325
Appendix H
Physical Security
Before the electronic age, security was essentially physical security. Although new risks related to electronic security exist today, physical security is still a critical component of an information security program because it is the first line of defense for many companies. Weak physical security can negate many of the other information security measures a company might have in place. If someone can gain unauthorized physical access to company facilities, their chances of doing damage are increased significantly. Some aspects of physical security that should be considered include:
•Physical access to facilities
•Physical access to secure areas within facilities
•Physical access to computing resources (e.g., workstations, laptop computers)
•Physical access to paper records
Each of the areas above and others can be critical for a company depending on
the specific risks they face. As with other information security measures, physical
security should be based on the specific risks faced by the particular company.
Lack of physical security measures can have significant impacts including:
•Unauthorized access to critical computing resources, which can result in a compromise of sensitive information or malicious activity on critical systems
•Theft of computing resources
•Regulatory fines resulting from not providing adequate protection for sensitive information
ORGANIZATION/POLICY
1. Does the company have a physical security policy?
Guidance:
A physical security policy is the foundation of a physical security program. It is the foundation for any physical security measures that are implemented. The policy should outline physical security requirements
AU1706_book.fm Page 325 Tuesday, August 17, 2004 11:02 AM
326
A Practical Guide to Security Assessments
and high-level roles and responsibilities, which can be translated into specific physical security procedures. The roles and responsibilities can include those of individuals such as facilities personnel, whose job is physical security, as well as regular personnel, who might have some level of responsibility as it relates to physical security — e.g., personnel must ensure that their desks are clean when they leave at the end of the day. The policy should be updated to reflect changing business requirements and enforced via regular audits.
Risk:
Without a physical security policy, there are no formal requirements for what is to be done to physically secure the company. As a result, personnel will not necessarily know what to do from a physical security perspective, and it will be difficult to enforce good physical security practices at the company.
Client Response:
2. Is someone or some group responsible for physical security of the facilities, e.g., a facilities group?
Guidance:
Someone should own the responsibility of physical security to ensure that accountability exists. Responsibility for physical security can vary and can include:
•Separate department with dedicated personnel
•Part of information technology (IT) security
•Part of facilities management
These groups’ responsibilities should be formally documented in the physical security policy. In some cases, such as when the facility is in an office park or building setting, physical security might be handled by a third party that handles security for all companies in the facility. In these cases, someone from the company should be responsible for the relationship with the party providing physical security services. The company will still be responsible for some elements of physical security (e.g., inside offices, file cabinets). Whether internally or externally performed, responsibility for physical security should be clearly defined.
Risk:
Without a clearly defined owner of physical security, there is a lack of accountability and a potential that physical security measures will not be implemented as intended by management.
Client Response:
3. Is there any awareness training related to physical security?
Guidance:
To help ensure that physical security is effective, personnel must be made aware of its importance. Some mechanism should be in place to ensure that employees understand physical security and their role in achieving it. In addition to awareness, the policy and any procedures should also be readily accessible, for example on a company intranet. Depending on the organization, there are different ways to provide awareness training to employees including:
•As part of new-hire orientation
•General companywide security awareness training
•Department-level awareness training
Risk:
Without an awareness program related to physical security, employees may not know the policy and its requirements and therefore may not follow them, particularly the requirements that pertain to them. Also, as with other security policies, it is difficult to enforce the policy if employees are not aware of it.
Client Response:
DETERMINE SCOPE AND CRITICALITY
4. Have there been any physical security–related incidents? If so, how was the incident handled and what steps have been taken to prevent it from happening again?
Guidance:
Past incidents are an excellent source of information in a security assessment. The cause of the incident can provide a basis for findings as part of the security assessment. In addition, how the incident was handled can provide insight into the client’s incident handling process. If a physical security incident occurred, you should try to quantify the damage and determine whether sensible cost-effective steps were taken to prevent the same thing from happening again.
Risk:
Not applicable. This question is to gather information about past security incidents, which can potentially lead to a finding if the cause of the incident was not addressed.
Client Response:
5. What business functions occur at the facility and what is the criticality of these functions?
Guidance:
The purpose of this question is to gain an understanding of the different functions at the facility (or facilities). Have the client consider the operations that take place at each of the different facilities and their importance to the business. For example, one facility might house the data center, which serves all other facilities and is a critical facility. Another example is a location that is a satellite office with some desk space where some people occasionally work, which is not that important. With this question, you should have a sense for the importance of each facility and where to focus your efforts as it relates to assessing physical security. Based on what you learn, it might also be appropriate to visit a critical site to observe what physical security measures are in place.
Risk:
Not applicable. The purpose of this question is to gain a high-level understanding of what is happening at each location, its criticality, and how critical physical security is at each location.
Client Response:
6. How are security incidents handled? Is there an incident handling method or policy that is documented and is part of a security awareness program?
Guidance:
Incident handling is something that all personnel should be knowledgeable about, as any employee can potentially be involved in responding to an incident. In terms of incident handling, there should be clear roles and responsibilities as related to employee communications (should be done through a single point of contact), communication with law enforcement, and communication with the press. Personnel should know to whom to report a physical security incident. In addition, guidelines should exist to help personnel classify the incident in terms of severity. All of this should be documented in an incident handling policy. Incident handling is discussed in more detail in a separate, specific questionnaire (Appendix J).
Risk:
If incidents are not handled properly (i.e., in an organized and controlled manner), there is a risk of increased damage related to an incident.
Client Response:
7. What would be the impact to the business if personnel could not access the facility? What is the tolerable downtime?
Guidance:
Access to some facilities can be critical. Consider the criticality of the operations at a given facility and the related interdependencies. For a manufacturing company, this could be a plant, an office where orders are taken and processed, or a distribution center from which orders are shipped. If any of these facilities were inaccessible, this could seriously impact revenue. On the other hand, a consulting company may not be heavily dependent on any facility if its core operations involve consultants working at client sites or from home. When determining the importance of accessibility to a site, think in terms of tolerable time — i.e., what is the tolerable time frame for which a site can remain inaccessible? When clients answer this question, they should understand that there are cost implications associated with the tolerable downtime — e.g., there is a difference in cost between four hours and eight hours of tolerable time of inaccessibility. Impact should be quantified to the extent possible (e.g., if a company cannot take orders for a day, potential loss of revenue can be estimated).
Risk:
Not applicable. The purpose of this question is to determine the impact to the business, which will help assess the risks associated with physical security.
Client Response:
8. What physical assets (e.g., computers, equipment, proprietary information) are in the facility and what is their value?
Guidance:
The value of the physical assets within a facility is another piece of information to help establish the criticality of a facility. The risk associated with physical security at a given facility is largely dependent on the value of the items inside the facility. What is contained in the facilities will help determine the level of physical security required.
Risk:
Not applicable. The purpose of this question is to understand the value of items at each facility to help determine whether physical security measures are adequate.
Client Response: