330
A Practical Guide to Security Assessments
9. Are any valuable paper documents in the facilities? If so, do electronic copies of the paper documents exist? What would be the impact to the business if the paper documents were either lost or destroyed?
Guidance:
Even with the increased use of technology, companies are still generating quite a bit of paper. There is a tendency to focus on securing electronic information rather than securing physical documents. Aside from the valuable and sensitive paper documents, employees are constantly printing e-mails and files that contain sensitive information. As a result, a slew of sensitive paper documents needs to be protected from unauthorized access. In doing this, the physical security of the facility where the document is stored is an important aspect to consider. For example, many executives are privy to some very sensitive information (e.g., company financial data, personnel records) that is in printed format. When performing an assessment, you should ensure that there are measures to protect both the confidentiality and availability of these paper documents. In regulated environments (health care — Health Insurance Portability and Accountability Act [HIPAA], financial services — Gramm–Leach–Bliley Act [GLBA], education — Family Educational Rights and Privacy Act [FERPA]) where companies have certain obligations to protect personally identifiable information, safeguarding paper documents is mandated and a failure to comply can result in financial penalties.
Risk:
Not applicable. The purpose of this question is to further understand the criticality and risk associated with physical security.
Client Response:
10. For any sensitive physical documents on site:
• How are they protected?
• What physical access measures have been taken to prevent unauthorized access to paper documents?
• Are sensitive paper documents shredded before they are thrown away?
• What would the impact be to the company if unauthorized individuals accessed these documents?
Guidance:
As stated previously, paper documents are often overlooked when talking about security. Many people have sensitive paper documents in their possession and do not adequately protect them. If you think about some of the traditional departments and the paper documents in their possession, you will realize that significant risks exist if these documents are lost or destroyed or if their confidentiality is compromised. Examples of departments and sensitive paper documents include:
• Finance: Financial data — For publicly traded companies, financial data should be accessed on a need-to-know basis.
Risk: Legal exposure if financial data is disclosed in an unauthorized manner prior to being released to the public.
AU1706_book.fm Page 330 Tuesday, August 17, 2004 11:02 AM
• Human Resources: Employee salary data and personnel folders.
Risk: This is highly sensitive information, which includes such things as salary data and sensitive personnel information. There is a legal exposure and, potentially, an employee relations nightmare if the confidentiality of this information is compromised.
• Executive Management: Sensitive printed electronic mail communications.
Risk: Many people print electronic mail instead of reading it on their personal computers. Because some of the information is of a very sensitive nature, there is tremendous risk if the wrong people see the information. Although many executives do not use electronic mail for highly confidential or sensitive communications, this issue is worth investigating.
Risk:
The risks related to securing sensitive physical documents include:
• Breach of confidentiality of information
• Impact related to having to recreate the information if it is lost or destroyed
Client Response:
ACCESS TO PREMISES
11. What is the process for an employee who needs to gain physical access to facilities? Is physical access restricted to only those individuals who require it?
Guidance:
Employees are generally given physical access to facilities when they first join as part of the new hire process. As responsibilities change, it is possible that the facilities they access may change (this is a moot point in smaller companies where there is only one building). There should be a formal process for providing access to employees, which should include approval from appropriate management and documented business justification for access. In some cases, it may also be appropriate to limit access within a facility depending on the business requirements. For example, a given facility might have general office space and a network operations center that houses systems that support critical operations for the company. In this case, only a small group of employees would have access to the operations center, but all employees would have access to the office space. For any physical access to facilities, there should be a documented process with the appropriate approvals to ensure that access is given only on a “need to have” basis.
Risk:
Without a formal process for granting physical access to ensure that physical access is granted on a “need to have” basis, persons might gain unauthorized access to facilities. This could lead to theft of information and assets or other malicious activity.
Client Response:
12. How is physical access to facilities controlled for employees, contractors, visitors, etc.? What physical security measures exist at the perimeter or when entering the facilities?
Guidance:
Depending on the environment, the method for gaining physical access can vary. Some of the methods you might see include:
• Manned desk where someone is checking IDs
• Visitors required to log in, stating their purpose for the visit and who they are there to see
• Turnstiles where employees must swipe an ID card to enter the facilities
• Biometric authentication (e.g., fingerprints used to gain access to a facility)
You may also see facilities where no controls exist to screen people entering a facility, which is definitely a cause for concern. Based on the importance of the facility, an appropriate level of control for allowing physical access to facilities should exist. Some facilities might justify more stringent controls, but others will require less. You should at least see some type of authentication, whether it is manual (e.g., manned desk) or automated (e.g., scanning badges).
Risk:
If the process for gaining access to physical facilities is not controlled, there is a risk of individuals having unauthorized physical access to facilities, which could lead to theft of information and assets or other malicious activity.
Client Response:
13. Is there a formal, documented process for granting access for contractors?
Guidance:
Similar to the situation with regular employees, a formal, almost identical process should exist for granting access to contractors — i.e., access should be given on a “need to have” basis with approval from appropriate management and business justification. Some other aspects to consider with contractors include:
• Has the contractor been appropriately screened?
• Access should be given only for the period of time that contractors are working. If they are long term, consider automatically expiring access (e.g., every six months) and then renewing access.
Risk:
If physical access to facilities for contractors is not properly controlled, there is a risk of individuals having unauthorized access to physical facilities, which could lead to theft of information and assets or other malicious activity.
Client Response:
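The checks an assessor applies when reviewing a physical access roster against questions 11 and 13 (management approval, documented business justification, contractor screening, and contractor access that has outlived its renewal period) can be expressed as a small review script. The following is an added example written for this edition, not code from the book or from any client system; the roster, names, badge numbers, dates and the 182-day renewal limit are all constructed assumptions standing in for whatever the client actually keeps.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed renewal policy: contractor access older than this (measured from the
# last renewal, or from the grant if never renewed) is overdue. The six-month
# figure follows the guidance above; the exact day count is our own choice.
CONTRACTOR_MAX_AGE_DAYS = 182


@dataclass
class AccessGrant:
    """One row of a (constructed) physical access roster."""
    badge_id: str
    holder: str
    role: str                     # "employee" or "contractor"
    facility: str
    approved_by: Optional[str]    # manager who approved the grant, if recorded
    justification: Optional[str]  # documented business justification, if any
    granted_on: date
    last_renewed: Optional[date]
    screened: bool                # background screening completed


def review_grant(grant: AccessGrant, today: date) -> List[str]:
    """Return the findings for one grant; an empty list means it passes."""
    findings = []
    if not grant.approved_by:
        findings.append("no management approval recorded")
    if not grant.justification:
        findings.append("no business justification recorded")
    if grant.role == "contractor":
        if not grant.screened:
            findings.append("contractor not screened")
        # Age is counted from the most recent renewal, or the original grant.
        anchor = grant.last_renewed or grant.granted_on
        age = (today - anchor).days
        if age > CONTRACTOR_MAX_AGE_DAYS:
            findings.append(f"contractor access {age} days old, past renewal")
    return findings


def review_roster(grants, today):
    """Map badge_id -> findings for every grant that has at least one finding."""
    report = {}
    for grant in grants:
        findings = review_grant(grant, today)
        if findings:
            report[grant.badge_id] = findings
    return report


# Constructed sample roster; holders, badges, facilities and dates are made up.
REVIEW_DATE = date(2004, 9, 1)
SAMPLE_GRANTS = [
    AccessGrant("B100", "J. Smith", "employee", "office space",
                "R. Lee", "new hire, accounting", date(2004, 3, 1), None, True),
    # long-term contractor never renewed since January: overdue
    AccessGrant("B101", "A. Vendor", "contractor", "office space",
                "R. Lee", "HVAC maintenance", date(2004, 1, 15), None, True),
    # contractor renewed in June: still inside the six-month window
    AccessGrant("B102", "M. Tech", "contractor", "network operations center",
                "K. Ops", "router upgrade project", date(2003, 11, 1),
                date(2004, 6, 1), True),
    # employee grant to the operations center with no approver on file
    AccessGrant("B103", "P. Jones", "employee", "network operations center",
                None, "on-call operator", date(2004, 7, 20), None, True),
    # recent contractor whose screening was never completed
    AccessGrant("B104", "D. Temp", "contractor", "office space",
                "R. Lee", "reception cover", date(2004, 8, 20), None, False),
]

if __name__ == "__main__":
    for badge, findings in review_roster(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(badge, "->", "; ".join(findings))
```

Run against the sample roster, the script reports B101 (contractor access 230 days without renewal), B103 (no approver recorded) and B104 (contractor not screened), and passes B100 and B102; in an actual assessment the roster would be exported from the client's badge or facilities system and the renewal limit set to the client's own policy.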
14. When physically working at a site, do people in the facility (employees, contractors, and visitors) display a badge or something else that identifies them at all times?
Guidance:
Having people display identification is effective, especially in large environments with many employees, where people do not know everyone. It is another layer of security in the event someone gains unauthorized physical access to a facility. For employees and some contractors, badges can be given as part of a new hire orientation process. If badges are used, employees should be made aware that anyone without a badge is potentially not authorized. As part of awareness training, employees should bring it to management’s attention if they see someone without any kind of identification. If individuals lose their badges, they should wear temporary ones issued by the appropriate group (e.g., security, facilities).
Risk:
Requiring employees to display identification badges helps reduce the risk of individuals gaining unauthorized physical access to a facility.
Client Response:
15. Are visitors required to sign in?
• Are visitors required to have temporary badges that are displayed when in the facility?
• Are visitors required to be escorted by authorized personnel while in the facility?
Guidance:
Visitors represent a significant risk to a company if not handled properly. They often just walk right into some facilities without being questioned. A visitor like this with malicious intent can cause significant damage to a company. Ideally, visitors should be required to wear some visible identification (such as a badge) and be escorted by authorized personnel. Visitors should have identification and also be required to sign in to a logbook where they document time in and out, the person they are there to see, and the purpose of their visit. The guard or receptionist who is the first person that a visitor sees when entering the facility should enforce these rules. Being able to “trick” or “finesse” the guard or receptionist into giving physical access is a social engineering technique that can be used to gain unauthorized access to facilities. On this topic, it is worth discussing the process of visitors gaining access. In addition, if badges are used, employees should be aware that everyone in the facility should have some form of identification at all times.
Risk:
If visitors are not required to present identification, have a legitimate purpose for their visit, and have some specific person in the company that they are there to see, there is a risk that visitors can gain unauthorized access to facilities and the company’s systems and cause damage.
Client Response:
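When a client does keep the visitor logbook described above, an assessor can review it mechanically for the fields the guidance calls for (host, purpose, temporary badge, escort, time in and time out) and for entries that were never closed out. The script below is an added example for this edition, not code from the book or from any client; the logbook lines, names, times and the ten-hour limit for an open entry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed desk rule: an entry still open this long after sign-in is reported so
# the guard can confirm the visitor actually left. The limit is our own choice.
MAX_OPEN_VISIT = timedelta(hours=10)


@dataclass
class VisitorEntry:
    """One line of a (constructed) visitor logbook."""
    visitor: str
    time_in: datetime
    time_out: Optional[datetime]
    host: Optional[str]        # employee the visitor is there to see
    purpose: Optional[str]
    badge_issued: bool         # temporary visitor badge handed out
    escorted: bool             # escorted by authorized personnel


def audit_entry(entry: VisitorEntry, now: datetime) -> List[str]:
    """Return findings for one logbook line; empty means it meets the checklist."""
    findings = []
    if not entry.host:
        findings.append("no host recorded")
    if not entry.purpose:
        findings.append("no purpose recorded")
    if not entry.badge_issued:
        findings.append("no temporary badge issued")
    if not entry.escorted:
        findings.append("visitor not escorted")
    if entry.time_out is None:
        # Open entries are only a finding once they are older than the limit.
        if now - entry.time_in > MAX_OPEN_VISIT:
            findings.append("no sign-out recorded")
    elif entry.time_out < entry.time_in:
        findings.append("sign-out precedes sign-in")
    return findings


def audit_log(entries, now):
    """Map visitor name -> findings for every entry with at least one finding."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry, now)
        if findings:
            report[entry.visitor] = findings
    return report


# Constructed sample logbook reviewed at 14:00 on 1 Sep 2004; all values are made up.
NOW = datetime(2004, 9, 1, 14, 0)
SAMPLE_LOG = [
    # complete entry: host, purpose, badge, escort and sign-out all recorded
    VisitorEntry("A. Supplier", datetime(2004, 9, 1, 9, 0),
                 datetime(2004, 9, 1, 10, 30), "R. Lee", "contract review",
                 True, True),
    # still on site but signed in only at 11:15, so not flagged yet
    VisitorEntry("B. Courier", datetime(2004, 9, 1, 11, 15), None,
                 "Mailroom", "package delivery", True, True),
    # walked in yesterday with nothing recorded and never signed out
    VisitorEntry("C. Unknown", datetime(2004, 8, 31, 8, 5), None,
                 None, None, False, False),
    # clerical error: sign-out time earlier than sign-in
    VisitorEntry("D. Auditor", datetime(2004, 9, 1, 13, 0),
                 datetime(2004, 9, 1, 12, 30), "K. Ops", "annual audit",
                 True, True),
]

if __name__ == "__main__":
    for visitor, findings in audit_log(SAMPLE_LOG, NOW).items():
        print(visitor, "->", "; ".join(findings))
```

On the sample logbook the review flags "C. Unknown" on every check and "D. Auditor" for the inconsistent times, while the courier who is still on site is left alone because the entry is recent. Reviewing a real logbook this way also shows the assessor how consistently the desk fills in each field, which is itself evidence of whether the rules are enforced.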
16. Does the termination process include discontinuing physical access to company facilities?
• Are identification badges returned?
• If electronic access mechanisms are in place, is terminated employees’ access removed?
• Are names of terminated employees removed from the appropriate lists?
• Are terminations proactively communicated to guards so they know about them?
Guidance:
Terminated employees represent a very significant risk to companies — especially when the termination involves a disgruntled employee.