Protecting and securing equipment

Physical security is also concerned with the physical protection of equipment, as well as with addressing various security requirements pertaining to the media where the data is stored.

Theft is one of the most important threats that needs to be addressed for personal computer, laptop, and media protection.

Equipment security

Equipment security involves protection from theft and unauthorized access. Some of the controls include the following:

  • Cable locks are used to physically secure PCs and laptop computers. These locks prevent the computers or laptops from being detached and taken away.
  • Encryption is used to secure folders and files so that unauthorized disclosure and modification are prevented.
  • Full disk encryption is used to encrypt the data in laptops. This is to ensure that even if the laptop is lost, the content is not disclosed. This method is also used to ensure that the system is not compromised using a technique called a cold boot attack.

Note

A cold boot attack is used to retrieve information such as passwords or encryption keys from DRAM even after the power is removed. This is possible due to the data-remanence property of DRAM.

Modern technologies include a security token to control access to laptops as well as remote laptop-security mechanisms that enable the owner to remotely access and disable the laptop over the Internet.

Port protection is used to ensure that media devices, such as CD-ROM, floppy drive, Universal Serial Bus (USB) memory sticks, Wireless-Fidelity (Wi-Fi) ports, and printers and scanners, are not accessible to unauthorized personnel. The purpose of port protection is to prevent downloading or transferring confidential information and/or intellectual property by unauthorized users to a portable medium. Port protection also assists in preventing the spread of malware.

BIOS checks use password protection during the boot-up process so that access to the operating system is controlled. These checks are called pre-boot authentication.

Computer hardware equipment is prone to failure due to various factors such as vibration, electrical fluctuation, electromagnetic interference, and so on. For critical systems such as servers, high availability is a primary requirement.

There are two important parameters used in the IT industry to qualify server grade equipment:

  • One is Mean Time Between Failure (MTBF), which is a time measurement that specifies the average time between failures. This time is called the useful life of the device.
  • The other parameter is Mean Time To Repair (MTTR), which indicates the downtime or the average time required to repair the device after a failure.

Media security

Storage media such as hard disks, backup tapes, CDs/DVDs, and diskettes need additional security measures to ensure the security of the data they contain. The controls should prevent data disclosure and modification by unauthorized entities.

The following controls need to be considered for media security:

  • Storage controls are the primary means to protect the data in storage media such as hard disks, magnetic tapes, CDs, and so on. The primary consideration should be controlling access to the data, which is usually achieved by encryption. Additional security considerations are required when backup media is stored off-site.
  • Maintenance is a regular process to ensure that the data in the storage media is not corrupted or damaged. Media handling procedures are used to ensure this.
  • The users and operators should be provided with the proper usage instructions to handle the media.
  • Media usage should be in accordance with the established policies and procedures.
  • Data destruction is done by way of formatting the media. One-time formatting may not completely delete all the data. Degaussing is an effective method of destroying the data in magnetic media.
  • Data remanence is the residual data that remains when the data is not completely erased or destroyed. When the media is reused, this may result in unauthorized disclosure of sensitive information. It is a good practice to prevent media reuse by physically destroying the media. In case of reuse, there should be policies and procedures to ensure that the data is destroyed.
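
The last two controls can be checked rather than assumed. The following is an added example, not part of the original text: it models a medium as a constructed in-memory image, shows that resetting only the file table (one-time formatting) leaves the data sectors readable, and verifies a full overwrite sector by sector. The layout, sector size, and function names are assumptions made for illustration.

```python
import io
import os

SECTOR = 512
TABLE_SECTORS = 4  # assumed layout: the first 4 sectors hold the "file table"

def build_image(payload: bytes, sectors: int = 64) -> io.BytesIO:
    """Constructed toy medium: a table entry in sector 0, payload in sector 10."""
    img = io.BytesIO(bytes(SECTOR * sectors))
    img.seek(0)
    img.write(b"ENTRY payroll.csv @sector 10")
    img.seek(10 * SECTOR)
    img.write(payload)
    return img

def quick_format(img) -> None:
    """Model of one-time formatting: the table is reset, data sectors are untouched."""
    img.seek(0)
    img.write(bytes(SECTOR * TABLE_SECTORS))

def overwrite(img, passes: int = 1) -> None:
    """Overwrite every sector with random data, then zero-fill so the result can be verified."""
    size = img.seek(0, os.SEEK_END)
    for _ in range(passes):
        img.seek(0)
        for _ in range(size // SECTOR):
            img.write(os.urandom(SECTOR))
    img.seek(0)
    img.write(bytes(size))

def residual_sectors(img) -> list[int]:
    """Return the numbers of the sectors that still contain non-zero bytes."""
    img.seek(0)
    dirty, n = [], 0
    while chunk := img.read(SECTOR):
        if chunk.strip(b"\x00"):
            dirty.append(n)
        n += 1
    return dirty

def demo() -> dict:
    secret = b"constructed sample: acct=0000 salary=0000"
    img = build_image(secret)
    quick_format(img)
    after_format = residual_sectors(img)        # remanence: sector 10 survives
    readable = secret in img.getvalue()
    overwrite(img)
    return {"after_format": after_format, "readable": readable,
            "after_overwrite": residual_sectors(img)}

if __name__ == "__main__":
    print(demo())
```

`residual_sectors` accepts any binary file object, so the same check can be run against an image file opened with `open(path, "rb")`.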