Security System 1 - 02

8/14/2019 Security System 1 - 02

1/29

#2. PHYSICAL SECURITY


2/29

AGENDA

Security Methodology

Physical Security

Introduction

Facility Requirements

Perimeter Security


3/29


Level 0 Physical Security

Level 1 Database Security, Data

Security, Computer Security, Device

Security & Application Security

Level 2 Network Security

Level 3 Information Security

Level 4 - Security


4/29

Database, Data, Computer, Device, Application

Physical

Network

Information

Security



5/29

Physical Security

Security is very important to organizations andtheir infrastructures, and physical security is noexception.

Physical security encompasses a different set of

threats, vulnerabilities, and risks than the othertypes of security that have been addressed sofar. Physical security mechanisms include sitedesign and layout, environmental components,emergency response readiness, training, access

control, intrusion detection, and power and fireprotection. Physical security mechanisms protectpeople, data, equipment, systems, facilities, anda long list of company assets.


6/29

Physical Security

Physical security of computers and their resources in the1960s and 1970s was not as challenging as it is today,because: computers were mostly mainframes that were locked away in

server rooms, and

only a handful of people knew what to do with them anyway.

Today, there is a computer on almost every desk in everycompany, and access to devices and resources is spreadthroughout the environment.

Companies have several wiring closets and server rooms,and remote and mobile users take computers and

resources out of the facility. Properly protecting these computer systems, networks,

facilities, and employees has become an overwhelmingtask to many companies.


7/29

Physical Security

Most people in the information security

field do not think as much aboutphysical

security as they do about computer

security and the associated hackers,ports, viruses, and technology-oriented

security countermeasures. But

information security without properphysical security could be a waste of

time.


8/29

Physical Security

Physical security has a different set of

vulnerabilities, threats, and

countermeasures from that of computer

and information security. The set forphysical security has more to do with

physical destruction, intruders,

environmental issues, theft, andvandalism.


9/29

Physical Security

When security professionals look atinformation security, they think abouthow someone can enter an environment

in an unauthorized manner through aport, modem, or wireless access point.

When security professionals look atphysical security, they are concerned

with how people can physically enter anenvironment and cause an array ofdamages.


10/29

Physical Security

The threats that an organization faces fallinto many different categories: Natural environmental threats

Floods, earthquakes, storms and tornadoes,fires, extreme temperature conditions, and soforth

Supply system threats

Power distribution outages, communications

interruptions, and interruption to other naturalenergy resources such as water, steam, andgas, and so forth


11/29

Physical Security

The threats that an organization faces

fall into many different categories: ...

Manmade threats

Unauthorized access (both internal andexternal), explosions, damage by angry

employees, employee errors and accidents,

vandalism, fraud, theft, and so forth

Politically motivated threats

Strikes, riots, civil disobedience, terrorist

attacks and bombings, and so forth


12/29

Physical Security

Physical security is the first line ofdefense.

Physical security addresses thephysical protection of the resources of

an organization, which include people,data, facilities, equipment, systems, etc. Itconcerns with people safety, how peoplecan physically enter an environment andhow the environmental issues affectequipment and systems. People safetyalways takes precedence over the othersecurity factors.


13/29

Planning Process

Physical security is a combination of people,processes, procedures, and equipment toprotect resources. The design of a solidphysical security program should be

methodical and weigh the objectives of theprogram and the available resources.

Although every organization is different, theapproach to constructing and maintaining a

physical security program is the same. Theorganization must first define thevulnerabilities, threats, threat agents, andtargets.


14/29

Planning Process

An organizations physical security program shouldaddress the following goals: Crime and disruption prevention through deterrence

Fences, security guards, warning signs, and so forth

Reduction of damage through the use of delaying

mechanisms Layers of defenses that slow down theadversary, such as locks, security personnel, barriers

Crime or disruption detection Smoke detectors, motiondetectors, CCTV, and so forth

Incident assessment Response of security guards todetected incidents and determination of damage level

Response procedures Fire suppression mechanisms,emergency response processes, law enforcementnotification, consultation with outside securityprofessionals


15/29


16/29

Planning Process

So, before an effective physical securityprogram can be rolled out, the followingsteps must be taken:1. Identify a team of internal employees and/or

external consultants who will build the physicalsecurity program through the following steps.

