Upload
akungbgl4475
View
216
Download
0
Embed Size (px)
Citation preview
8/14/2019 Security System 1 - 02
1/29
#2. PHYSICAL SECURITY
8/14/2019 Security System 1 - 02
2/29
AGENDA
Security Methodology
Physical Security
Introduction
Facility Requirements
Perimeter Security
8/14/2019 Security System 1 - 02
3/29
Security Methodology
Level 0 Physical Security
Level 1 Database Security, Data
Security, Computer Security, Device
Security & Application Security
Level 2 Network Security
Level 3 Information Security
Level 4 - Security
8/14/2019 Security System 1 - 02
4/29
Database, Data, Computer, Device, Application
Physical
Network
Information
Security
Security Methodology
8/14/2019 Security System 1 - 02
5/29
Physical Security
Security is very important to organizations andtheir infrastructures, and physical security is noexception.
Physical security encompasses a different set of
threats, vulnerabilities, and risks than the othertypes of security that have been addressed sofar. Physical security mechanisms include sitedesign and layout, environmental components,emergency response readiness, training, access
control, intrusion detection, and power and fireprotection. Physical security mechanisms protectpeople, data, equipment, systems, facilities, anda long list of company assets.
8/14/2019 Security System 1 - 02
6/29
Physical Security
Physical security of computers and their resources in the1960s and 1970s was not as challenging as it is today,because: computers were mostly mainframes that were locked away in
server rooms, and
only a handful of people knew what to do with them anyway.
Today, there is a computer on almost every desk in everycompany, and access to devices and resources is spreadthroughout the environment.
Companies have several wiring closets and server rooms,and remote and mobile users take computers and
resources out of the facility. Properly protecting these computer systems, networks,
facilities, and employees has become an overwhelmingtask to many companies.
8/14/2019 Security System 1 - 02
7/29
Physical Security
Most people in the information security
field do not think as much aboutphysical
security as they do about computer
security and the associated hackers,ports, viruses, and technology-oriented
security countermeasures. But
information security without properphysical security could be a waste of
time.
8/14/2019 Security System 1 - 02
8/29
Physical Security
Physical security has a different set of
vulnerabilities, threats, and
countermeasures from that of computer
and information security. The set forphysical security has more to do with
physical destruction, intruders,
environmental issues, theft, andvandalism.
8/14/2019 Security System 1 - 02
9/29
Physical Security
When security professionals look atinformation security, they think abouthow someone can enter an environment
in an unauthorized manner through aport, modem, or wireless access point.
When security professionals look atphysical security, they are concerned
with how people can physically enter anenvironment and cause an array ofdamages.
8/14/2019 Security System 1 - 02
10/29
Physical Security
The threats that an organization faces fallinto many different categories: Natural environmental threats
Floods, earthquakes, storms and tornadoes,fires, extreme temperature conditions, and soforth
Supply system threats
Power distribution outages, communications
interruptions, and interruption to other naturalenergy resources such as water, steam, andgas, and so forth
8/14/2019 Security System 1 - 02
11/29
Physical Security
The threats that an organization faces
fall into many different categories: ...
Manmade threats
Unauthorized access (both internal andexternal), explosions, damage by angry
employees, employee errors and accidents,
vandalism, fraud, theft, and so forth
Politically motivated threats
Strikes, riots, civil disobedience, terrorist
attacks and bombings, and so forth
8/14/2019 Security System 1 - 02
12/29
Physical Security
Physical security is the first line ofdefense.
Physical security addresses thephysical protection of the resources of
an organization, which include people,data, facilities, equipment, systems, etc. Itconcerns with people safety, how peoplecan physically enter an environment andhow the environmental issues affectequipment and systems. People safetyalways takes precedence over the othersecurity factors.
8/14/2019 Security System 1 - 02
13/29
Planning Process
Physical security is a combination of people,processes, procedures, and equipment toprotect resources. The design of a solidphysical security program should be
methodical and weigh the objectives of theprogram and the available resources.
Although every organization is different, theapproach to constructing and maintaining a
physical security program is the same. Theorganization must first define thevulnerabilities, threats, threat agents, andtargets.
8/14/2019 Security System 1 - 02
14/29
Planning Process
An organizations physical security program shouldaddress the following goals: Crime and disruption prevention through deterrence
Fences, security guards, warning signs, and so forth
Reduction of damage through the use of delaying
mechanisms Layers of defenses that slow down theadversary, such as locks, security personnel, barriers
Crime or disruption detection Smoke detectors, motiondetectors, CCTV, and so forth
Incident assessment Response of security guards todetected incidents and determination of damage level
Response procedures Fire suppression mechanisms,emergency response processes, law enforcementnotification, consultation with outside securityprofessionals
8/14/2019 Security System 1 - 02
15/29
8/14/2019 Security System 1 - 02
16/29
Planning Process
So, before an effective physical securityprogram can be rolled out, the followingsteps must be taken:1. Identify a team of internal employees and/or
external consultants who will build the physicalsecurity program through the following steps.
