It series physical and environment security for it
1 / 53

IT Series: Physical and Environment Security for IT - PowerPoint PPT Presentation

  • Uploaded on

IT Series: Physical and Environment Security for IT. Donald Hester March 29, 2011 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 661899. Housekeeping. Maximize your CCC Confer window. Phone audio will be in presenter-only mode.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' IT Series: Physical and Environment Security for IT' - hazina

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
It series physical and environment security for it

IT Series:Physical and Environment Security for IT

Donald Hester

March 29, 2011

For audio call Toll Free 1-888-886-3951

and use PIN/code 661899


  • Maximize your CCC Confer window.

  • Phone audio will be in presenter-only mode.

  • Ask questions and make comments using the chat window.

Adjusting audio
Adjusting Audio

  • If you’re listening on your computer, adjust your volume using the speaker slider.

  • If you’re listening over the phone, click on phone headset.

    Do not listen on both computer and phone.

Saving files open close captions
Saving Files & Open/close Captions

  • Save chat window with floppy disc icon

  • Open/close captioning window with CC icon

Emoticons and polling
Emoticons and Polling

  • Raise hand and Emoticons

  • Polling options

Donald hester

Donald Hester

IT Series:Physical and Environment Security for IT


Topics Covered

  • Physical security of information systems

  • Environmental protection of information system (Not the green type)

  • Some life safety issues


  • Heat (internal and external)

  • Water (leak, flood, weather)

  • Theft

  • Power (loss or spike)

  • Fire (smoke)

  • Natural disaster (earthquake, tornado etc..)

  • Man made disaster (chemical spill)

  • Loss of life


  • Start at the top:

    • The organization understand the importance and will to commit need resources

  • Policy should:

    • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

Granting physical access
Granting Physical Access

  • Designate sensitive verses publicly accessible areas

  • List of authorized personnel

    • To access sensitive areas

  • Review the list regularly

    • To make sure you remove anyone who no longer needs access

Restricted sensitive secure areas
Restricted/Sensitive/Secure Areas

  • Selecting Internal areas that need more control

  • Determine what assets require extra security

  • Control access of customers (students)

  • Restrict computer access or LAN access from lobbies

Physical access control
Physical Access Control

  • Enforce access authorizations

  • Verify access authorization before granting access

  • Control entry

  • Control publicly accessible areas in accordance with risk

  • Secure keys, combinations, passwords, PINs, and other physical devices

Physical access control1
Physical Access Control

  • Secure keys, combinations, passwords, PINs, and other physical devices

    • Key log (who has the keys)

    • Rekey (when a key is lost)

    • Recovery (get keys back)

    • Change combination (like password)

  • Important events

    • Someone is terminated or leaves

    • Lost or compromised

Physical access control2
Physical Access Control

  • Doors

    • No more than two doors

    • Locks, or electronic door locks

    • Strike-plates on doors

    • Tamper-resistant hinges on doors

    • Resistant to forcible entry

    • Fire rated doors and walls

    • Internal windows should be small and shatter or bullet proof

Control access to cables
Control Access to Cables

  • Control access to the cables used for communication

    • Ethernet

    • Telecom

    • Wiring closets

    • Spare jacks

    • Conduit or cable trays

Output device access control
Output Device Access Control

  • What output devices need control?

    • Printers

    • Monitors

    • Audio devices

      • For example HR prints to a printer no one can simple walk by and pick up the print out (restricted area)

      • Same with finance and transcripts

  • Protect from theft


  • Monitor physical access

    • CCTV especially in cash collection sites

  • Log access

    • Access control devices can log who gained access

    • Netbotz (example not an endorsement)

  • Detect and respond to incidents


  • Closed-circuit TV

    • Wired or wireless

  • Simplest camera connected to TV monitor

  • More complex can detect, recognize, or identify

    • Smart CCTV – facial recognition technology

  • Purpose to detect & deter also used in investigations

Cctv uses
CCTV uses

  • Security Applications

  • Safety Applications

  • Management Tool

  • Investigation Tool

Visitor control
Visitor control

  • Contractors and employees access to restricted areas

  • Monitor visitor activity

  • Sign in

  • Check ID

  • Did you know they were coming?

    • Appointment only

Access records
Access Records

  • Keep records

  • Review records

  • Records should include:

    • Name/organization of the person visiting

    • Signature of the visitor

    • Form(s) of identification

    • Date of access, time of entry and departure

    • Purpose of visit

    • name/organization of person visited


  • Concern is loss of power resulting in down time

  • Protect power equipment

    • Access control to sub panels

    • Fire code issues

  • Protect power cables

    • Redundant or parallel power cables

Emergency shutoff
Emergency Shutoff

  • Power switch to turn off all system

    • Life safety issue

  • Server rooms can be equipped with a switch that will turn off all equipment included those on battery backup

  • Place switch in a accessible location

  • Protect switch from accidental activation

Emergency power
Emergency Power

  • Provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss

    • UPS for short time periods

    • What is your current UPS rated for?

    • Is that enough time for a orderly shutdown?

