1 / 19

Site Security Policy Case

Site Security Policy Case. 01/19/2007 95-841: Information Assurance Policy Douglas Hines, Jr. Overview. Goals What do we need to protect What are the risks and threats Develop Policy. Goals. Site Selection Handling of visitors How buildings or facilities are accessed

andren
Download Presentation

Site Security Policy Case

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Site Security Policy Case 01/19/2007 95-841: Information Assurance Policy Douglas Hines, Jr.

  2. Overview • Goals • What do we need to protect • What are the risks and threats • Develop Policy

  3. Goals • Site Selection • Handling of visitors • How buildings or facilities are accessed • Review physical access points to the network • Review what hardware and media can enter or exit the facility • How communication will occur

  4. What do we need to protect • Access to secure areas • Private meetings • Voting stations • The building itself • Critical personnel • Communications

  5. Control Volume of Facility OUT IN • Employees • Local Organizers • Contractors • Venue owners • National Organization • Sponsors • Media • Cameras • Law enforcement • Malicious people • Information (CD, network, memory sticks) • Vehicles • Weather (snow, sleet, ice) • Employees • Local Organizers • Contractors • Venue owners • National Organization • Sponsors • Media • Cameras • Law enforcement • Malicious people • Information (CD, network, memory sticks) • Vehicles Sensitive information from meetings, Equipment, People, Buildings, Hardware, Information- on paper, Network, Servers

  6. Risks • Information Leaks • Loss of privacy to key people • Violent Protestors • Extreme Weather (Fire, Floods, Earthquakes)

  7. Site Selection • Needs a committee that should consist of • Event Planners • City officials • Security Professionals • Site must meet certain standards • The external threats should be limited

  8. Site Selection • “To ensure that the site used for the Event fits the functionality and needed security criteria, the Selection Committee decides on an appropriate location for the Event.” • “Members of the Selection Committee must include a member of the Event planning committee, a city official, and a security professional.”

  9. Access to facility • People must be registered with the Event’s system • The access should be authenticated by keycard without any way for people to tailgate • Attempts should be logged

  10. Access to individual rooms Rooms that need to be private • Private meeting rooms • Voting rooms • Computer rooms • Data Center

  11. Access to individual rooms “Upon registering with the Event, you will receive a badge and a note showing which rooms you have access to. The badge will grant access to those rooms listed only. All entry attempts will be logged.” • Real World Example • “At a minimum, computer facilities should be designated as a controlled area. A computer facility shall be designated as a restricted area in which access into the facility is limited to personnel who are assigned there or who are authorized access by the facility manager.” (US Department of Commerce)

  12. ID Badges • Identifies people who should have access to facilities and rooms • Distinguishes between the types of parties involved • Allows guards to remove those who don’t have certain privileges • Another layer in site security • What happens when a badge is lost

  13. ID Badges • “The ID Badge allows access to the main entrance of the site. Any employer, contractor, or associate of The Event with access into the site, with the exception of law enforcement, must wear the appropriate Event badge around the neck while on the site. People not wearing the badge won’t be allowed on the site or removed if on the site previously. This is to spot and remove people who have entered the facility without having the necessary privileges. The badge also provides access into the facility and designated rooms.” • “The badges are color coded based on the type of party the user is identified with. Red represents media. Blue represents the contractors and vendors. Yellow represents the National Organization...” • “Each person within a departmental facility, regardless of position, shall be subject to challenge by another employee, security guard or any law enforcement officer, and shall display appropriate identification when challenged. Failure to do so may result in removal from the facility or other administrative action.”

  14. Missing Badge? • “Personnel should immediately report missing badges to the issuing office. The servicing security officer should conduct a security evaluation to determine if it is necessary to disable or activate certain badges.”

  15. Devices allowed/denied • In the case of private meetings, we don’t want people to have the ability to record what is going on. • Will cause loss of privacy. • People checked before entering these certain private meetings. • “To maintain the privacy of the meetings in the Event, no recording device shall be allowed to enter the private meeting rooms. Security guards at the entrance of these rooms will conduct a screening with a metal detector for any person seeking entry. If any recording device is found, the person may not enter the room.”

  16. Visitors • There should be no need for visitors through the duration of The Event • All parties that use the facility should fall under a certain category and should be in the system • “No visitors in the facility are permitted”

  17. Communication • Security staff or law enforcement needs to be updated of known threats • Minimize circulation of information regarding activities • Critical information secured inside facility

  18. Communication • Uncertainty • “Personnel should report to security guards if any staff witnesses suspicious activity in the facility ” • Security breach • “In the event of a security breach, managers must notify top-level management.”

  19. Conclusion • Site Policy compliments physical security • 1st layer of protection • Questions?

More Related