1 hour 27 minutes
Domain 12 brings us to physical protection: physical protection of the facility, of the systems, and of the surroundings where we store or house CUI data. Very, very important. So we have a couple of basic security requirements.

Limit physical access to the information systems, the equipment, and the operating environments, and make sure that's limited to authorized individuals. Well, how do we do that? Well, that's where the derived security requirements are going to come in. But basically, what this is saying is: make sure that for anybody who has access to the systems, the data, or the surroundings, that physical access is going to be controlled.
We're also going to protect and monitor all physical access to the facility and the supporting infrastructure of the system. So the way that's going to come about is we're going to make sure that visitors don't come and go freely. We're going to have them escorted. We're going to monitor what our visitors do. You know, you'll go into a protected facility, and often you have to have a sponsor there at the organization. You provide them with your driver's license, they give you a visitor's badge, and you're escorted to and from depending on, you know, your credentials and your criteria, but ultimately it comes down to: let's protect the physical building. So first and foremost, we've got to think about visitors. If we've allowed them access to a building, they should be escorted.
All right. Maintain audit logs of physical access. Who comes in the building? You know, for our employees that have smart card access, that's automatically keeping track. You've got to watch for things like piggybacking. You know, people will often follow someone else in on the card swipe. So we need a security guard who's monitoring that.

One of the things I've noticed at a lot of facilities is I sign in to come into the building, but I never get asked to sign out. You know, if you're going to care that I came in, you want to make sure that I leave as well. So we really need to strengthen those procedures on both ends. All right. My audit log should show: here's what time Kelly Handerhan came in, here's what time Kelly Handerhan left.
Control and manage physical access devices. You know, think about those thumb drives, and there's removable hard drives, but also don't forget about things like rewritable DVDs. Many organizations restrict thumb drives, but I could do the same damage with a DVD: I can take data away or I can bring it in. So we want a little bit more comprehensive of a solution than just saying thumb drives are bad. Thumb drives can have a negative effect, but I can also download things from the Internet and bring them in on DVD. That could be every bit as damaging.

Enforce safeguarding measures for CUI at alternate work sites. So, for instance, if you telework, I want to make sure that I restrict access, maybe to remote users, and limit that. I force encryption. Make sure there's an encrypted tunnel across which we're communicating. Also, things like making sure that we don't have multiple sessions open, so I have maybe a VPN connection to the office, and in another window I'm browsing the Internet or doing other things. You know, that really can kind of create sort of a pipeline from the Internet, to the VPN, to the internal organization. So I just have to be very careful and very thoughtful. But physical access protection really is the starting point of security.