PHYSICAL AND ENVIRONMENTAL SECURITY
It is generally accepted that, when it comes to protecting information resources from a physical perspective (i.e. where we are protecting tangible assets that one can touch, kick, steal, drop, etc.,), the name of the game has to be about convincing a perpetrator that the cost, time and risk of discovery involved in attempting unauthorised access to information or equipment exceeds the value of the gains thus made.
Physical security is not a modern phenomenon - it exists to deter or prevent unauthorised persons from entering a physical facility or stealing something of perceived value. The safety of personnel should not be overlooked in this respect.
Little has changed over the centuries when it comes to protecting property, with locked doors/chests, armed security guards, booby-traps, etc.
Physical security considerations (at all levels from corporate to personal) should include protection from burglary, theft, vandalism, view and, potentially, terrorism, depending upon your location and what you are into! The very best in software security isn't worth very much if somebody walks off with your computer under their arm!
Additionally, environmental threats include fire, flood, natural disasters and contamination from spilled food/drink.
The following gives a brief overview of some of the options available for physically securing and protecting your equipment and data.
Secure your computer equipment. (Preventive control)
This concept is, obviously, one of the easiest to understand in the world of IT security but achieving this can be daunting. Nevertheless, the fundamental issue is not so much protecting the intrinsic value of the computer but WHAT INFORMATION IS STORED ON THAT COMPUTER OR IS ACCESSIBLE FROM IT?
You can always buy new kit and probably with significantly enhanced performance than the one you had before – OK, the insurance no-claims discount might take a bit of a hit – but loss of a high-performance machine is but little compared to loss of the valued data upon it, or worse, compounded by loss of confidentiality of that data.
Loss of information, especially client information perhaps, can also lead to reputational damage, litigation, data recovery/re-creation costs … you name it.
So, in your risk analysis (if you have one) for protecting information, stack the impact assessment against the data, not the machine.
Having said all that, there are sensible physical protection precautions you can take:
· Keep non-portable devices (PCs, printers) in lockable premises
· Keep portable devices (laptops, smart phones, tablets) always within your protective reach when on the move
· Lock portable equipment away in cupboards overnight – never leave it on view during silent hours.
· If you have precious information on the device, regularly back it up and store the backup media securely
· If possible, remove the hard drive and keep it separate from the device
· Definitely don’t leave USB keys inserted for too long – they’re so small nowadays you may forget they are there
· Use some form of endpoint encryption on your device that prevents data being exported
· If using a token authentication, keep the PC/device and token separately - don’t write the token PIN down and keep it with the token
· Don’t leave computing equipment in a car, locked or not – even if out of sight, this would be a major bonus to what would otherwise be a common car thief!
· Use reliable cable locks where other secure storage is unavailable.
Keep computing equipment away from environmental hazards. (Preventive control)
Computing equipment, especially mobile devices, are not just under threat from malicious intent – they suffer accidents from time to time, just like many of our items of property!
Some of the controls, like taking data backups, removing hard drives, encrypting data, etc. mentioned in the previous item, are also relevant here, but the following is worth mentioning:
· Always transport a laptop in a padded laptop bag or a smaller device (e.g. tablet or smart phone) in its protective casing - both will fare better if they get dropped.
· When travelling in a taxi, especially at night when the back of the cab is dark, or if having a snooze on a train, keep your arm or leg through the strap of your (preferably locked) laptop bag. That way, if it gets snatched, at least you’ll be snatched with it … and you’re less likely to leave it on the taxi by mistake. (It does happen!)
· Keep drinks well away from your device.
· If you use a server room, ensure the most appropriate fire prevention/detection systems are deployed – water-based sprinklers may save the building but will do no favours to computing equipment or associated media.
Audible alarms. (Deterrent control)
Audible devices can be fitted to your computer casing (above), either on the inside or outside, which, when disturbed will emit a loud siren that will alert anybody within earshot that something is being stolen. It will not prevent the theft but should deter (or at least embarrass) the miscreant.
The downside to these is that, in the writer’s view, they can sound off spontaneously as false alarms, which can result at best in irritation or at worst ignoring it and taking no action.
Marking systems. (Detective control)
Computer equipment that is indelibly (and possibly invisibly) marked with appropriate detail, such as a postcode, is fairly easy and cheap. The marking can be performed in various ways - in the form of metallic tabs that are fixed with a strong epoxy adhesive, by an etching compound or simply by using a UV marking pen.
Associated with this, you should keep a separate record of the equipment manufacturer’s serial number.
