Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson discusses implementing physical protection to protect physical assets. In a company. Methods of protection might include: - Closed circuit television - Guards - Traditional tumbler lock (uses a traditional key) - Electronic lock - Cipher locks - Biometrics - Burglar alarms This unit also discusses environmental controls: - Emergency power shut off - Uninterruptable power supply - Standby generator - Dual power leads - Power transfer system - Heating ventilation and air conditioning (HVAC) - Fire smoke and heat detection [toggle_content title="Transcript"] Alright, so we've been talking about some of our logical and technical controls. Now let's speak a little bit about our physical controls. I like to use the phrase gates, guns and guards, as you already know. These are a good way to visualize the basic requirements for sensitive or critical environments. So we have other things to think about. We have closed-circuit TV. We might have guards that are actually watching that and they need to make judgment calls as far as what activity they consider suspicious. Closed-circuit TV can be used very efficiently and rather inexpensively compared to having people walking around all the time. So it's a good complementary control. We have to think about our different types of locks. A tumbler lock is what you normally associate with sticking in a key and turning it. Those are vulnerable to picking depending on the classification of the lock itself. We have electronic locks, these are something that we would normally associate with perhaps a badge where you have a proximity badge or a swipe badge and the electronic lock lets you into the doorway after it validates your access card. We also have cipher locks. These are sometimes designed with some buttons in a circular pattern or maybe it's a regular keypad similar to what you see on a touch-tone telephone. We also might use bio-metrics. It could be a thumbprint or a palm-print or an iris scan. And then something like a burglar alarm - An older technology, of course, but still valuable in detecting problems. Maybe a door or a window is opened and that triggers an alarm. Or there could be pressure plates in the floor, or infra-red beams that notice that somebody has walked through a doorway. We have to think about environmental controls. One of the more important ones is the emergency power shut-off. This EPO, as it's known, is an important component of your fire code. So it could be that you've got a situation where there's electrical fires starting, or something else is happening, and typically by a doorway you might have the EPO. It should be labelled as 'emergency power shut-off'. It's typically a big red button, so you can run over to it and hit it very quickly. You usually don't have to break glass or anything to get at that. A fire alarm, on the other hand, might be a slightly different scenario. UPS systems are also very important to think about. Especially when there's maybe a powerful storm going on, your power might become intermittent, where there might be spikes or there might be dips. Or the power cuts out all together for some period of time. UPS can provide the battery back-up to keep the systems running until the batteries run out. Sometimes you can pair a generator with the UPS system so that when the UPS is nearing its depletion, the batteries are almost dead, the generator starts up and takes over. And then the generator can run until its fuel supply is exhausted. That could be several days, depending on how big the fuel tank is. It could even be the case that more fuel can be added to keep the systems running on the generator until power gets restored. It's an expensive option, but it might be worthwhile if your organization is critical enough. Other things to think about: dual power. You might have power coming from two different sub-stations. In case the one on this side of town gets disabled through, you know, a natural disaster, or electrical storm, the other one can still provide the power that's needed. Of course you need to have some way to transfer that power to your facility correctly, and there are obvious challenges and technical requirements involved there. We need to think about our HVAC; heating, ventilation and air-conditioning. Typically, we're most concerned with HVAC in the data center or the computer room. 70 degrees, 70% humidity is a pretty typical standard. That keeps the computers cool enough and keeps the air humid enough so that we don't have problems with static electricity. It goes without saying that we want to be able to have effective detection of fire, smoke and heat. If you've got a heat detector that can indicate that a fire is imminent, smoke indicates that a fire is already going on, or just about to begin. So these are important considerations for the safety of the staff and for preserving our electronic assets. A couple of different things to think about, speaking of fire. Some organizations use a wet pipe system. This means that the pipes are filled with water and as soon as the alarm gets triggered the valves open up and the water gets released. This is fine to do in areas where electrical equipment is not a large concern. You typically don't want to put water on electrical fire, for obvious reasons. We also have a dry pipe system. So in this case there's a delay between when the alarm gets triggered and the water gets released. The pipe is dry so it's just filled with pressurized air. It could be that the alarm gets triggered and there's some period of time where it takes to push the air out before the pipes can be filled with water. Once the air is pushed out, the water will then come out, and that also gives a time delay that emergency power cut-off switch can actually be triggered. That might actually be done automatically by the air pushing through the pipes in the expectation that the water will soon follow. It just depends on the requirements of your organization, how it's built and where the pipes are located. If the pipes are in a user or worker staff area and not in the data center, then you might not have as much consideration for emergency power cut-off because you've just got low-power devices like desktop computers and lighting, and so on. Also some organizations use a gas or chemical system. This is preferable in data centers, for instance, because we don't want water to cause further problems when it gets sprayed onto electrical equipment. We also have to think about our wiring. Typically, in a data center, the wiring is underneath a raised floor. Other times the wiring is in the ceiling, so it's raised above the level of the floor so that it can be out of reach if there's a flood or water damage and also it might make it more difficult to be tampered with if it's up in the ceiling running through dedicated trays and conduits. The color coding of the wiring should conform to international standards like the Building Industry Consulting Service International, the BICSI. You might also think about the isolation of that wiring for safety concerns. Even low voltage wiring requirements can still cause hazards. What about storing our media safely? Sometimes tapes, if you're still backing up the tapes, are moved off-site. That way they're in a third-party location which has a climate controlled environment and they have their own physical security to protect your valuable back-up data. Of course there's transportation required. The off-site company will typically show up at your location once a week, or twice a month, to pick up those tapes, put them in a special protective container and then take them to the off-site storage. We need to think about the disposal of that media as well. Sometimes media needs to be disposed of because it's reached its age limit, or the data retention limit. So we can degauss the media, basically wiping its electronic signature of data away, although that's not necessarily a very permanent solution. For instance, deleting files doesn't really delete the files. We just delete the pointers to those files. So if you want to follow other standards for more sensitive data, we might actually have to deal with the destruction of that media. So putting hard-drives or back-up tapes into a shredder, which completely obliterates them, is a more permanent solution where that data will never have a chance to be reconstructed. [/toggle_content]

