A11 Physical and Environmental Security

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 11.7
00:04
A11
00:06
physical and environmental security
00:11
In this lesson, we will cover control set A11
00:16
in relation to your ISMS,
00:18
as well as what evidence can be used to support these controls when you are going through your ISO audit.
00:30
Control set A11, physical and environmental security, is made up of two control areas.
00:37
The first control area
00:39
is A11.1, secure areas.
00:45
This is made up of six controls.
00:48
These controls are as follows.
00:52
A11.1.1
00:55
The physical security perimeter,
00:59
A11.1.2
01:03
physical entry controls
01:07
A11.1.3
01:10
securing offices, rooms and facilities,
01:15
A11.1.4
01:19
protecting against external and environmental threats,
01:25
A11.1.5
01:27
working in secure areas
01:30
and A11.1.6
01:34
delivery and loading areas.
01:41
The second control area
01:42
is A11.2
01:46
equipment,
01:47
and this is made up of nine controls.
01:51
These controls are as follows.
01:53
A11.2.1
01:57
equipment siting and protection,
02:01
A11.2.2
02:06
supporting utilities,
02:08
A11.2.3
02:13
cabling security,
02:15
A11.2.4
02:20
equipment maintenance,
02:23
A11.2.5
02:27
removal of assets,
02:30
A11.2.6
02:34
security of equipment and assets off premises,
02:38
A11.2.7
02:43
secure disposal or reuse of equipment,
02:47
A11.2.8
02:52
unattended user equipment,
02:55
and A11.2.9
03:00
clear desk and clear screen policy.
03:07
So some of the evidence here that you can use
03:09
during an audit, whether it be for your ISO 27001 certification or an internal audit,
03:16
as well as any general IT controls audit that you go through.
03:23
So most of the evidence for this control area is either plain to see
03:28
or it is conspicuous by its absence.
03:32
Controls and vulnerabilities can be identified through a physical site inspection or a walk through.
03:39
Even with a physical penetration test of your networks,
03:44
your auditor would want to take a site walk-through
03:49
and examine fences, signs, barriers,
03:53
what your reception area looks like and how
03:55
entry and exit are controlled,
03:59
as well as if your company has any loading bays,
04:02
or warehouses attached to it.
04:08
The auditor may also want to have discussions with your site or security guards and facilities management teams.
04:19
If your organization regularly inspects its physical security arrangements,
04:26
then there would be reports generated from those reviews, diary entries, any incident reports of control breakdowns detected,
04:34
maintenance logs and so forth
04:36
that can all serve as evidence
04:41
and especially evidence of your company proactively reviewing and maintaining its physical security.
04:49
If your security guard control is outsourced,
04:54
contracts as well as any security procedures that you have in place with the company can serve as evidence.
05:01
It is important that these clarify the expected controls
05:06
in terms of patrol logs, shift changes, the requirements of the security guards, and so on.
05:16
It is important, if you have
05:19
visitor books
05:21
where people enter their personal information,
05:26
that these controls also comply with privacy requirements
05:30
and that this information is appropriately classified and protected,
05:34
and once it has reached its end of life or has exceeded its retention period,
05:41
that it is securely disposed of.
05:49
There would also be policies, procedures or notices concerning access to your secure zones.
05:58
For example, visitors must be accompanied at all times.
06:08
Site maps and physical inspections should confirm that IT equipment, storage media,
06:15
computer facilities, your paper or filing cabinets, any archives or storerooms, and video conferencing facilities
06:25
are appropriately sited,
06:27
well bar-coded,
06:28
and installed in adequately secure areas.
06:32
If you have a clean desk policy in place,
06:35
your auditor would want to take a walk through various office areas
06:40
and determine through inspection that this is actually in place.
06:49
Your auditor would also want to view your environmental controls
06:55
such as UPS and generator devices,
06:59
air conditioning,
07:00
fire suppression and alarms, and so on,
07:10
to confirm maintenance activities.
07:13
Evidence such as policies, procedures,
07:15
guidelines and records
07:17
such as your installation inspections, maintenance logs, test reports and fire certificates will help to confirm that maintenance activities are in place
07:29
and are being conducted periodically.
07:35
With regard to the removal of IT equipment and storage media
07:40
from storage or from your organization site.
07:44
There should be sufficient policies, procedures and guidelines as well as records
07:48
to ensure that this is conducted in a secure way and as per your policy.
08:01
You would most likely also have policies, procedures or guidelines
08:07
which specify the protection of information on smartphones, laptops, tablets, USB sticks, portable hard drives, valuable papers,
08:18
knowledge workers, etcetera.
08:22
These should also
08:24
provide information about working off-site and maintaining security,
08:30
such as security in your home, in vehicles,
08:33
and when you are traveling abroad.
08:46
Lastly, any policies, procedures or guidelines for the secure erasure of storage media or the use of strong encryption with appropriate key management
08:56
may include secure archival prior to disposal or reuse.
09:09
In this lesson, we looked at the two control areas that make up control set A11, physical and environmental security.
09:18
We discussed the six
09:20
and nine controls in each control area,
09:26
and we also discussed what types of documentation can be used as evidence during audits
09:33
to demonstrate to the auditors that these controls are in place and have been operating during your audit period under review.