Disk drive and USB port locks. (Preventive control)
To protect your drives from misuse there are a wide range of hardware solutions that will prevent them being used at all without a key. Some are stronger than others, and some of them have pathetic locks that can be forced easily with a paperclip, but if you choose a good one it can be extremely effective.
Clear desk and screen policy (Preventive control)
A clear desk ensures that when you’re not at your desk (especially out of working hours) sensitive hard copy documents are properly locked and secured against unauthorised access or copying. The threats vary from the everyday (e.g. viewing/removal by third parties, such as cleaning contractors) to the dramatic (e.g. explosion, blowing the windows out and distributing paperwork all over the district).
Although not a physical control, closely associated with this concept is the use of screen saver passwords – always, even when at home, use a timeout based upon a short period of keyboard inactivity – and be sure to position your monitor in such a way as to prevent casual viewing or “shoulder surfing”.
When leaving your desk for a short period, allow yourself time to exit from and/or lock down any sensitive work you may be doing in case “unauthorised” people approach your work area during your absence.
Remember, also, when leaving meeting rooms, to clear white boards of any information that should not be disclosed to unauthorised viewers.
Premises security (Preventive & detective control)
Premises security can be as complex or simple, expensive or economical as you like and quite often the effectiveness can be indistinguishable from each other.
So, let’s start with “simple” and “economical” controls:
· Locks on doors and windows (with keys under suitable control)
· Identity badges to be worn at all times
· Visitors to be hosted, accompanied at all times … well, nearly all times … and checked in and out of the premises
· Keep a visitor’s book with details of name, date, who is being visited (or who is hosting), time in/out and, if appropriate, vehicle registration. (NB. A visitor’s book can also be critical in the event of an emergency evacuation to ensure all people on the premises are accounted for)
· Educate staff about premises security – no “tailgating”; challenging strangers, etc – and explain the rationale behind these rules, e.g. it may be for their own safety.
More sophisticated (which usually means more expensive) premises protection can also be achieved with:
· Electronic badge recognition systems which open doors and record who has been where … but be sure not to set the badge reader sensitivity so high that it activates simply when a badge wearer walks past!
· “Data lock” devices requiring input of a PIN code – but codes do need to be periodically changed to remain effective
· CCTV – securely retain a reasonable cycle of tapes, such as up to 2 weeks
· Motion sensors activating alarms or lights
· Laser beam barriers internally or at the perimeter
It is generally accepted that, when it comes to protecting information resources from a physical perspective (i.e. where we are protecting tangible assets that one can touch, kick, steal, drop, etc.,), the name of the game has to be about convincing a perpetrator that the cost, time and risk of discovery involved in attempting unauthorised access to information or equipment exceeds the value of the gains thus made.
Physical security is not a modern phenomenon - it exists to deter or prevent unauthorised persons from entering a physical facility or stealing something of perceived value. The safety of personnel should not be overlooked in this respect.
Little has changed over the centuries when it comes to protecting property, with locked doors/chests, armed security guards, booby-traps, etc.
Physical security considerations (at all levels from corporate to personal) should include protection from burglary, theft, vandalism, view and, potentially, terrorism, depending upon your location and what you are into! The very best in software security isn't worth very much if somebody walks off with your computer under their arm!
Additionally, environmental threats include fire, flood, natural disasters and contamination from spilled food/drink.
The following gives a brief overview of some of the options available for physically securing and protecting your equipment and data.
Secure your computer equipment. (Preventive control)
This concept is, obviously, one of the easiest to understand in the world of IT security but achieving this can be daunting. Nevertheless, the fundamental issue is not so much protecting the intrinsic value of the computer but WHAT INFORMATION IS STORED ON THAT COMPUTER OR IS ACCESSIBLE FROM IT?
You can always buy new kit and probably with significantly enhanced performance than the one you had before – OK, the insurance no-claims discount might take a bit of a hit – but loss of a high-performance machine is but little compared to loss of the valued data upon it, or worse, compounded by loss of confidentiality of that data.
Loss of information, especially client information perhaps, can also lead to reputational damage, litigation, data recovery/re-creation costs … you name it.
So, in your risk analysis (if you have one) for protecting information, stack the impact assessment against the data, not the machine.
Having said all that, there are sensible physical protection precautions you can take:
· Keep non-portable devices (PCs, printers) in lockable premises
· Keep portable devices (laptops, smart phones, tablets) always within your protective reach when on the move
· Lock portable equipment away in cupboards overnight – never leave it on view during silent hours.