2. Carry out a risk analysis to identify thevulnerabilities and threats and calculate thebusiness impact of each threat.
3. Work with management to define an acceptablerisk level of the physical security program.
4. Derive the required performance baselines fromthe acceptable risk level.
8/14/2019 Security System 1 - 02
17/29
Planning Process
5. Create countermeasure performance metrics.
6. Develop criteria from the results of the analysis,outlining the level of protection and performancerequired for the following categories of the securityprogram:
Deterrence Delaying
Detection
Assessment
Response
7. Identify and implement countermeasures for eachprogram category.
8. Continuously evaluate countermeasures against theset baselines to ensure that the acceptable risk levelis not exceeded.
8/14/2019 Security System 1 - 02
18/29
Major Sources
Major sources of physical security
threats are:
1. Weather, e.g. temperature, humidity, water,
flood, wind, snow, lightening, etc.2. Fire and Chemical, e.g. explosion, smoke,
toxic material, industrial pollution, etc.
3. Earth movement, e.g. earthquake,
volcano, slide, etc.
8/14/2019 Security System 1 - 02
19/29
Major Sources
4. Object movement, e.g. building collapse,
falling object, car, truck, plane, etc.
5. Energy, e.g. electricity, magnetism, radio
wave anomalies, etc.6. Equipment, e.g. mechanical or electronic
component failure, etc.
7. Organism, e.gvirus, bacteria, animal,
insect, etc.8. Human, e.g. strike, war, sabotage, etc.
8/14/2019 Security System 1 - 02
20/29
Control Mechanism
There are three major types of control
mechanisms for physical security:
1. Administrative controls, e.g. facility
selection, facility construction andmanagement, personnel control,
evacuation procedure, system shutdown
procedure, fire suppression procedure,
handling procedures for other exceptionssuch as hardware failure, bomb threats,
etc.
8/14/2019 Security System 1 - 02
21/29
Control Mechanism
2. Physical controls, e.g. facilityconstruction material, key and lock, accesscard and reader, fence, lighting, etc.
3. Technical controls, e.g. physical access
control and monitoring system, intrusiondetection and alarm system, fire detectionand suppression system, uninterruptedpower supply, heating / ventilation / air
conditioning system (HVAC), diskmirroring, data backup, etc.
Some physical security controls are requiredby laws, e.g. fire exit door, fire alarm, etc.
8/14/2019 Security System 1 - 02
22/29
8/14/2019 Security System 1 - 02
23/29
Facility Requirement
Factors that should be considered whenselecting a site are: Visibility, e.g. surrounding terrain, markings and
signs, etc.
Local considerations, e.g. crime rate, adjacentneighbors, proximity to police and fire station, etc.
Transportation, e.g. road access and trafficcondition, proximity to airport and train station, etc.
Natural threats, e.g. likelihood of flood, earthquake,
or other natural threats.Depending on the needs of a business, some of theabove concerns may be more important than theothers.
8/14/2019 Security System 1 - 02
24/29
Facility Requirement
A data center should be located:
Not on the top floor (for fire consideration).
Not in the basement (for flooding
consideration). In the core of a building (for providing
protection from natural disasters or bomb
attacks).
Not close to a public area (for security
consideration).
8/14/2019 Security System 1 - 02
25/29
Facility Requirement
When designing and building a facility, the
following items should be considered:
Wall - fire rating (level of fire protection and
combustibility), load (the maximum weight it canhold), floor to ceiling barrier, reinforcement for
secured area.
Partition considerations similar to those of
wall, plus the requirement of extension above
drop ceiling (if there is no extension, an intruder
can lift the ceiling panels and climb above the
partition).
8/14/2019 Security System 1 - 02
26/29
8/14/2019 Security System 1 - 02
27/29
Facility Requirement
When designing and building a facility, thefollowing items should be considered: ... Door fire rating (should be equal to that of the
surrounding walls), emergency marking,
directional opening, resistance from beingforced open, intrusion detection alarm, fail-softvs fail-safe lock (i.elock that is unlocked orlocked in a power outage), placement of doors.
Window characteristics of windows material(opaque, translucent, transparent, shatterproof,bulletproof), intrusion detection alarm,placement of windows.
8/14/2019 Security System 1 - 02
28/29
Facility Requirement
When designing and building a facility, thefollowing items should be considered: ... Ceiling fire rating, load, waterproof (preventing
water leakage from the upper floor), drop ceiling.
Floor fire rating, load, raised floor, electricalgrounding (for raised floor), nonconducting material.
Heating, ventilation, and air conditioning (HVAC) independent power source, positive air pressure(i.e. air will flow out of a room when the door is open,
which can avoid contamination of the room),protected intake vents to prevent tampering,monitoring of environmental condition, emergencypower off, placement of HVAC system.
8/14/2019 Security System 1 - 02
29/29
Facility Requirement
In general, a wall should have 1-hour
fireproof rating. For data center or room
which stores paper document, magnetic
media, etc., the walls should have aminimum of 2-hour fireproof rating.