Learning Outcomes. Physical Security. Zoning systems. Zone 1 Open areas. Information Security



Similar documents
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

CSE 265: System and Network Administration

Information Security Team

MARULENG LOCAL MUNICIPALITY

Security Control Standard

Physical and Environment IT Security Standards

Information Technology Security Procedures

HIPAA Security Alert

HIPAA RISK ASSESSMENT

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

HIPAA Security COMPLIANCE Checklist For Employers

Fax

How To Protect Decd Information From Harm

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Rotherham CCG Network Security Policy V2.0

ABERDARE COMMUNITY SCHOOL

Major Risks and Recommended Solutions

IT Security Standard: Computing Devices

Risk Assessment Guide

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

HIPAA Privacy and Security Risk Assessment and Action Planning

Information Security

Document Details. 247Time Backup & Disaster Recovery Plan. Author: Document Tracking. Page 1 of 12

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

Course: Information Security Management in e-governance

SITECATALYST SECURITY

Retention & Destruction

Chapter 8: Security Measures Test your knowledge

Alarm Systems. The purpose of an intruder alarm system is: Commonly utilised detection devices include:

Application Development within University. Security Checklist

Content Index. 1. General Location and Building Telecommunication Feeds Electric Power Climate Control...

Mike Casey Director of IT

ULH-IM&T-ISP06. Information Governance Board

Regulations on Information Systems Security. I. General Provisions

Policy Document. IT Infrastructure Security Policy

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

DCIM Data Center Infrastructure Monitoring

Dublin Institute of Technology IT Security Policy

Wireless in the Data Centre becomes best practice!

A Systems Approach to HVAC Contractor Security

Zone B: comprises of NOC room, reception area, Help Desk area, Call Centre, Testing/Monitoring room. This zone requires approximately 1500 sq. feet.

Network Router Monitoring & Management Services

Section 12 Setting up a Mission Records Storage Facility

Access Control and Operating Conditions Monitoring System for Telecommunication and Server Racks

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

CPNI VIEWPOINT 02/2010 PROTECTION OF DATA CENTRES

Human Intrusion. Natural Disasters* Attackers looking to perform some sort of damage or obtain useful information

Service Children s Education

Everything you need to know!

Data Management Policies. Sage ERP Online

Sensor Monitoring and Remote Technologies 9 Voyager St, Linbro Park, Johannesburg Tel: ;

Physical Security Policy

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

The EVA Solution to Physical Security

Security. Enalyzer A/S

Physical Security Requirements. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

UBC Technical Guidelines Section Edition Secure Access: General Standards Page 1 of 7


Security Whitepaper: ivvy Products

Georgia Tech Aerospace Server French building Server Room. Server Room Policy Handbook: Scope, Processes and Procedure

INFORMATION TECHNOLOGY POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

GMS GRAPHICAL MANAGEMENT SYSTEM

Technical Standards for Information Security Measures for the Central Government Computer Systems

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA and Network Security Curriculum

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

Security Service de Services sécurité. Security Alarm Monitoring Protocol

Security Policy JUNE 1, SalesNOW. Security Policy v v

Security and Data Center Overview

PDSA Special Report. Is your Company s Security at Risk

How To Ensure Security At A Site Security Site

Enterprise Security Model in SAS Environment

Version 1.0. Ratified By

IMS [Integrated Management System] Surveillance Solution Segment Focus: Gaming Industry

Corporate ICT Availability

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

DC-8706K Auto Dial Alarm System

Barrington Hills Police Department

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SAP Cloud: Data Center Security SAP Cloud Data Center Strategy and Security Whitepaper

CITY OF BOULDER *** POLICIES AND PROCEDURES

Network Security Policy

UK Inflammatory Bowel Disease Audit Biologics Audit system and hosted server Security Details

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

Session objectives. Access control. Subjects and objects. The request. Information Security

IT - General Controls Questionnaire

Security Alarm Monitoring Protocol

Transcription:

Learning Outcomes Physical Security Information Security Dr Hans Georg Schaathun After this week, students should be able to identify threats and useful controls in the physical environment of an information system Høgskolen i Ålesund Autumn 2011 Week 7 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 1 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 2 / 1 Zoning systems Zone 1 Open areas divided into areas with different security controls. Why may this be a good idea? Assets with different value criticality user access requirements Staff with various access requirements Other people with various access requirements Outer areas Outdoor, maybe reception area Typical controls: good fence CCTV The following is an example. Different operation will have very different needs. Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 5 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 6 / 1

