it series physical and environment security for it
Download
Skip this Video
Download Presentation
IT Series: Physical and Environment Security for IT

Loading in 2 Seconds...

play fullscreen
1 / 53

IT Series: Physical and Environment Security for IT - PowerPoint PPT Presentation


  • 70 Views
  • Uploaded on

IT Series: Physical and Environment Security for IT. Donald Hester March 29, 2011 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 661899. Housekeeping. Maximize your CCC Confer window. Phone audio will be in presenter-only mode.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' IT Series: Physical and Environment Security for IT' - hazina


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
it series physical and environment security for it

IT Series:Physical and Environment Security for IT

Donald Hester

March 29, 2011

For audio call Toll Free 1-888-886-3951

and use PIN/code 661899

housekeeping
Housekeeping
  • Maximize your CCC Confer window.
  • Phone audio will be in presenter-only mode.
  • Ask questions and make comments using the chat window.
adjusting audio
Adjusting Audio
  • If you’re listening on your computer, adjust your volume using the speaker slider.
  • If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

saving files open close captions
Saving Files & Open/close Captions
  • Save chat window with floppy disc icon
  • Open/close captioning window with CC icon
emoticons and polling
Emoticons and Polling
  • Raise hand and Emoticons
  • Polling options
introduction
Introduction

