More about physical security

In my last tip, I mentioned some of the concerns related to physical security, which might be loosely defined as the kinds of controls an organization might impose over access to its premises, its networking infrastructure, its systems and equipment rooms, and other areas where sensitive information or assets might reside. That tip generated a fair amount of e-mail, partly to remind me of other aspects of physical security also worthy of mention. Others asked how they can learn more about this surprisingly difficult and interesting topic.

Looking at physical security invariably involves multiple topics and concerns:

• General access to an organization's premises: Often this represents the first level of physical security, where it's not uncommon for personnel to either display (or scan) valid ID to gain entry, and where guests or visitors must register at an entry location, given a temporary badge or ID, and perhaps even be escorted while on the organization's premises.
• Increasing levels of access control: Because security badges, smart cards or other electronic forms of identification that personnel carry can be scanned repeatedly, additional access controls can be erected around server or equipment rooms, test labs or other areas where sensitive or proprietary information or assets are used or stored.
• Just as electronic intrusion-detection systems can look for odd or abnormal patterns of access or use, so can physical security-monitoring systems. This is essential in situations when valid IDs are being misused, either by their owners or by someone else who's gained possession of those credentials.
• Physical security also involves careful premises planning so that locked or isolated areas still comply with fire and emergency exit requirements. Often, this involves the use of "crash doors" to allow insiders easy exit in emergency situations; sometimes, it involves considerable extra expense for additional fire prevention and emergency exit provisions.
• Video and other electronic forms of surveillance, or multi-factor authentication systems, are essential to verify that proofs of identity offered by individuals who access sensitive areas are indeed the people they purport to be. Several e-mailers reminded me that highly sensitive areas are routinely subject to video surveillance as well as other forms of monitoring, just to keep things as much under control as possible.
• Use of physical demilitarized zones, patrolled no-access zones and other kinds of well-understood physical barriers is perhaps most associated with prisons or other maximum security facilities where those inside must be kept there. But the same principles work when the contents of the "inner keep" are extremely valuable or sensitive, and unauthorized outsiders need to be kept out.

My point is that any savvy system wizard who can gain physical access to a computer can take that machine over in less than half an hour under most circumstances. This helps to explain why physical security -- or managing control over the space where systems and other key aspects of IT infrastructure reside in the real world -- is such an important component of a well-designed and -executed security policy. If you don't maintain physical security in the real world, any and all safeguards you erect in the virtual world may be meaningless.

There are also a surprising number of opportunities for those interested in working in the area of physical security, both in the private and public sectors. Interested professionals should consult the American Society of Industrial Security's Web site at www.asisonline.org to learn more about that organization's Physical Security Professional (PSP) certification. In addition to requiring five years of relevant on-the-job experience with physical security, the organization has mapped out a comprehensive set of examination requirements that cover the subject matter both thoroughly and well. ASIS reports strong interest in the PSP, which makes its debut at the organization's annual conference in New Orleans Sept. 15-18, 2003. Please visit www.asisonline.org/certification/pspabout.xml for more details.

Please feel free to e-mail me with feedback, comments or questions at etittel@lanw.com.

About the author
Ed Tittel is a principal at a content development division based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CompTIA and security topics, including Security+, CISSP and TICSA.

• Security Policies Tip: Policy for the real world: Physical security
• Tech Tip: Physically secure your backups
• News & Analysis: Converging worlds: IT and traditional security