Video Transcription

00:04
all right, so we've been talking about some of our logical technical controls. Now let's speak a little bit about our physical controls.
00:12
I like to use the phrase gates, guns and guards, as you already know,
00:16
but these are a good way to visualize the basic requirements for sensitive or critical environments.
00:25
So we have other things to think about. We have closed circuit TV. We might have guards that are actually watching that, and they need to make judgment calls as faras What activity they consider a suspicious
00:36
closer Circuit TV can be used very efficiently and
00:41
rather inexpensively compared to having people walking around all the time.
00:45
So it's a good, complimentary control.
00:49
We have to think about our different types of locks.
00:53
Tumbler lock is what you normally associate with sticking in a key and turning it.
00:58
Those are vulnerable to picking,
01:00
depending on the classification of the loch itself.
01:04
We have Elektronik locks.
01:07
These are something that we would normally associate with perhaps a badge or you have a proximity badge or swipe badge, and the electronic lock lets you into the doorway after it validates your access card.
01:23
We also have cipher locks.
01:25
These are sometimes designed with some buttons in a circular pattern. Or maybe it's a regular keypad, similar to what you see on a touch tone telephone.
01:36
We also might use biometrics
01:38
could be a thumbprint or a palm print or an iris scan, and then something like a burglar alarm.
01:45
Older technology, of course, but still valuable in detecting problems. Maybe a door or window is opened, and that triggers an alarm. Or there could be pressure plates in the floor
01:57
or
01:59
infrared beams that noticed that somebody has walked through a doorway. We have to think about environmental controls.
02:06
One of the more important ones is the emergency power Shut off.
02:10
This E P O, as it's known, isn't important
02:14
component of your fire code.
02:16
So it could be that you've got a situation where there's electrical fire starting or something else is happening,
02:23
and typically by a doorway, you might have the e. P o. It should be labeled as emergency power. Shut off. It's typically a big red button so you can run over to it and
02:32
and hit it very quickly.
02:35
You
02:36
usually don't have to break glass or anything to get at that fire alarm On the other hand,
02:40
it might be a little slightly different scenario.
02:45
UPS systems are also very important to think about,
02:49
especially when there's maybe, ah, powerful storm going on. Your power might become intermittent
02:55
where there might be spike so there might be dips or the power cuts out all together for some period of time.
03:01
Ups can provide the battery backup to keep the systems running
03:07
until the batteries
03:08
run out.
03:09
Sometimes you compare a generator with the U. P s system
03:15
so that when the UPS is nearing its depletion, the battery's almost dead. The generator starts up and takes over,
03:23
and then the generator can run until its fuel supply is exhausted.
03:28
That could be several days, depending on how big the fuel tank ISS.
03:34
It could even be the case that more fuel can be added to keep systems running on the generator until power gets restored.
03:40
It's an expensive option, but it might be worthwhile. If you're
03:45
organization is critical. Enough
03:46
other things to think about dual power.
03:51
You might have power coming from two different substations
03:53
in case
03:54
the one on this side of town gets disabled through,
04:00
you know, a natural disaster or electrical storm. The other one can still provide the power that's needed
04:06
Course you need to have some wayto transfer that power to your facility correctly, and there are obvious challenges and technical requirements involved there.
04:17
We need to think about her H back
04:19
heating, ventilation and air conditioning.
04:23
Typically, we're most concerned with
04:26
H back in the data center or the computer room.
04:29
70 degrees, 70% Humidity is a pretty typical standard
04:33
that keeps the computer is cool enough and keeps the air human enough so that we don't have problems with static electricity.
04:42
It goes without saying that we want to be able to have effective detection of fire, smoke and heat
