WHERE TO FOCUS ATTENTION

Before implementing any form of physical security, it may be helpful to conduct a limited business impact analysis (BIA) to focus on existing threats to the computer systems and determine where resources can best be spent. It is very important to consider all potential threats, even unlikely ones. Ignore those with a zero likelihood, such as a tsunami in Phoenix or a sandstorm in Maui. A very simple BIA could be diagrammed as shown in Exhibit 1.

Exhibit 1.  Business Impact Analysis Example

An unlimited number of threats can be of concern to your organization. Any number of high-likelihood threats can be identified. First consider those threats that might actually affect your organization (e.g., fire, flood, or fraud). Three elements are generally associated with each threat:

•  The agent: the destructive agent can be a human, a machine, or nature.

•  The motive: the only agent that can threaten accidentally and intentionally is the human.

•  The results: for the information systems community, this would be a loss of access or unauthorized access, modification, or disclosure or destruction of data or information.

---

Note:Rank each impact based on 4 = high to 1 = low. Rank each resource based on 4 = weak resources available to 1 = strong resources available.

---

The focus of physical security has often been on human-made disasters, such as sabotage, hacking, and human error. Don’t forget that the same kinds of threats can also occur from natural disasters.

NATURAL DISASTERS AND CONTROLS

Fire — A conflagration affects information systems through heat, smoke, or suppression agent (e.g., fire extinguishers and water) damage. This threat category can be minor, major, or catastrophic. Controls: install smoke detectors near equipment; keep fire extinguishers near equipment and train employees in their proper use; conduct regular fire evacuation exercises.

Environmental failure — This type of disaster includes any interruption in the supply of controlled environmental support provided to the operations center. Environmental controls include clean air, air conditioning, humidity, and water. Controls: since humans and computers don’t coexist well, try to keep them separate. Many companies are establishing command centers for employees and a “lights-out” environment for the machines. Keep all rooms containing computers at reasonable temperatures (60 to 75ºF or 10 to 25ºC). Keep humidity levels at 20 to 70% and monitor environmental settings.

Earthquake — A violent ground motion results from stresses and movements of the earth’s surface. Controls: keep computer systems away from glass and elevated surfaces; in high-risk areas secure the computers with antivibration devices.

Liquid Leakage — A liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers. Controls: keep liquid-proof covers near the equipment and install water detectors on the structural floor near the computer systems.

Lightning — An electrical charge of air can cause either direct lightning strikes to the facility or surges due to strikes to electrical power transmission lines, transformers, and substations. Controls: install surge suppressors, store backups in grounded storage media, install and test Uninterruptible Power Supply (UPS) and diesel generators.

Electrical Interruption — A disruption in the electrical power supply, usually lasting longer than one-half hour, can have serious business impact. Controls: install and test UPS, install line filters to control voltage spikes, and install antistatic carpeting.

THE HUMAN FACTOR

Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are caused by a company’s own employees. Another 15 to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5 to 8% is done by external people, yet the press and management focus mostly on them. The typical computer criminal is a nontechnical authorized user of the system who has been around long enough to locate the control deficiencies.

When implementing control devices, make certain that the controls meet the organization’s needs. Include a review of internal access, and be certain that employees meet the standards of due care imposed on external sources. “Intruders” can include anybody who is not authorized to enter a building, system, or data.

The first defense against instruders is to keep them out of the building or computer room. However, because of cost-cutting measures in the past two decades, very few computer facilities are guarded anymore. With computers everywhere, determining where to install locks is a significant problem.

To gain access to any business environment, everybody should have to pass an authentication and/or authorization test. The three ways of authenticating users involve something:

•  That the user knows (a password).

•  That the user has (a badge, key, card, or token).

•  Of their physiognomy (fingerprint, retinal image, voice).

LOCKS

In addition to securing the campus, it may be necessary to secure the computers, networks, disk drives, and electronic media. One method of securing a workstation is with an anchor pad, a metal pad with locking rods secured to the surface of the workstation. The mechanism is installed to the shell of the computer. These are available from many vendors.

Many organizations use cables and locks. Security cables are multistrand, aircraft-type steel cables affixed to the workstation with a permanently attached plate that anchors the security cable to the desk or other fixture.

Disk locks are another way to secure the workstation. These small devices are quickly inserted into the diskette slot and lock out any other diskette from the unit. They can prevent unauthorized booting from diskettes and infection from viruses.

Cryptographic locks also prevent unauthorized access by rendering information unreadable to unauthorized personnel. Encryption software does not impact day-to-day operations while ensuring the confidentiality of sensitive business information. Crypographic locks are cost-effective and easily available.