    • Have you check the battery life lately?

Emergency power1
Emergency Power

  • Provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source

    • Power generator

    • How important is uptime?

    • How reliable is the power grid?

Emergency lighting
Emergency Lighting

  • Employ and maintains automatic emergency lighting

    • Life safety issue again

    • Typically lights are in common areas and not always in a server room

    • Typically handled by facilities personnel

Fire hazard
Fire Hazard

  • Fire suppression and detection devices/systems

    • Fire Prevention

    • Fire Detection

    • Fire Alarm

    • Fire Suppression

    • Fire Drills

Fire suppression
Fire Suppression

  • Fire suppression devices/systems

    • Should have an independent power source

    • Properly rated fire extinguisher

    • Sprinklers, dry pipe best

    • Should have automatic shut down of servers

    • Halon FM-200 (or FE-227), FE-13, FE-25, Novec-1230, inert gas systems like Argonite, Inergen or CO2

    • Toxic fumes from burning plastic

Temperature and humidity controls
Temperature and Humidity Controls

  • Maintains temperature and humidity levels

  • Monitors temperature and humidity levels

    • Maintain a constant temperature be between 70-74F (21-23C)

    • Maintain a constant humidity between 45-60%

      • High humidity causes corrosion and low humidity causes static electricity.


  • Positive air pressure

    • Air flow out of the room

    • Limits dust getting in

  • Protected air vents

    • Possible entry point

  • Filtered air

    • Dust reduces heat transfer and can cause heat damage to circuits

  • Redundant HVAC systems

Water damage protection
Water Damage Protection

  • Protects the information system from damage resulting from water leakage

  • Master shutoff valves

    • Accessible

    • Working

    • Known by key personnel

  • Not just for the server room, wire closets

  • Positive flow water drains

    • Protect from the risk of flooding

Delivery and removal
Delivery and Removal

  • Authorizes, monitors, and controls computer equipment entering or exiting the facility

  • Record of those items

  • Theft is the big issues here

Alternate work site
Alternate Work Site

  • Part of Business Continuity Planning

  • Consider physical and environment controls in alternate work site

Locate systems
Locate Systems

  • Position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access

    • Where is the best place in your facility for a server room?

    • External issues?

      • Proximity of emergency services

      • Offsite hazards

Location location location
Location, Location, Location

  • Avoid the basement

  • Avoid the top floor

  • Avoid the first floor

  • Avoid be located near stairs, bathrooms, water pipes, elevators or EMI emissions

  • Avoid locating it on an external wall

  • Avoid external windows and doors


  • Plenum space

    • Requires plenum cabling

  • Raised false floors

    • Access to & protect cabling

  • Drop ceilings can give access to server rooms

    • Walls should extend beyond any false or drop ceilings

  • Security Mesh to help stop break-ins through gypsum walls

Site security
Site Security

  • Site Location (Site Survey)

    • Proximity to emergency services

    • Flood zones, types of natural events, e.g. earthquake, hurricane, tornado

    • Proximity to hazardous materials, e.g. next to a oil refinery, train tracks

    • Redundant roads or ways in to the area

    • Crime rates for the area

Other site issues
Other Site Issues

  • Crime Prevention Through Environmental Design (CPTED)

    • The building and facilities (campus) are designed in such a way as to limit or deter crime.

    • Parking lots & lighting

    • Perimeter lighting

    • Perimeter security

    • Landscaping

    • Barriers (bollards)

Information leakage
Information Leakage

  • Tempest

  • Protect the information system from information leakage due to electromagnetic signals emanations


  • Shielding from:

    • Electromagnetic interference (EMI)

    • Radio frequency interference (RFI)

    • Shielded cabling, room

  • Electrostatic discharge (ESD)

    • Anti-static flooring

    • Anti-static wrist strap


  • For life safety

    • Clearly mark exits for life safety

    • Clearly mark locations of fire extinguishers

    • Clearly mark shutoff switches and valves

  • For theft

    • Signs create a psychological barrier

    • Asset tag equipment for possible recovery

Alarm systems
Alarm Systems

  • A Communication systems design to alert, warn or notify a receiver of an event or danger.

  • Made up of 3 parts, sensor (detector) that detects the condition, and alarm system circuit to transmit the information to an annunciator (signal, alarm)

  • Standards UL, ISO and IEEE

Secure disposal end of life cycle
Secure Disposal (End of Life Cycle)

  • Consider security before returning a failed hard drive

  • Data remanence

  • Software Data removers

  • Degauss

  • Shredding

  • Incinerators

Dumpster diving
Dumpster Diving

  • Not illegal

  • Industrial espionage

  • Some consider it a hobby

  • Can find private, confidential information on paper or media or computers


Monitoring tools
Monitoring Tools

  • Netbotz

    • (now owned by APC)

  • IT WatchDogs


  • APC


  • SynapSense


Donald E. Hester

CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Los Positas College | | |

[email protected]


Evaluation survey link
Evaluation Survey Link

Help us improve our seminars by filing out a short online evaluation survey at:

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

IT Series:Physical and Environment Security for IT