disgruntled or dishonest employees, is the number one risk to the security of computing resources. Likewise, the 1996 National Retail Security Survey indicates that 42% of inventory shrinkage is due to employee theft. Further, today’s highly competitive, technologically advanced workplace generates an environment where talented technicians move from one organization to another and take their knowledge with them. This situation begs the legal question, “Who owns the knowledge?” Chapter 10-2-1 addresses today’s workplace climate and the risks that arise where downsizing, rightsizing, high employee turnover, and an increased contingent workforce pose new threats to the security of information. In this chapter, we learn how to adopt effective hiring and firing practices and how to proactively protect trade secrets using exit interviews, employment contracts, and noncompetition clauses.

Domain 10 also addresses the distributed computing environment and how individual accountability extends to the desktop. In Chapter 10-3-1, the author submits several protection strategies to safeguard the desktop and portable computing environment. The chapter provides a detailed analysis of the threats and risks involved with the individually owned and operated personal computer, including data disclosure, computer viruses, theft, and loss of data integrity. In addition, the author includes a valuable security checklist, which itemizes the issues that the user and the Security Administrator must take into consideration when deploying a portable computer.

Section 10-1
Threats and Facility Requirements

Chapter 10-1-1
Physical Security

Tom Peltier

Before any controls can be implemented in the workplace, it is necessary to assess the current level of security. This can be accomplished in a number of ways; the easiest is a “walk-about.” After hours, walk through the facility and check for five key controls:

1.  Office doors are locked.
2.  Desks and cabinets are locked.
3.  Workstations are secured.
4.  Diskettes are secured.
5.  Company information is secured.

Checking for these five key control elements will give you a basic understanding of the controls already in place and a benchmark against which to measure improvement once a security control system is implemented. Typically, this first review will show a control deficiency rate of nearly 90%. A second review is recommended six to nine months after the new security controls are in place.

This chapter examines two key elements of basic computer security: physical security and biometrics. Physical security protects your organization’s physical computer facilities. It governs access to the building, to the computer room(s), to the computers (mainframe, mini, and micro), to the magnetic media, and to other media. Biometric devices record physical traits (e.g., fingerprint, palm print, facial features) or behavioral traits (e.g., signature, typing habits).

A BRIEF HISTORY

At the beginning of the computer age, it was easy to protect the systems: they were locked away in a lab, and only a select few “wizards” were granted access. Today, computers are cheaper, smaller, and accessible to almost everyone.

During the mid-twentieth century, the worldwide market for mainframe computer systems exploded. As third-generation systems became available in the 1960s, companies began to understand their dependence on them. By the mid to late 1970s, the security industry began to catch up, with Halon fire suppression systems, card access, and mainframe access control software such as RACF and ACF2. In the final quarter of the century, mainframe-centered computing was at its zenith.

By 1983, the affordable portable computer began to change the working landscape for information security professionals. An exodus from the mainframe to the desktop began, and the controls that had been so hard won in the previous two decades came to be regarded as mere bureaucracy. Physical security is now needed at the desktop as well. For years, conventional thinking has been that a computer is a computer, whatever its size; in fact, controls are even more important in the desktop or workstation environment than in the mainframe environment.

The computing environment is now moving from the desktop to the user. With the acceptance of telecommuting, the next challenge will be to apply physical security solutions to the user-centered computing environment.

With computers on every desk connected via networks to other local and remote systems, physical security needs must be reviewed and upgraded wherever necessary. Advances in computer and communications security are not enough; physical security remains a vitally important component of an overall information security plan.




The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the information that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you in your studies and also show your appreciation to Auerbach for letting me use their book on the site.