· If you have precious information on the device, regularly back it up and store the backup media securely
· If possible, remove the hard drive and keep it separate from the device
· Definitely don’t leave USB keys inserted for too long – they’re so small nowadays you may forget they are there
· Use some form of endpoint encryption on your device that prevents data being exported
· If using a token authentication, keep the PC/device and token separately - don’t write the token PIN down and keep it with the token
· Don’t leave computing equipment in a car, locked or not – even if out of sight, this would be a major bonus to what would otherwise be a common car thief!
· Use reliable cable locks where other secure storage is unavailable.
Keep computing equipment away from environmental hazards. (Preventive control)
Computing equipment, especially mobile devices, are not just under threat from malicious intent – they suffer accidents from time to time, just like many of our items of property!
Some of the controls, like taking data backups, removing hard drives, encrypting data, etc. mentioned in the previous item, are also relevant here, but the following is worth mentioning:
· Always transport a laptop in a padded laptop bag or a smaller device (e.g. tablet or smart phone) in its protective casing - both will fare better if they get dropped.
· When travelling in a taxi, especially at night when the back of the cab is dark, or if having a snooze on a train, keep your arm or leg through the strap of your (preferably locked) laptop bag. That way, if it gets snatched, at least you’ll be snatched with it … and you’re less likely to leave it on the taxi by mistake. (It does happen!)
· Keep drinks well away from your device.
· If you use a server room, ensure the most appropriate fire prevention/detection systems are deployed – water-based sprinklers may save the building but will do no favours to computing equipment or associated media.
Audible alarms. (Deterrent control)
Audible devices can be fitted to your computer casing (above), either on the inside or outside, which, when disturbed will emit a loud siren that will alert anybody within earshot that something is being stolen. It will not prevent the theft but should deter (or at least embarrass) the miscreant.
The downside to these is that, in the writer’s view, they can sound off spontaneously as false alarms, which can result at best in irritation or at worst ignoring it and taking no action.
Marking systems. (Detective control)
Computer equipment that is indelibly (and possibly invisibly) marked with appropriate detail, such as a postcode, is fairly easy and cheap. The marking can be performed in various ways - in the form of metallic tabs that are fixed with a strong epoxy adhesive, by an etching compound or simply by using a UV marking pen.
Associated with this, you should keep a separate record of the equipment manufacturer’s serial number.
Disk drive and USB port locks. (Preventive control)
To protect your drives from misuse there are a wide range of hardware solutions that will prevent them being used at all without a key. Some are stronger than others, and some of them have pathetic locks that can be forced easily with a paperclip, but if you choose a good one it can be extremely effective.
Clear desk and screen policy (Preventive control)
A clear desk ensures that when you’re not at your desk (especially out of working hours) sensitive hard copy documents are properly locked and secured against unauthorised access or copying. The threats vary from the everyday (e.g. viewing/removal by third parties, such as cleaning contractors) to the dramatic (e.g. explosion, blowing the windows out and distributing paperwork all over the district).
Although not a physical control, closely associated with this concept is the use of screen saver passwords – always, even when at home, use a timeout based upon a short period of keyboard inactivity – and be sure to position your monitor in such a way as to prevent casual viewing or “shoulder surfing”.
When leaving your desk for a short period, allow yourself time to exit from and/or lock down any sensitive work you may be doing in case “unauthorised” people approach your work area during your absence.
Remember, also, when leaving meeting rooms, to clear white boards of any information that should not be disclosed to unauthorised viewers.
Premises security (Preventive & detective control)
Premises security can be as complex or simple, expensive or economical as you like and quite often the effectiveness can be indistinguishable from each other.
So, let’s start with “simple” and “economical” controls:
· Locks on doors and windows (with keys under suitable control)
· Identity badges to be worn at all times
· Visitors to be hosted, accompanied at all times … well, nearly all times … and checked in and out of the premises
· Keep a visitor’s book with details of name, date, who is being visited (or who is hosting), time in/out and, if appropriate, vehicle registration. (NB. A visitor’s book can also be critical in the event of an emergency evacuation to ensure all people on the premises are accounted for)
· Educate staff about premises security – no “tailgating”; challenging strangers, etc – and explain the rationale behind these rules, e.g. it may be for their own safety.
More sophisticated (which usually means more expensive) premises protection can also be achieved with:
· Electronic badge recognition systems which open doors and record who has been where … but be sure not to set the badge reader sensitivity so high that it activates simply when a badge wearer walks past!
· “Data lock” devices requiring input of a PIN code – but codes do need to be periodically changed to remain effective
· CCTV – securely retain a reasonable cycle of tapes, such as up to 2 weeks
· Motion sensors activating alarms or lights
· Laser beam barriers internally or at the perimeter
No comments:
Post a Comment