Topics Covered

  • Physical security of information systems
  • Environmental protection of information system (Not the green type)
  • Some life safety issues
threats
Threats
  • Heat (internal and external)
  • Water (leak, flood, weather)
  • Theft
  • Power (loss or spike)
  • Fire (smoke)
  • Natural disaster (earthquake, tornado etc..)
  • Man made disaster (chemical spill)
  • Loss of life
policy
Policy
  • Start at the top:
    • The organization understand the importance and will to commit need resources
  • Policy should:
    • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
granting physical access
Granting Physical Access
  • Designate sensitive verses publicly accessible areas
  • List of authorized personnel
    • To access sensitive areas
  • Review the list regularly
    • To make sure you remove anyone who no longer needs access
restricted sensitive secure areas
Restricted/Sensitive/Secure Areas
  • Selecting Internal areas that need more control
  • Determine what assets require extra security
  • Control access of customers (students)
  • Restrict computer access or LAN access from lobbies
physical access control
Physical Access Control
  • Enforce access authorizations
  • Verify access authorization before granting access
  • Control entry
  • Control publicly accessible areas in accordance with risk
  • Secure keys, combinations, passwords, PINs, and other physical devices
physical access control1
Physical Access Control
  • Secure keys, combinations, passwords, PINs, and other physical devices
    • Key log (who has the keys)
    • Rekey (when a key is lost)
    • Recovery (get keys back)
    • Change combination (like password)
  • Important events
    • Someone is terminated or leaves
    • Lost or compromised
physical access control2
Physical Access Control
  • Doors
    • No more than two doors
    • Locks, or electronic door locks
    • Strike-plates on doors
    • Tamper-resistant hinges on doors
    • Resistant to forcible entry
    • Fire rated doors and walls
    • Internal windows should be small and shatter or bullet proof
control access to cables
Control Access to Cables
  • Control access to the cables used for communication
    • Ethernet
    • Telecom
    • Wiring closets
    • Spare jacks
    • Conduit or cable trays
output device access control
Output Device Access Control
  • What output devices need control?
    • Printers
    • Monitors
    • Audio devices
      • For example HR prints to a printer no one can simple walk by and pick up the print out (restricted area)
      • Same with finance and transcripts
  • Protect from theft
monitoring
Monitoring
  • Monitor physical access
    • CCTV especially in cash collection sites
  • Log access
    • Access control devices can log who gained access
    • Netbotz (example not an endorsement)
  • Detect and respond to incidents
slide19
CCTV
  • Closed-circuit TV
    • Wired or wireless
  • Simplest camera connected to TV monitor
  • More complex can detect, recognize, or identify
    • Smart CCTV – facial recognition technology
  • Purpose to detect & deter also used in investigations
cctv uses
CCTV uses
  • Security Applications
  • Safety Applications
  • Management Tool
  • Investigation Tool
visitor control
Visitor control
  • Contractors and employees access to restricted areas
  • Monitor visitor activity
  • Sign in
  • Check ID
  • Did you know they were coming?
    • Appointment only
access records
Access Records
  • Keep records
  • Review records
  • Records should include:
    • Name/organization of the person visiting
    • Signature of the visitor
    • Form(s) of identification
    • Date of access, time of entry and departure
    • Purpose of visit
    • name/organization of person visited
power
Power
  • Concern is loss of power resulting in down time
  • Protect power equipment
    • Access control to sub panels
    • Fire code issues
  • Protect power cables
    • Redundant or parallel power cables
emergency shutoff
Emergency Shutoff
  • Power switch to turn off all system
    • Life safety issue
  • Server rooms can be equipped with a switch that will turn off all equipment included those on battery backup
  • Place switch in a accessible location
  • Protect switch from accidental activation
emergency power
Emergency Power
  • Provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss
    • UPS for short time periods
    • What is your current UPS rated for?
    • Is that enough time for a orderly shutdown?
    • Have you check the battery life lately?
emergency power1
Emergency Power
  • Provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source
    • Power generator
    • How important is uptime?
    • How reliable is the power grid?
emergency lighting
Emergency Lighting
  • Employ and maintains automatic emergency lighting
    • Life safety issue again
    • Typically lights are in common areas and not always in a server room
    • Typically handled by facilities personnel
fire hazard
Fire Hazard
  • Fire suppression and detection devices/systems
    • Fire Prevention
    • Fire Detection
    • Fire Alarm
    • Fire Suppression
    • Fire Drills
fire suppression
Fire Suppression
  • Fire suppression devices/systems
      • Should have an independent power source
      • Properly rated fire extinguisher
      • Sprinklers, dry pipe best
      • Should have automatic shut down of servers
      • Halon FM-200 (or FE-227), FE-13, FE-25, Novec-1230, inert gas systems like Argonite, Inergen or CO2
      • Toxic fumes from burning plastic
temperature and humidity controls
Temperature and Humidity Controls
  • Maintains temperature and humidity levels
  • Monitors temperature and humidity levels
    • Maintain a constant temperature be between 70-74F (21-23C)
    • Maintain a constant humidity between 45-60%
      • High humidity causes corrosion and low humidity causes static electricity.
slide32
HVAC
  • Positive air pressure
    • Air flow out of the room
    • Limits dust getting in
  • Protected air vents
    • Possible entry point
  • Filtered air
    • Dust reduces heat transfer and can cause heat damage to circuits
  • Redundant HVAC systems
water damage protection
Water Damage Protection
  • Protects the information system from damage resulting from water leakage
  • Master shutoff valves
    • Accessible
    • Working
    • Known by key personnel
  • Not just for the server room, wire closets
  • Positive flow water drains
    • Protect from the risk of flooding
delivery and removal
Delivery and Removal
  • Authorizes, monitors, and controls computer equipment entering or exiting the facility
  • Record of those items
  • Theft is the big issues here
alternate work site
Alternate Work Site
  • Part of Business Continuity Planning
  • Consider physical and environment controls in alternate work site
locate systems
Locate Systems
  • Position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access
    • Where is the best place in your facility for a server room?
    • External issues?
      • Proximity of emergency services
      • Offsite hazards
location location location
Location, Location, Location
  • Avoid the basement
  • Avoid the top floor
  • Avoid the first floor
  • Avoid be located near stairs, bathrooms, water pipes, elevators or EMI emissions
  • Avoid locating it on an external wall
  • Avoid external windows and doors
areas
Areas
  • Plenum space
    • Requires plenum cabling
  • Raised false floors
    • Access to & protect cabling
  • Drop ceilings can give access to server rooms
    • Walls should extend beyond any false or drop ceilings
  • Security Mesh to help stop break-ins through gypsum walls
site security
Site Security
  • Site Location (Site Survey)
    • Proximity to emergency services
    • Flood zones, types of natural events, e.g. earthquake, hurricane, tornado
    • Proximity to hazardous materials, e.g. next to a oil refinery, train tracks
    • Redundant roads or ways in to the area
    • Crime rates for the area
other site issues
Other Site Issues
  • Crime Prevention Through Environmental Design (CPTED)
    • The building and facilities (campus) are designed in such a way as to limit or deter crime.
    • Parking lots & lighting
    • Perimeter lighting
    • Perimeter security
    • Landscaping
    • Barriers (bollards)
information leakage
Information Leakage
  • Tempest
  • Protect the information system from information leakage due to electromagnetic signals emanations
interference
Interference
  • Shielding from:
    • Electromagnetic interference (EMI)
    • Radio frequency interference (RFI)
    • Shielded cabling, room
  • Electrostatic discharge (ESD)
    • Anti-static flooring
    • Anti-static wrist strap
signage
Signage
  • For life safety
    • Clearly mark exits for life safety
    • Clearly mark locations of fire extinguishers
    • Clearly mark shutoff switches and valves
  • For theft
    • Signs create a psychological barrier
    • Asset tag equipment for possible recovery
alarm systems
Alarm Systems
  • A Communication systems design to alert, warn or notify a receiver of an event or danger.
  • Made up of 3 parts, sensor (detector) that detects the condition, and alarm system circuit to transmit the information to an annunciator (signal, alarm)
  • Standards UL, ISO and IEEE
secure disposal end of life cycle
Secure Disposal (End of Life Cycle)
  • Consider security before returning a failed hard drive
  • Data remanence
  • Software Data removers
  • Degauss
  • Shredding
  • Incinerators
dumpster diving
Dumpster Diving
  • Not illegal
  • Industrial espionage
  • Some consider it a hobby
  • Can find private, confidential information on paper or media or computers
copiers
Copiers

http://www.youtube.com/watch?v=iC38D5am7go

monitoring tools
Monitoring Tools
  • Netbotz
    • (now owned by APC)
  • IT WatchDogs
    • www.itwatchdogs.com
  • APC
    • www.apc.com
  • SynapSense
    • www.synapsense.com
slide51
Donald E. Hester

CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Los Positas College

www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca

[email protected]

Q&A

evaluation survey link
Evaluation Survey Link

Help us improve our seminars by filing out a short online evaluation survey at:

http://www.surveymonkey.com/s/PhysSecurity

slide53
Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/

IT Series:Physical and Environment Security for IT

ad