2. Carry out a risk analysis to identify thevulnerabilities and threats and calculate thebusiness impact of each threat.

3. Work with management to define an acceptablerisk level of the physical security program.

4. Derive the required performance baselines fromthe acceptable risk level.


17/29

Planning Process

5. Create countermeasure performance metrics.

6. Develop criteria from the results of the analysis,outlining the level of protection and performancerequired for the following categories of the securityprogram:

Deterrence Delaying

Detection

Assessment

Response

7. Identify and implement countermeasures for eachprogram category.

8. Continuously evaluate countermeasures against theset baselines to ensure that the acceptable risk levelis not exceeded.


18/29

Major Sources

Major sources of physical security

threats are:

1. Weather, e.g. temperature, humidity, water,

flood, wind, snow, lightening, etc.2. Fire and Chemical, e.g. explosion, smoke,

toxic material, industrial pollution, etc.

3. Earth movement, e.g. earthquake,

volcano, slide, etc.


19/29

Major Sources

4. Object movement, e.g. building collapse,

falling object, car, truck, plane, etc.

5. Energy, e.g. electricity, magnetism, radio

wave anomalies, etc.6. Equipment, e.g. mechanical or electronic

component failure, etc.

7. Organism, e.gvirus, bacteria, animal,

insect, etc.8. Human, e.g. strike, war, sabotage, etc.


20/29

Control Mechanism

There are three major types of control

mechanisms for physical security:

1. Administrative controls, e.g. facility

selection, facility construction andmanagement, personnel control,

evacuation procedure, system shutdown

procedure, fire suppression procedure,

handling procedures for other exceptionssuch as hardware failure, bomb threats,

etc.


21/29

Control Mechanism

2. Physical controls, e.g. facilityconstruction material, key and lock, accesscard and reader, fence, lighting, etc.

3. Technical controls, e.g. physical access

control and monitoring system, intrusiondetection and alarm system, fire detectionand suppression system, uninterruptedpower supply, heating / ventilation / air

conditioning system (HVAC), diskmirroring, data backup, etc.

Some physical security controls are requiredby laws, e.g. fire exit door, fire alarm, etc.


22/29


23/29

Facility Requirement

Factors that should be considered whenselecting a site are: Visibility, e.g. surrounding terrain, markings and

signs, etc.

Local considerations, e.g. crime rate, adjacentneighbors, proximity to police and fire station, etc.

Transportation, e.g. road access and trafficcondition, proximity to airport and train station, etc.

Natural threats, e.g. likelihood of flood, earthquake,

or other natural threats.Depending on the needs of a business, some of theabove concerns may be more important than theothers.


24/29


A data center should be located:

Not on the top floor (for fire consideration).

Not in the basement (for flooding

consideration). In the core of a building (for providing

protection from natural disasters or bomb

attacks).

Not close to a public area (for security

consideration).


25/29


When designing and building a facility, the

following items should be considered:

Wall - fire rating (level of fire protection and

combustibility), load (the maximum weight it canhold), floor to ceiling barrier, reinforcement for

secured area.

Partition considerations similar to those of

wall, plus the requirement of extension above

drop ceiling (if there is no extension, an intruder

can lift the ceiling panels and climb above the

partition).


26/29


27/29


When designing and building a facility, thefollowing items should be considered: ... Door fire rating (should be equal to that of the

surrounding walls), emergency marking,

directional opening, resistance from beingforced open, intrusion detection alarm, fail-softvs fail-safe lock (i.elock that is unlocked orlocked in a power outage), placement of doors.

Window characteristics of windows material(opaque, translucent, transparent, shatterproof,bulletproof), intrusion detection alarm,placement of windows.


28/29


When designing and building a facility, thefollowing items should be considered: ... Ceiling fire rating, load, waterproof (preventing

water leakage from the upper floor), drop ceiling.

Floor fire rating, load, raised floor, electricalgrounding (for raised floor), nonconducting material.

Heating, ventilation, and air conditioning (HVAC) independent power source, positive air pressure(i.e. air will flow out of a room when the door is open,

which can avoid contamination of the room),protected intake vents to prevent tampering,monitoring of environmental condition, emergencypower off, placement of HVAC system.


29/29


In general, a wall should have 1-hour

fireproof rating. For data center or room

which stores paper document, magnetic

media, etc., the walls should have aminimum of 2-hour fireproof rating.

Documents

Security System 1 - 02