04:48
if you got ah, heat detector that can indicate that a fire is imminent.
04:54
Smoke indicates that it fires is already going on or or just about to begin. So these air important considerations for the safety of the staff
05:02
and for preserving our electronic assets
05:06
a couple different things to think about. Speaking of fire,
05:10
some organizations use a wet pipe system.
05:13
This means that the pipes are filled with water,
05:15
and as soon as the alarm gets triggered, the valves open up and the water gets released.
05:21
This is find to do in areas where electrical equipment is not a large concern.
05:29
You typically don't want to put water on electrical fire for obvious reasons.
05:33
We also have a dry pipe system.
05:36
So in this case there's a delay between when the
05:40
the alarm gets triggered and the water gets released. The pipe is dry, so it's just filled with pressurized air.
05:46
It could be that the longest trigger,
05:49
and there's some period of time where it takes to push the air out before the pipes can be filled with water.
05:59
Once the air is pushed out, the water will then come out.
06:01
And that also gives,
06:03
ah, time delay that emergency power cutoffs, which can actually be triggered,
06:10
that might actually be done automatically by the air, pushing through the pipes in the expectation that the water will soon follow.
06:15
It just depends on the requirements of your organization, how it's built and where the pipes are located.
06:23
If if the pipes airmen, a user,
06:26
our worker staff area and not in the data center,
06:30
then you might not have as much consideration for emergency power cut off because you've just got low power devices like desktop computers and
06:39
and lighting, and so on.
06:42
Also, some organizations use a gas
06:44
or chemical system.
06:46
This is a preferable
06:47
in data centers, for instance, because we don't want water
06:50
to cause further problems
06:53
when it gets sprayed onto electrical equipment. We also have to think about our wiring.
06:59
Typically in a data center, the wiring is underneath a raised floor.
07:02
Other times, the wiring is in
07:05
the ceiling. So it's raised above the the level of the floor so that it could be out of reach if there's a flawed or water damage,
07:15
and also it might make it more difficult to be tampered with. If it's up in the ceiling running through dedicated trays and conduits,
07:24
the color coding of the wiring
07:26
should conform to international standards like the Building Industry Consulting Service International,
07:32
the B. I. C. S. I.
07:35
You might also think about the isolation of that wiring for safety concerns.
07:42
Even low voltage wiring requirements can still cause
07:46
hazards. What about storing our
07:48
media safely?
07:50
Sometimes tapes. If you're still backing up, the tapes are moved off site.
07:56
That way, they're in 1/3 party location, which has a climate controlled environment and their have their own physical security. To protect your valuable backup data
08:05
course, there's transportation required.
08:09
The uh, the offsite company will typically show up at your location once a week or two twice a month. To pick up those tapes, put them in a special protective container and then take them to the offside storage.
08:22
We need to think about the disposal of that media as well.
08:26
Sometimes media needs to be disposed of because it's reached its age limit or the data retention limit.
08:33
So we can just we can
08:35
de Gaulle. Is the media
08:37
basically wiping? It's Elektronik signature of data away,
08:43
although that's not a very
08:43
necessarily a very permanent solution. First, since deleting files doesn't really delete the files, we just delete the pointers to those files.
08:54
So if you want to follow other standards for more sensitive data, we might actually have to deal with the destruction of that media.
09:01
So putting hard drives or backup tapes into a shredder
09:05
which completely obliterates them
09:07
is a more permanent solution where that data will never have a chance to be reconstructed

Up Next

Certified Information System Auditor (CISA)

In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.

Instructed By

Instructor Profile Image
Dean Pompilio
CEO of SteppingStone Solutions
Instructor