Annually, when reviewing and updating your policies, and as needed.
Of the five protection zones, perhaps the one considered least technical is physical security, and as a result, many technical books gloss over it. And as industry experts generally agree the insider threat is the more prevalent, it makes sense that physical security is your first ring of protection. (Visit the Information Security Protection Matrix.)
Using the matrix referenced above, examine your physical security across the four information security tenets. What measures or countermeasures do you have in place to protect the confidentiality of your systems? Typical approaches include biometric scanners, badges, badge readers, and separate facilities for racks and servers. What measures do you have protecting the integrity of your systems? If you use subcontractors, how is their access limited? What measures do you have protecting the availability of your systems? The most common measure is an uninterruptible power supply (UPS) for at least a graceful shutdown. Theft of any part of the system, damage or technical failure of any system component -- especially a security-related component -- also affects availability of service. What measures do you have protecting the accountability of your systems? Countermeasures can overlap and do double-duty: server rooms with limited recorded access and locked racks help ensure accountability.
Physical security is more than "guns, gates and guards." What does it take to get to your systems? Can people talk their way in? Encourage badges, and challenge both employees and strangers without them. If part of your physical defense perimeter includes badge readers, ensure they record entries and exits.
General facility documentation should include factors like location near towers, flood zones, where you fall in the local power and backup grids, preventive maintenance and unscheduled maintenance provisions. Does your company own the space or rent? Just as you probably have a service agreement with your ISP, so should you have something similar regarding your office and system spaces if you subcontract those services. For example, can you override a false alarm if the fire alarm goes off?
Issues related to power include surge, brownout, outage, interference, eavesdropping and electromagnetic pulse (EMP). For biometrics, for example, what is your backup method of accessing these systems if the power fails? Many security systems fail in a closed mode to prevent compromise. Know how your systems work because if you can't get into your facility to shut down the system gracefully, that UPS won't be useful.
Natural disasters include fire, smoke, earthquake, storm, tornados, flooding and lightning strikes. Temperature extremes are problematic as well; cold equipment brought into a warm room will cause condensation inside the box, possibly damaging components. Prolonged vibration will do the same. Smoke detectors should also be installed in raised flooring and lowered ceilings.
Acts of war and terrorism usually have their own category. And while you're protecting all of these systems, don't forget to physically protect backup data as well.
American Society of Industrial Security (ASIS)
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week: Privacy Impact Assessments
Next week: Wireless -- Less wires, more issues