Zone 2 Main offices Zone 3 Restricted access Most staff work here Typical controls: locks and alarms on doors and windows Few staff require regular access Typical controls: locks and alarms on doors and windows reinforced windows (security glass) access control with identification and logging Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 7 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 8 / 1 Server halls Zone 4 Data centres and inner sanctums Question Only very few staff require access Typical controls: locks and alarms on doors should not have windows access control with identification and logging motion sensors assault alarms What threats are we concerned with when we design the physical rooms to host a server rack or mainframe? Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 9 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 11 / 1

Server halls Server halls Typical Threats Dedicated server room Unauthorised, physical access (incl. burglary) Interuptions of power supply Fire Flood (rainwater or broken water pipes) Temperature (too high or too low) Humidity, dust, air particles etc. Radiation Peaking Why is a dedicated server room a good idea, even for a local LAN server? Threats by human error: Disconnecting Stumbling in a network cable Moving cables to clean the floor Mistaking the server for a workstation e.g. turning it off at night A dedicated server room is a good control, reducing the strain faced in rooms that are in continuous use. Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 12 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 13 / 1 The context Authorisation versus Identification Consider the physical access control to enter a room (e.g. server room). What do we mean by 1 Identification? 2 Authorisation? 3 Authentication? Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 15 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 16 / 1

Identification and Authentication Authorisation Identification establishing the identity of the person, linking a physical person to a personell record. Authentication verifying the correctness of the identification Why do we use identification in access control? Authorisation privileges specified in personnel record. Audit logs recording access for audit trail Authorisation refers to determining what a given individual is permitted to do. Authorisation does not require identification A mechanical key authorises someone to enter a locked room. The authority is linked to the key not the identity of the person carrying it Mechanical locks give authorisation without identification Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 17 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 18 / 1 To identify or not to identify Principles of identification Two separate controls: Access control (authorisation) Access logging (identification) What challenges are related to logging? Privacy Privacy legislation What are the advantages of logging? Trace abuse Formal agreement between employer and employee can help get acceptance. Something carried a key, a keycard, an identity card, a uniform Something known a password, PIN, pass phrase Something one is fingerprint, palmprint, iris scan, facial recognition voice recognition, signature recognition (behaviourlal) Or any combination of the above Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 19 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 20 / 1

Something carried Something known Advantages and disadvantages? simple relatively cheap loss and theft Advantages and disadvantages? very cheap difficult to remember leading to human errors and possible compromising Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 21 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 22 / 1 Biometrics Advantages and disadvantages? relatively expensive but getting cheaper imperfect authentication but getting better simple for the user nothing to bring, nothing to remember difficult to forge or steal Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 23 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 24 / 1

Privilege Management Power supply Power related threat events Consider many groups of users rank and file staff technical staff specially vetted staff permanent contractors temporary contractors visitors Privilege management is complex who needs what? What threat events may happen relating to power? Variations in voltage or frequency Pulses Power glitches Blackout What happens to the equipment in these cases? Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 25 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 27 / 1 Controls Power supply Cabling Power supply UPS Uninterupted power supply. Prevents loss from glitches and short outages. Generators Prevents loss from blackout. Does not protect against glitches as they take time to start. Transformers Evens out instability to avoid damage from voltage or frequency variations, and from pulses Needs depend on local mains quality Workstations and printers may not require controls Be aware of power instability in the case of inexplicable hardware fault Cables have to be tidy to avoid interuption when installations are upgraded to avoid human error Patch panels 10cm above floor level to avoid damage in case of (minor) flooding Separate, locked areas to avoid casual contact and accidents Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 28 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 29 / 1

Climate Fire Cooling is critical. and the cooling system must be sufficiently reliable Other threats Dust Static electricity Fire detectors Fire alarms alert fire brigade open escape routes and close fire doors control lifts close vents and stop fans Fire extinguishers remember: right type for the situation Collaboration with fire brigade is useful Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 31 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 32 / 1 Flooding Watch surveillance alarm Risks include leakage from higher floors leakage from cooling system leaks from pressurised pipes in adjacent rooms floods and land slides Guards (expensive, especially 24/7) Response teams Surveillance Monitoring incident reports flagging of unusual incidents risk reviews Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 33 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 34 / 1

Radiation Laptop controls Mobile and Portable Systems EMR electromagnetic radiation allows eavesdropping can be shielded (Faraday cage) EMP electromagnetic pulse attack knocks out equipment Burglar alarms Anti-theft software reporting location to a server Invisible markings Cable lock Backup Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 35 / 1 Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 37 / 1 Telecommuting Heimekontor Mobile and Portable Systems What challenges arise when staff work from home? How do you deal with it? additional security at home? restricted information access for home work? Solutions VPN Virtual Private Networks per service remove access Dr Hans Georg Schaathun Physical Security Autumn 2011 Week 7 38 / 1

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information