1 / 16

Physical Security for Information Systems

Physical Security for Information Systems. Importance of Physical Security. Most people focus on protecting logical systems (software that is running) If you cannot protect the physical systems (computer hardware), you cannot protect the program and data running on the hardware

ahmed-vang
Download Presentation

Physical Security for Information Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Physical Security for Information Systems CSE 465 & CSE591, Fall 2006

  2. Importance of Physical Security • Most people focus on protecting logical systems (software that is running) • If you cannot protect the physical systems (computer hardware), you cannot protect the program and data running on the hardware • Physical security deals with who has access to buildings, computer rooms, and the devices within them • Protect sites from natural and man-made physical threats CSE 465 & CSE591, Fall 2006

  3. Physical Security Threats • Weather • Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, etc. • Fire/chemical • Explosions, toxic waste/gases, smoke, fire • Earth movement • Earthquakes, mudslides • Structural failure • Building collapse because of snow/ice or moving objects (cars, trucks, airplanes, etc.) CSE 465 & CSE591, Fall 2006

  4. Physical Security Threats (cont.) • Energy • Loss of power, radiation, magnetic wave interference, etc. • Biological • Virus, bacteria, etc. • Human • Strikes, theft, sabotage, terrorism and war CSE 465 & CSE591, Fall 2006

  5. Physical Security Areas • Educating personnel • An educated staff is best weapon a company can have against illegitimate and accidental acts by others • Administrative controls • Address procedural and codified applications of physical controls • Physical security controls • Enforce proper controls for physical contact of system facilities CSE 465 & CSE591, Fall 2006

  6. Physical Security Areas (cont.) • Technical controls • Use of computer hardware and software to protect facilities as opposed to some of traditional “pure physical” techniques • Environmental/life-safety controls • Ensure infrastructure to maintain proper operating environment for both human and machine CSE 465 & CSE591, Fall 2006

  7. Educating Personnel • Security staff should be prepared for potential of unforeseen acts • Other employees should be reminded periodically of importance of helping their surroundings secure • Being mindful of physical and environmental considerations required to protect information systems • Adhering to emergency and disaster plans • Monitoring unauthorized use of equipment and services, and reporting those activities to security personnel • Recognizing security objectives of organization • Accepting individual responsibilities associated with their jobs and that of their coworkers CSE 465 & CSE591, Fall 2006

  8. Administrative Controls • Restricting Work Areas • First identify access rights to the site in general • Then decide various access rights required by each location (rooms, elevators, buildings) within the site • Escort Requirements and Visitor Control • In many government facilities or facilities with strong government ties, foreign nationals are not allowed unescorted access to any site within the facility. Escorted access requires background clearance and onsite identity check • For less secure sites, visitor must have a clear purpose for visit and a confirmed contact within the site. A temporary badge will be given after the visitor sign-in at the security desk CSE 465 & CSE591, Fall 2006

  9. Administrative Controls (cont.) • Site Selection • Visibility • Most data centers are not descriptive. They do not want to advertise what they are and attract undue attention • Locale considerations • Neighborhood, local ordinances and variances, crime rate, hazardous sites nearby, such as landfills, waste dumps, or nuclear reactors, etc. • Natural disasters • Transportation • Airport, highways, railroads, etc.

  10. Physical Security Controls • Perimeter Security Controls • Gates, fences, turnstiles, mantraps • Badging • Photo identification that not only authenticates an individual, but also continues to identify the individual while inside the facility CSE 465 & CSE591, Fall 2006

  11. Physical Security Controls (cont.) • Keys and Combination Locks • Mechanical locks , password locks, electronic locks, etc. • Security Dogs • Well-trained dogs are good at detecting intruders or sniffing out explosives • Lighting • Proper lighting could serve as a deterrent CSE 465 & CSE591, Fall 2006

  12. Technical Controls • Smart card • It carries a semiconductor chip with logic and nonvolatile memory • It can store software that detects unauthorized tampering and intrusions to the chip itself and if detected, can lock or destroy the contents of the chip to prevent disclosure or unauthorized uses • Three major types: contact, contact-less and combinations of the two. CSE 465 & CSE591, Fall 2006

  13. Technical Controls (cont.) • Audit Trails/Access Logs • Physical Intrusion Detection • Metallic foil tape, infrared light beams, motion sensors • Alarm Systems • Systems like ADT that monitors and responds to intrusion alert from a central location CSE 465 & CSE591, Fall 2006

  14. Technical Controls (cont.) [t1-ch11.4, t2-ch12.4] • Biometrics • Use characteristics of a human, such as face, eyes (iris), voice, fingerprints, DNA, hands, signature, and even body temperature. • Using biometrics in conjunction with standard forms of authentication ( such as password, smart card, etc.), security can further be enhanced • Need to balance convenience with security

  15. Environmental/Life-safety Controls • Power • When there is a power-outage, emergency lights and continuing functioning of those electronic gates are needed • Computers will not function without power • Uninterrupted: Uninterrupted Power Service (UPS) and emergency power-off switch • Constant voltage and current: regulator CSE 465 & CSE591, Fall 2006

  16. Environmental/Life-safety Controls(cont.) • Fire\Chemical Detection and Suppression • Targets: Explosions, toxic waste/gases, smoke, fire • Detectors: heat sensor, flame detector, smoke detector • Extinguish systems: water-sprinkler or gas-discharge system • Heating, Ventilation and Air Conditioning • Computers require temperature and humidity control to function correctly • Human that operates systems need a reasonable working environment CSE 465 & CSE591, Fall 2006

More Related