This lesson discusses implementing physical protection to protect physical assets in a company. Methods of protection might include:

- Closed circuit television
- Guards
- Traditional tumbler lock (uses a traditional key)
- Electronic lock
- Cipher locks
- Biometrics
- Burglar alarms

This unit also discusses environmental controls:

- Emergency power shut off
- Uninterruptible power supply
- Standby generator
- Dual power leads
- Power transfer system
- Heating, ventilation and air conditioning (HVAC)
- Fire, smoke and heat detection

[toggle_content title="Transcript"]
Alright, so we've been talking about some of our logical and technical controls. Now let's speak a little bit about our physical controls. I like to use the phrase gates, guns and guards, as you already know. These are a good way to visualize the basic requirements for sensitive or critical environments. So we have other things to think about.

We have closed-circuit TV. We might have guards that are actually watching that and they need to make judgment calls as far as what activity they consider suspicious. Closed-circuit TV can be used very efficiently and rather inexpensively compared to having people walking around all the time. So it's a good complementary control.

We have to think about our different types of locks. A tumbler lock is what you normally associate with sticking in a key and turning it. Those are vulnerable to picking depending on the classification of the lock itself. We have electronic locks, these are something that we would normally associate with perhaps a badge where you have a proximity badge or a swipe badge and the electronic lock lets you into the doorway after it validates your access card. We also have cipher locks. These are sometimes designed with some buttons in a circular pattern or maybe it's a regular keypad similar to what you see on a touch-tone telephone. We also might use biometrics. It could be a thumbprint or a palm-print or an iris scan.
And then something like a burglar alarm: an older technology, of course, but still valuable in detecting problems. Maybe a door or a window is opened and that triggers an alarm. Or there could be pressure plates in the floor, or infra-red beams that notice that somebody has walked through a doorway.

We have to think about environmental controls. One of the more important ones is the emergency power shut-off. This EPO, as it's known, is an important component of your fire code. So it could be that you've got a situation where there are electrical fires starting, or something else is happening, and typically by a doorway you might have the EPO. It should be labelled as 'emergency power shut-off'. It's typically a big red button, so you can run over to it and hit it very quickly. You usually don't have to break glass or anything to get at that. A fire alarm, on the other hand, might be a slightly different scenario.

UPS systems are also very important to think about. Especially when there's maybe a powerful storm going on, your power might become intermittent, where there might be spikes or there might be dips. Or the power cuts out altogether for some period of time. UPS can provide the battery back-up to keep the systems running until the batteries run out. Sometimes you can pair a generator with the UPS system so that when the UPS is nearing its depletion, the batteries are almost dead, the generator starts up and takes over. And then the generator can run until its fuel supply is exhausted. That could be several days, depending on how big the fuel tank is. It could even be the case that more fuel can be added to keep the systems running on the generator until power gets restored. It's an expensive option, but it might be worthwhile if your organization is critical enough.

Other things to think about: dual power. You might have power coming from two different sub-stations.
In case the one on this side of town gets disabled through, you know, a natural disaster, or electrical storm, the other one can still provide the power that's needed. Of course you need to have some way to transfer that power to your facility correctly, and there are obvious challenges and technical requirements involved there.

We need to think about our HVAC: heating, ventilation and air-conditioning. Typically, we're most concerned with HVAC in the data center or the computer room. 70 degrees, 70% humidity is a pretty typical standard. That keeps the computers cool enough and keeps the air humid enough so that we don't have problems with static electricity.

It goes without saying that we want to be able to have effective detection of fire, smoke and heat. If you've got a heat detector that can indicate that a fire is imminent, smoke indicates that a fire is already going on, or just about to begin. So these are important considerations for the safety of the staff and for preserving our electronic assets.

A couple of different things to think about, speaking of fire. Some organizations use a wet pipe system. This means that the pipes are filled with water and as soon as the alarm gets triggered the valves open up and the water gets released. This is fine to do in areas where electrical equipment is not a large concern. You typically don't want to put water on electrical fire, for obvious reasons.

We also have a dry pipe system. So in this case there's a delay between when the alarm gets triggered and the water gets released. The pipe is dry so it's just filled with pressurized air. It could be that the alarm gets triggered and there's some period of time where it takes to push the air out before the pipes can be filled with water. Once the air is pushed out, the water will then come out, and that also gives a time delay in which the emergency power cut-off switch can actually be triggered.
That might actually be done automatically by the air pushing through the pipes in the expectation that the water will soon follow. It just depends on the requirements of your organization, how it's built and where the pipes are located. If the pipes are in a user or worker staff area and not in the data center, then you might not have as much consideration for emergency power cut-off because you've just got low-power devices like desktop computers and lighting, and so on.

Also some organizations use a gas or chemical system. This is preferable in data centers, for instance, because we don't want water to cause further problems when it gets sprayed onto electrical equipment.

We also have to think about our wiring. Typically, in a data center, the wiring is underneath a raised floor. Other times the wiring is in the ceiling, so it's raised above the level of the floor so that it can be out of reach if there's a flood or water damage and also it might make it more difficult to be tampered with if it's up in the ceiling running through dedicated trays and conduits. The color coding of the wiring should conform to international standards like the Building Industry Consulting Service International, the BICSI. You might also think about the isolation of that wiring for safety concerns. Even low voltage wiring requirements can still cause hazards.

What about storing our media safely? Sometimes tapes, if you're still backing up the tapes, are moved off-site. That way they're in a third-party location which has a climate controlled environment and they have their own physical security to protect your valuable back-up data. Of course there's transportation required. The off-site company will typically show up at your location once a week, or twice a month, to pick up those tapes, put them in a special protective container and then take them to the off-site storage.

We need to think about the disposal of that media as well.
Sometimes media needs to be disposed of because it's reached its age limit, or the data retention limit. So we can degauss the media, basically wiping its electronic signature of data away, although that's not necessarily a very permanent solution. For instance, deleting files doesn't really delete the files. We just delete the pointers to those files. So if you want to follow other standards for more sensitive data, we might actually have to deal with the destruction of that media. So putting hard-drives or back-up tapes into a shredder, which completely obliterates them, is a more permanent solution where that data will never have a chance to be reconstructed. [/toggle_content]
Certified Information System Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.