CHAPTER 16


Physical and Environmental Security Controls


Since information is frequently in electronic form, organizations seldom recognize the importance of physical and environmental security. Some organizations have the misperception that they have adequately safeguarded their environment by simply placing security guards at the main door or using electronic key badges at the entrances. This is a good start; however, with other threats on the rise, physical and environmental security should be treated as being as important as any other information assurance threat. Implementation of physical and environmental security is part of the fundamental capability an organization should establish in any business continuity management (BCM) initiative. Refer to Chapter 24 for further details on BCM.

Physical and environmental security protects an organization’s physical infrastructure, its equipment, and its facilities, as well as its employees, from physical events, threats, or incidents. The main threats for physical and environmental security are

      • Energy, for example, electricity

      • Equipment, for example, mechanical or electronic component failure

      • Fire and Chemical, for example, explosion, smoke, or industrial pollution

      • Human, for example, riot, war, terrorist attack, or bombing

      • Natural Disaster, for example, earthquake, volcano, landslide, or tornado

      • Pandemic disease, for example, bacteria or virus

      • Radiation, for example, electromagnetic pulse

      • Weather, for example, sandstorm, humidity, flood, or lightning

This chapter explains physical and environmental security controls, media handling controls, and benefits of physical security controls.

Benefits


Organizations benefit by establishing physical and environmental security controls/countermeasures to protect information in storage, transit, and processing. These countermeasures help protect information-processing systems from the following events:

      Environmental disruption Natural disasters and man-made environmental problems are regarded as some of the most prevalent threats today. For example, fire can destroy buildings. Floods can cause damage to infrastructure, assets, and data.

      Interruptions to service Serious business interruption may cause business disaster. If an organization faces services disruptions because of breaches of physical security, the organization’s reputation will be at stake. This may lead to loss of public confidence.

      Loss of system integrity If intruders are able to gain physical access to hardware components, they may be able to bypass logical access controls. With this access, they may perform malicious acts on systems and components. These activities can cause loss of information system availability, confidentiality, and integrity.

      Physical damage The acts of sabotage or vandalism can impair hardware components. Damaged media may raise concerns on data confidentiality, integrity, and availability.

      Physical theft In the event of loss of hardware components because of physical theft (or robbery), organizational functions may be interrupted particularly if the organization does not have backup or fails to replace stolen components in a timely manner.

      Unauthorized disclosure of information Insufficient physical security controls may enable intruders to obtain easy access to an organization’s information assets. This will place the security of classified information at risk.

Physical and Environmental Security Controls

Precede the implementation of physical and environmental security controls with a risk assessment to identify vulnerabilities and sources of threats that place organizations’ operations and individuals’ lives and safety at stake. Refer also to Chapter 11 on risk assessment.

Physical and environmental security is best managed using a layered defense approach. The concept of a layered defense approach (also known as defense-in-depth approach) is that if an intruder successfully manages to penetrate one control layer, there will be other control layers in his way before he can access the organization’s assets. Note that layered defense should be adopted for all aspects of information assurance, not just physical assets. The layered defense approaches for physical and environmental security are divided into two broad areas:

      • Physical security of premises and offices

      • Physical security of equipment

Physical Security of Premises and Offices

Premises, which hold critical information or systems, require special protection. The following controls deal with physical security of premises. One establishes the security perimeter as the outer boundary. That perimeter should contain all your critical assets. Within that perimeter, there may also be more secure areas or enclaves.

Physical Security of Premises

The first line of defense in safeguarding employees, information resources, and property is the security perimeter.

Examples of ways to provide physical protection are fences and creating layered physical barriers around the premises and information-processing facilities, including a manned reception area, security guards, or intrusion alarm systems. Perimeter protection also includes deploying lockable doors and windows, grills for windows, and fire escapes. The impact or value of the assets and the results of a targeted risk assessment are the factors that determine the placement and strength of each physical security perimeter location and related controls.

Physical Entry Controls Physical entry controls restrict access to information-processing resources by allowing only authorized individuals in the area. They control the entry and exit of employees, equipment, and media from an area, such as an office building, data center, and areas that contain critical information-processing resources.

Minimal physical entry controls should include the positive identification of all employees, vendors, and visitors at each point of entry. Unauthorized individuals in the facility should be easily identifiable. It should be difficult to confuse them with employees, vendors, and authorized visitors. People who are unable to show proof of identity and area authorization are a physical security risk. They should not be allowed to remain in secured spaces.

The following provides further explanation about access controls for employees and visitors:

      Employee access Restriction of employee access depends on the need for access, job function, and responsibilities. Positive identification and access control are mandatory; therefore, all employees should be required to wear some form of visible identification (ID badge) at all times whenever they are on the premises. Since the badge may disclose the employee’s identity, role, employer, and access levels of the individual, employees should not display the badge when offsite.

         Employees who work in a restricted area are important participants in physical security. If they notice either strangers or long-time employees behaving suspiciously in the area, they should stop and challenge them or immediately report their presence to their supervisor or security personnel.

      Visitor access Visitors include vendors, consultants, maintenance personnel, contractors, and other nonemployees. Permit visitor access only to those areas where they have specific and official purposes. A record of visitors who enter the premises should be maintained. Before a visitor can access a restricted area, the visitor should be required to present appropriate credentials and register at a reception area or security guard station. In most cases, they should also be escorted at all times and informed of the physical security requirements of the area and emergency procedures. The dates and times of their admissions and departures should be logged. This recording may be accomplished with a card access control system, a sign-in log, or other mechanisms.

Organizations must periodically assess the effectiveness of physical entry controls in each area to determine whether improvements should be made. Assess the controls’ effectiveness during both normal office hours and when an area is unoccupied. Several factors affect the effectiveness of physical entry controls. These factors include the type of control devices used, the implementation, and the operational use. Organizations should determine the effectiveness of the control procedures and whether intruders can bypass the controls in place. Physical penetration tests are often used to test the resiliency of human, technology, and procedural controls. Based on these assessments, enhance the physical entry controls.

Securing Offices, Rooms, and Facilities Secure areas are frequently called enclaves. Organizations must select the location of the enclaves within the security perimeter carefully. Locked offices or rooms located inside the perimeter may be considered as enclaves. For example, network and communications equipment rooms or human resources offices are enclaves that may require additional controls.

Different risks such as natural or man-made disasters should also be considered in the planning process. When man-made events occur, access to the restricted areas may be compromised during a panic. In some circumstances, the secure area should not be publicized in any manner. Boards, banners, or signs indicating the presence of important facilities or activities should be concealed.

By policy, organizational telephone directories are for internal use only; exceptions can be made for specific purposes. Disclosure of the directory may attract unnecessary attention or expose confidential information about the organizational structure. This is an ideal tool for social engineers to begin their reconnaissance.

To control exfiltration of data on paper, organizations should ensure that equipment such as photocopier machines, printers, scanners, and fax machines are located within secure areas or configured to work only when a password or token is used.

Physical security is an ideal tool for compartmenting information; consider using badge readers or cipher locks that require a unique code, key, and/or badge for entry. This helps ensure that only authorized individuals can gain access, and in the event an incident occurs, these technologies provide logs that can help locate the attacker. By combining a badge with a key code, the organization has a two-factor physical access system.

Working in Secure Areas The physical security should accommodate third parties working in the area. A secure work area may include closed circuit television (CCTV) and card-controlled doors. The personnel working in this area should have adequate training about device operation, as well as awareness of the importance of the physical security controls. Carefully screen personnel working in the secure work areas prior to employment or engagement to ensure the employees and third parties are honest, competent, and aware of their responsibilities. The use of any photographic, audio, video, mobile devices, or other recording equipment in secure areas should be restricted. Exceptions may be authorized based on a demonstrated need and a risk review.

Public Access Delivery and Loading Areas Frequently, there is continuous movement of incoming and outgoing items at several portals on the premises. Access to areas such as entry, delivery, and loading areas should therefore be limited to authorized individuals. If possible, separate these entrance and exit areas from secure areas to minimize threats.

Establish appropriate physical and inventory controls to ensure that all items are loaded and unloaded at the loading areas only. Prohibit access to other parts of the premises, and before incoming items are allowed within the premises, they should be registered or inventoried and examined for potential threats.

Duress In high-risk environments, organizations should establish a duress alarm or code that gives a covert alert about an increased-risk situation. A person can use it secretly to indicate that a serious information or physical security event has occurred or is in progress. For example, a physical security alarm causes the security operations center to call a guard station. The operations personnel ask the guard if everything is okay. The guard responds, “Everything is fine; the zebra system is down again.” The operations center immediately dispatches law enforcement to the guard’s location. What happened? The term “zebra system is down” is a predesignated signal to indicate the guard was under duress. Perhaps someone was threatening the guard and telling him he must tell the operations center “everything is fine” while thieves attempted to rob the organization. To be effective, duress codes must be maintained confidentially within the organization, and their use must be practiced by those who routinely rely on them. A duress alarm response procedure should be in place to ensure that every alarm is handled properly and immediately.

Physical Security of Equipment

Organizations should physically protect information-processing equipment to minimize the risk of unauthorized access to information, as well as to safeguard against loss or damage. For example, if someone has physical access to your network equipment, it is easier for them to modify the security profile of the equipment than by trying to do it electronically from offsite. Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan. This is particularly important with cold sites that may be overlooked until they are needed. The following section explains controls that deal with equipment issues concerning physical security.

Equipment Placement and Protection Organizations should secure equipment from environmental threats, hazards, and opportunities for unauthorized access. Organizational assets face destruction from exposure to fire, smoke, water, and other hazards, so information and information processing resources should be protected with a diverse set of countermeasures:

      Fire Information processing equipment may be damaged in fires. Installing fire sensors, heat sensors, smoke sensors, fire extinguishers, or sprinkler systems can reduce risks from fire hazards.

         Fire alarms should have the feature of both manual and automatic operation, since a person may notice a fire before an automatic smoke alarm. Automatic sensors should be able to detect both visible smoke and ionized particles. Deploy fire sensors and firefighting systems not only in the room but also in the plenum spaces both above and below the room.

         Fire extinguishers should be located in visible locations and near fire exits. They should be easily accessible and readily available at all times for immediate use. To assure optimal operation, inspect and certify the extinguishers periodically; for example, a certified professional or the fire department should do this at least twice a year. It is essential to provide adequate training and appropriate instructions to the employees regarding the use of these devices.

Sprinklers Water-based sprinklers should be dry pipe systems that do not hold water under normal conditions. In equipment rooms, avoid water. There are fire-fighting systems that use special gases to stop fires. They work by displacing the oxygen in the room. However, the gases may be dangerous to personnel, and special training is necessary. The systems should sound an alarm for the fire, as well as alert personnel to leave the area before the fire-fighting material is deployed.


         Consider using an automated emergency notification system that alerts the police and fire departments of an emergency automatically. Not only can this save lives, but valuable equipment and facilities may also be spared if emergency responders arrive quickly. Notification systems should be tested regularly, and agreements should be worked out with the fire and emergency responders so they understand where people have been instructed to shelter and whom they need to meet in case they need access to restricted locations.

      Smoke Smoke is hazardous to both personnel and equipment. Smoke may originate from malfunctioning computer systems or electrical fires, such as those caused by power transformers. Video monitors and electronics release an acrid smoke that may be fatal to humans and impair other equipment. Install smoke detectors both inside computer rooms and directly outside; ensure the smoke detectors work in the plenum areas above and below the room. As noted earlier, there are two types of smoke detectors: photoelectric (visible smoke) and ionization (invisible particulate byproducts) detectors. Smoke alarms use one or both methods. In addition, some use a heat detector to warn of a fire. These alarms provide people with critical seconds to escape a burning building by sounding an alarm in the presence of smoke or fire. Another significant danger is smoke that comes from cigarettes. Forbid employees from smoking in computer rooms. Not only can the smoke damage sensitive equipment, but it may also cause a false alarm and set off fire suppression systems.

      Water Water can damage power supply facilities and information-processing equipment. It may render these devices unserviceable through short-circuits or mechanical damage. There are two types of sprinkler systems: wet and dry. In wet systems, the pipes are always charged with water, while dry systems fill with water only if there is evidence of a fire. A “wet” pipe sprinkler system may cause damage by simple leakage or breakage from natural disasters.

         Disruption of water supply and sewage systems could also contribute to an uncontrolled flow of water. Natural disasters such as rain or floods may also allow uncontrolled flow of water into facilities.

         To mitigate water damage, do not install systems in basements that are prone to flooding. Install water sensors on the floor or under a raised floor near computer equipment. They should be set up so in the event of a flood, they sound an alarm and cut off power automatically.

Supporting Utilities Organizations require supporting utilities such as electric power, heating and air conditioning, and telecommunications equipment, which if disrupted lead to a loss of availability.

      Electric power Information processing systems fail without a continuous supply of stable power. Thus, they require redundancy in electric power system availability. If electrical power to the building in which information systems are hosted gets cut off, a backup device needs to be ready to take over and keep those systems powered. This can be accomplished using three approaches and combinations thereof: dual main power, an uninterruptible power supply (UPS), or a backup generator.

         The least expensive first line of defense is to have the facility connected to two separate sources of power from the grid. Ideally, the feeds would be able to operate the entire facility even if one failed. Minimally, they should come from two separate branches of the power grid and, if possible, they should come from two separate providers on different power supply grids.

      Backup generators If a system’s requirements demand uninterrupted processing in the event of a prolonged outage, a backup generator should be considered. Backup generators should be tested on a regular basis in accordance with the manufacturer’s specifications. This will ensure that they will function successfully during an outage. To ensure that generators can sustain operation over a prolonged period, make sure that generators have sufficient supply of fuel. Organizations enter into fuel supply contracts with local fuel wholesalers; however, during an emergency or outage, fuel suppliers are often restricted by a prioritization of customers to deliver whatever fuel they may have. Make sure your contract provides you with priority service. Remember, generators often require fuel tanks that are subject to inspection for safety and environmental regulations.

      UPS A UPS can be used to support critical business operations. It is designed to protect against a short power outage, and it provides enough time for system administrators to shut down systems and equipment in a systematic manner. Contingency plans should include the action to be taken upon failure of the UPS. All UPS equipment should undergo regular maintenance to ensure it is in good operational condition at all times. Batteries have a finite life and cycle count that must be managed.

      Heating, ventilation, and air conditioning (HVAC) Computer systems that manage critical information should have air-conditioning units that provide continuous monitoring and recording of temperature and humidity. To avoid computer damage because of temperature fluctuations, maintain all computer equipment in a designated computer room. After determining the temperature and humidity ranges tolerated by the equipment, maintain that temperature and humidity. Humidity must be managed to minimize static electricity from low humidity and equipment damage from condensation from high humidity. Install heat sensors inside the computers, in the computer rooms, and directly outside the rooms to warn of any noticeable rise in temperature, through either an audible or a visible alarm. When designing HVAC systems, it is important to remember they will need power during an outage or emergency. Therefore, the electrical capacity of generators or UPS must consider not only the computer equipment but also the associated HVAC equipment.

Organizations should build all systems with redundancy to provide a resilient information infrastructure. Planning for low-impact systems is typically N-1. This means a system should see no impact from the failure of one substantive asset where that failure is credible. This planning is part of a long-term growth plan. It is a deterministic approach. N-1 criteria cover most credible asset failures. It depends on the ability to install temporary fixes for damaged assets. Operational processes and practices should be used for restoring the electrical grid on a “business as usual” basis. Critical systems, or those that have a history of tight supply, should be designed to meet “N-2 plus” requirements. Such a system would still be able to operate if a major asset failed. Organizations must be careful not to outgrow their planning; this requires that the physical security plans and contingency plans be tested and reevaluated often. Complacency is the enemy of successfully surviving an outage or emergency.
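The N-1 and N-2 criteria above, together with the HVAC point from the preceding paragraph, can be checked mechanically. The following is an added example, not code from the chapter: it takes a constructed set of backup power assets and a constructed IT load and HVAC load, removes the largest one or two assets, and reports whether the remaining capacity still carries the protected load. All asset names and kilowatt figures are invented for illustration.

```python
"""Added example (not from the chapter): deterministic N-1 / N-2 checks
for a backup power design, with HVAC counted in the protected load."""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample: backup generators (name -> sustained kW) for a
# hypothetical data hall. Figures are illustrative only.
GENERATORS_KW: Dict[str, float] = {"gen-A": 500.0, "gen-B": 500.0, "gen-C": 500.0}

# Constructed sample loads in kW. HVAC is listed separately because the
# chapter's point is that it must be powered during an outage too.
IT_LOAD_KW = 600.0
HVAC_LOAD_KW = 450.0


def protected_load(it_kw: float, hvac_kw: float, include_hvac: bool = True) -> float:
    """Total load the backup system must carry. Leaving HVAC out is the
    sizing mistake the chapter warns about."""
    return it_kw + (hvac_kw if include_hvac else 0.0)


def worst_case_capacity(assets: Dict[str, float], failures: int) -> float:
    """Capacity left after the `failures` largest assets are lost.
    This is the deterministic N-k view: it assumes nothing about which
    asset fails, only how many."""
    if failures >= len(assets):
        return 0.0
    ascending = sorted(assets.values())
    return sum(ascending[: len(ascending) - failures])


def meets_criterion(assets: Dict[str, float], load_kw: float, failures: int) -> bool:
    """True when the design satisfies N-<failures> for the given load."""
    return worst_case_capacity(assets, failures) >= load_kw


def failing_combinations(assets: Dict[str, float], load_kw: float,
                         failures: int) -> List[Tuple[str, ...]]:
    """Every set of `failures` assets whose loss leaves the load unserved.
    In a design review this names the weak points instead of a bare pass/fail."""
    total = sum(assets.values())
    bad = []
    for combo in combinations(assets, failures):
        lost = sum(assets[name] for name in combo)
        if total - lost < load_kw:
            bad.append(combo)
    return bad


def assess(assets: Dict[str, float], it_kw: float, hvac_kw: float) -> Dict[bool, dict]:
    """N-1 and N-2 status, computed once without HVAC and once with it,
    so the effect of forgetting the HVAC load is visible side by side."""
    report = {}
    for include_hvac in (False, True):
        load = protected_load(it_kw, hvac_kw, include_hvac)
        report[include_hvac] = {
            "load_kw": load,
            "n_minus_1": meets_criterion(assets, load, 1),
            "n_minus_2": meets_criterion(assets, load, 2),
            "n_minus_1_gaps": failing_combinations(assets, load, 1),
        }
    return report


if __name__ == "__main__":
    for include_hvac, result in assess(GENERATORS_KW, IT_LOAD_KW, HVAC_LOAD_KW).items():
        label = "IT + HVAC" if include_hvac else "IT only"
        print(f"{label:10s} load={result['load_kw']:.0f} kW "
              f"N-1={result['n_minus_1']} N-2={result['n_minus_2']} "
              f"gaps={result['n_minus_1_gaps']}")
```

With the constructed figures, three 500 kW generators look N-1 compliant against the IT load alone but fail N-1 once the 450 kW of HVAC is included, which is exactly the situation the chapter's second critical thinking exercise describes. The check is deliberately deterministic; it does not model the probability of simultaneous failures, fuel logistics, or generator start-up time, each of which the chapter treats separately.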

Equipment Maintenance Organizations should perform maintenance of information-processing equipment based on the manufacturer’s recommended service intervals and specifications. The task of fixing and servicing the equipment should be done only by authorized personnel. Record, document, and retain a log of all faults noticed. All maintenance services to the equipment, whether performed onsite or after the equipment is sent off the premises, also need to be recorded and tracked. Consider statistical process control (SPC) techniques to forecast failures. For example, track the failure rate of disk drives. Based on the analysis, it is sometimes less expensive to perform prospective maintenance by replacing all drives at one time.

Physical Security of Equipment Off-Premises Information-processing equipment policies must include personal computers and laptops used for working in an office or at home. The organization should apply appropriate information assurance controls to secure equipment off-premises. Use of any equipment outside an organization’s premises should be authorized by management. Prior to granting authorizations, management should carefully consider the risks of working outside the organization. Users should also be educated about the approved methods of handling equipment off-premises, for example, procedures for locking down equipment and for responding to its damage, loss, or theft.

Do not allow personnel to use personal software or data on organization-owned equipment except as provided in BYOD and BYOS policies. All data on the computer should be encrypted and protected to the same level as if it were on an internal system. No encryption should be allowed unless the key is held or escrowed by the organization. No company information should be stored on the system if it is not also backed up internally. The loss of the system should not compromise operations.

Remind employees they are bound by the same rules when using portable, BYOD, BYOS, and off-premises systems as they are when at their desk in the office. Employees forget that portable systems are not theirs and sometimes adopt undesirable habits. Explicitly prohibit the following activities on organization-owned systems, even if off-premises:

      • Becoming involved in partisan politics

      • Causing alteration, congestion, disablement, disruption, or impairment of organization networks or systems

      • Defeating or attempting to defeat security restrictions on company systems and applications

      • Engaging in malicious activities

      • Engaging in personal business

      • Engaging in private activities

      • Engaging in unlawful activities

      • Misrepresenting oneself

      • Misrepresenting the company

      • Sending, receiving, distributing, or accessing pornographic materials

      • Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages

      • Using recreational games

Secure Disposal and Reuse of Equipment

Careless disposal, disposition, or recycling of equipment can put information at risk. Storage devices have long-term memory, so simple file deletion is insufficient. Destroy them! Recovering overwritten data on hard drives, removable disks, and tapes is not impossible. There are software tools that can be downloaded freely from the Internet that may recover the data easily. Proper protection and disposal of sensitive or confidential information is important. This is the dissolution of the system.

Properly sanitized, obsolete equipment may be donated to charities or, for environmental reasons, disposed of by third parties. Take proper precautions to ensure that all information stored in the equipment is eradicated prior to donation or disposal. Prior to disposal, a thorough check should be made to verify that any sensitive information and licensed software are completely erased or overwritten. It is advisable that equipment with hard disks containing sensitive information not be passed on. If the data is valuable, it is less expensive to buy a new drive for any machine you donate.

Equipment sent for repair is equally prone to unauthorized reading of data from deleted storage devices. Therefore, the device should undergo thorough erasing and overwriting to wipe out the data instead of via the standard delete function. If this is not practical, ship it for repair without the disk drive.

Clear Desk and Clear Screen Policy

On another physical security front, the implementation of a clear desk and clear screen policy is an effective control for organization information assets. Not only information-processing resources, but also printed papers or media containing confidential information will be protected. When developing the policy, the organization should consider such matters as information assurance classifications and the organization’s risk assessment results.

Apply the following guidelines:

      • Lock away classified material when not in the area.

      • Do not leave classified information on unattended printers.

      • Log off sessions or protect the system with a key lock whenever personal computers or computer terminals are left unattended; use passwords and protected screensavers to provide protection.

      • Secure incoming and outgoing mail boxes and unattended fax machines to avoid unauthorized access.

      • Use a suitable storage place (ideally in a cabinet or fire-resistant safe) when paper or electronic storage media that holds sensitive information is not needed.

Handling of Media

Protect all media used to store information. In addition to data storage media, remember other devices that create processes or transmit the information may also store information. Apply a method appropriate to the sensitivity and value of the information to safeguard it from the time of creation to the time of disposal and dissolution of the system.

Employ suitable procedures to protect all media from physical damage, theft, loss, unauthorized access, or other attacks. To preserve the confidentiality of information stored in media, exercise methods to remove the data completely prior to discarding media or any other devices. The following sections discuss the physical security controls to protect media.

Management of Removable Media

Removable media is the most common form of storage device today. A few examples of commonly used removable media are USB flash drives, memory cards, mobile phones, digital cameras, and MP3 players. Since these devices are cheap, they are the obvious way to store information such as business proposals, accounts, clients’ details, and marketing plans.

Current popular media, such as iPods, USB flash drives, mobile phones with removable SD cards, and even digital cameras with flash memory, can be used to transport confidential information away from an organization’s network (exfiltration). Another potential danger of portable media storage devices is that they can completely bypass perimeter defenses such as firewalls and antivirus software on a mail server and introduce malicious software such as Trojan horses or viruses onto organizations’ networks. In late 2008 and early 2009, these attacks became more effective.

Organizations should ensure that the correct physical and information assurance controls are implemented to manage the use of removable media devices securely. This will aid in minimizing damage from malicious code and loss of proprietary information or intellectual property and consequently avoid lawsuits and loss of reputation.

Inform employees about policies about removable media. With policies and procedures in place, restrictions or prohibition of removable media usage from critical activities can be enforced. As mentioned earlier, encryption and key escrow for authorized copying of corporate information to removable media are mandatory. Aligning this policy and procedure with other corporate policies and procedures will assist in enforcing controls.

Disposal of Media

Disposal of media follows the same procedures as mentioned in the section “Secure Disposal and Reuse of Equipment” earlier in the chapter. To guard against exposing and damaging an organization’s image and reputation, the organization should practice proper methods for disposing of media. Management should establish procedures for disposing of and destroying media containing sensitive information. These procedures should be risk-based relative to the sensitivity of the information and the types of media used to store it. Disposal procedures should acknowledge that records kept on media such as tapes and disk drives can cause disposal problems because residual data can remain on the media even after erasure. Since such data can be retrieved, additional disposal techniques should be applied to remove sensitive information entirely.

The following are some guidelines of proper media disposal:

      • Electronic media containing sensitive customer information should be degaussed prior to disposal. Degaussing completely erases the information stored on the magnetic surface.

      • Printed materials, which hold confidential and restricted data, should be destroyed in a secure way, such as by shredding or burning.
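The section “Secure Disposal and Reuse of Equipment” and the media disposal guidelines above both rest on the same claim: deleting a file removes only the reference to it, while the bytes stay on the media until they are overwritten. The following added example, which is not code from the chapter, models that with a toy block device: an in-memory image, a directory of file extents, a delete that only drops the directory entry, a carve function that scans the raw image the way a recovery tool does, and an overwrite-and-verify sanitization. The disk layout, file name, and sample content are all constructed for illustration.

```python
"""Added example (not from the chapter): a toy block device showing why
file deletion leaves data recoverable and what overwrite-and-verify
sanitization changes. The layout is invented for illustration."""
import os
from typing import Dict, Optional, Tuple

SECTOR = 16  # constructed: tiny sectors keep the image easy to inspect


class ToyDisk:
    """Directory maps a file name to (start_sector, length_in_bytes).
    Deleting only removes the directory entry, which mirrors how most
    filesystems behave and is the reason deletion is not sanitization."""

    def __init__(self, sectors: int):
        self.image = bytearray(sectors * SECTOR)
        self.directory: Dict[str, Tuple[int, int]] = {}
        self._next_free = 0

    def _extent(self, name: str) -> Tuple[int, int]:
        """Byte range of every sector allocated to the file, slack included."""
        start, length = self.directory[name]
        n_sectors = -(-length // SECTOR)  # ceiling division
        return start * SECTOR, (start + n_sectors) * SECTOR

    def write_file(self, name: str, data: bytes) -> None:
        n_sectors = -(-len(data) // SECTOR)
        if self._next_free + n_sectors > len(self.image) // SECTOR:
            raise ValueError("disk full")
        lo = self._next_free * SECTOR
        self.image[lo:lo + len(data)] = data
        self.directory[name] = (self._next_free, len(data))
        self._next_free += n_sectors

    def read_file(self, name: str) -> bytes:
        start, length = self.directory[name]
        lo = start * SECTOR
        return bytes(self.image[lo:lo + length])

    def delete(self, name: str) -> None:
        del self.directory[name]  # the bytes stay on the media

    def carve(self, marker: bytes) -> Optional[bytes]:
        """What a free recovery tool does: ignore the directory and scan
        the raw image for a known pattern."""
        i = self.image.find(marker)
        return None if i < 0 else bytes(self.image[i:i + len(marker)])

    def sanitize(self, name: str, passes=(b"\x00", b"\xff", None)) -> bool:
        """Overwrite every allocated sector of the file with fixed patterns
        and a final random pass, reading each pass back to verify it
        landed, then delete the entry. Returns False if a verify fails."""
        lo, hi = self._extent(name)
        size = hi - lo
        for pattern in passes:
            fill = os.urandom(size) if pattern is None else pattern * size
            self.image[lo:hi] = fill
            if bytes(self.image[lo:hi]) != fill:
                return False
        self.delete(name)
        return True


def delete_only(secret: bytes, marker: bytes) -> Optional[bytes]:
    """Write, delete with the standard delete, then try to carve the data."""
    disk = ToyDisk(8)
    disk.write_file("ledger.txt", secret)
    disk.delete("ledger.txt")
    return disk.carve(marker)


def overwrite_then_delete(secret: bytes, marker: bytes) -> Optional[bytes]:
    """Write, sanitize by overwriting, then try to carve the data."""
    disk = ToyDisk(8)
    disk.write_file("ledger.txt", secret)
    if not disk.sanitize("ledger.txt"):
        raise RuntimeError("overwrite verification failed")
    return disk.carve(marker)


if __name__ == "__main__":
    sample = b"ACCT-4411 balance 9,812"  # constructed sample content
    print("after delete only:", delete_only(sample, b"ACCT-4411"))
    print("after overwrite:  ", overwrite_then_delete(sample, b"ACCT-4411"))
```

The toy models a simple magnetic layout. On flash media the controller's wear levelling can leave old copies of a block in cells that a file-level overwrite never reaches, which is one reason the chapter prefers physical destruction, and why degaussing is listed only for magnetic media.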

Further Reading

      • Bowen, P., et al. Information Security: A Guide for Managers (Special Publication 800-100). NIST, 2006.

      • International Organization for Standardization and the International Electrotechnical Commission. Information Technology – Security Techniques – Information Security Management Systems – Requirements (ISO/IEC 27001). ISO/IEC, 2005.

      • NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals, CNSS, 2004. https://www.cnss.gov/CNSS/issuances/Instructions.cfm.

      • Nichols, R., D. Ryan, and J. Ryan. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Education, 2000.

      • Physical and Environmental Security Guideline. Information Technology at Emory University, Atlanta. http://it.emory.edu/showdoc.cfm?docid=1860.

      • Ross, R., et al. Guide for Assessing the Security Controls in Federal Information Systems, (Special Publication 800-53 Rev 1). NIST, 2008.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and M. Krause. Information Security Management Handbook, 5th edition. Auerbach, United States, 2006.

      • Tipton, Harold F., and S. Hernandez, ed. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

Critical Thinking Exercises

        1. An organization is renting office space and has noticed several new building maintenance personnel requesting access above and below the organization’s server room. An employee thinks she saw one of them plugging a cable into a “box” in the server room when she was in the room trying to get a system to restart. What should the organization do?

        2. An organization has just finished implementing its contingency plan. It has a large data center and has installed several generators, fuel tanks, two power supplies from MEGA Power Company, and UPS devices. After installing the new UPS devices, the organization also noted it needed to update its chillers because the UPS systems were generating more heat than the chillers could cool. Once the chillers were finished being installed, the senior leadership of the organization announced they were prepared for the worst! Are they correct?
