Implementing Physical Protection

1. AIS 304 : Week 11
Part II

2. Physical security requires that building site(s) be safeguarded
in a way that minimizes the risk of resource theft and
destruction. To accomplish this, decision-makers must be
concerned about building construction, room assignments,
emergency procedures, regulations governing equipment
placement and use, power supplies, product handling, and
relationships with outside contractors and agencies.

3. The physical plant must be satisfactorily secured to prevent those
people who are not authorized to enter the site and use equipment
from doing so. A building does not need to feel like a fort to be safe.
Well-conceived plans to secure a building can be initiated without
adding undue burden on your staff. After all, if they require access,
they will receive it--as long as they were aware of, and abide by, the
organization's stated security policies and guidelines. The only way to
ensure this is to demand that before any person is given access to
your system, they have first signed and returned a valid Security
Agreement. This necessary security policy is too important to permit
exceptions.

4. Physical Threats (Examples)
Examples of physical threats include:
a. Natural events (e.g., floods, earthquakes, and tornados)
b. Other environmental conditions (e.g., extreme temperatures, high
humidity, heavy rains, and lightning)
c. Intentional acts of destruction (e.g., theft, vandalism, and arson)
d. Unintentionally destructive acts (e.g., spilled drinks, overloaded
electrical outlets, and bad plumbing)

5. Physical Security Countermeasures
The following countermeasures address physical security
concerns that could affect your site(s) and equipment. These
strategies are recommended when risk assessment identifies
or confirms the need to counter potential breaches in the
physical security of your system.

6. Countermeasures come in a variety of sizes, shapes, and levels of
complexity. This document endeavors to describe a range of strategies
that are potentially applicable to life in education organizations. In an
effort to maintain this focus, those countermeasures that are unlikely
to be applied in education organizations are not included here. If after
your risk assessment, for example, your security team determines
that your organization requires high-end countermeasures like retinal
scanners or voice analyzers, you will need to refer to other security
references and perhaps even need to hire a reliable technical
consultant.

7. Create a Secure Environment: Building and Room
Construction
Don't arouse unnecessary interest in your critical facilities: A
secure room should have "low" visibility (e.g., there should
not be signs in front of the building and scattered throughout
the hallways announcing "expensive equipment and sensitive
information this way").

8. Create a Secure Environment: Building and Room
Construction
Maximize structural protection: A secure room should have full height
walls and fireproof ceilings.
Minimize external access (doors): A secure room should only have one
or two doors--they should be solid, fireproof, lockable, and observable
by assigned security staff. Doors to the secure room should never be
propped open.

9. Create a Secure Environment: Building and Room
Construction
Minimize external access (windows): A secure room should not have
excessively large windows. All windows should have locks.
Maintain locking devices responsibly: Locking doors and windows can
be an effective security strategy as long as appropriate authorities
maintain the keys and combinations responsibly. If there is a breach,
each compromised lock should be changed.

10. Investigate options other than traditional keyhole locks for
securing areas as is reasonable: Based on the findings from
your risk assessment, consider alternative physical security
strategies such as window bars, anti-theft cabling (i.e., an
alarm sounds when any piece of equipment is disconnected
from the system), magnetic key cards, and motion detectors.

11. Recognize that some countermeasures are ideals and may not be
feasible if, for example, your organization is housed in an old building.
Be prepared for fire emergencies: In an ideal world, a secure room
should be protected from fire by an automatic fire-fighting system.
Note that water can damage electronic equipment, so carbon dioxide
systems or halogen agents are recommended. If implemented, staff
must be trained to use gas masks and other protective equipment.
Manual fire fighting equipment (i.e., fire extinguishers) should also be
readily available and staff should be properly trained in their use.

12. Maintain a reasonable climate within the room: A good rule
of thumb is that if people are comfortable, then equipment is
usually comfortable--but even if people have gone home for
the night, room temperature and humidity cannot be
allowed to reach extremes (i.e., it should be kept between 50
and 80 degrees Fahrenheit and 20 and 80 percent humidity).
Note that it's not freezing temperatures that damage disks,
but the condensation that forms when they thaw out.

13. Be particularly careful with non-essential materials in
a secure computer room: Technically, this guideline should read
"no eating, drinking, or smoking near computers," but it is quite
probably impossible to convince staff to implement such a regulation.

14. Other non-essential materials that can cause problems
in a secure environment and, therefore, should be
eliminated include curtains, reams of paper, and other
flammables.

15. Guard Equipment:
Keep critical systems separate from general systems:
Prioritize equipment based on its criticality and its role
in processing sensitive information. Store it in secured
areas based on those priorities.

16. Guard Equipment:
House computer equipment wisely: Equipment should not be able to
be seen or reached from window and door openings, nor should it be
housed near radiators, heating vents, air conditioners, or other duct
work. Workstations that do not routinely display sensitive information
should always be stored in open, visible spaces to prevent covert use.
Protect cabling, plugs, and other wires from foot traffic: Tripping over
loose wires is dangerous to both personnel and equipment.

17. Guard Equipment:
Keep a record of your equipment: Maintain up-to-date
logs of equipment manufacturers, models, and serial
numbers in a secure location. Be sure to include a list
of all attached peripheral equipment. Consider
videotaping the equipment (including close-up shots)
as well. Such clear evidence of ownership can be
helpful when dealing with insurance companies.

18. Guard Equipment:
Maintain and repair equipment: Have plans in place for emergency
repair of critical equipment. Either have a technician who is trained to
do repairs on staff or make arrangements with someone who has
ready access to the site when repair work is needed. If funds allow,
consider setting up maintenance contracts for your critical
equipment. Local computer suppliers often offer service contracts for
equipment they sell, and many workstation and mainframe vendors
also provide such services.

19. Guard Equipment:
Once you've set up the contract, be sure that contact information is
kept readily available. Technical support telephone numbers,
maintenance contract numbers, customer identification numbers,
equipment serial numbers, and mail-in information should be posted
or kept in a log book near the system for easy reference. Remember
that computer repair technicians may be in a position to access your
confidential information, so make sure that they know and follow
your policies regarding outside employees and contractors who access
your system.

20. Rebuff Theft
Identify your equipment as yours in an overt way: Mark your
equipment in an obvious, permanent, and easily identifiable
way. Use bright (even fluorescent) paint on keyboards,
monitor backs and sides, and computer bodies. It may
decrease the resale value of the components, but thieves
cannot remove these types of identifiers as easily as they can
adhesive labels.

21. Rebuff Theft
Losing a computer to theft has both financial costs
(the replacement value of the equipment) and
information costs (the files contained on the hard
drive).

22. Rebuff Theft
Identify your equipment as yours in a covert way: Label the
inside of equipment with the organization's name and
contact information to serve as powerful evidence of
ownership.
Make unauthorized tampering with equipment difficult:
Replace regular body case screws with Allen-type screws or
comparable devices that require a special tool (e.g., an Allen
wrench) to open them.

23. Rebuff Theft
Limit and monitor access to equipment areas: Keep an up-to-date list
of personnel authorized to access sensitive areas. Never allow
equipment to be moved or serviced unless the task is pre-authorized
and the service personnel can produce an authentic work order and
verify who they are. Require picture or other forms of identification if
necessary. Logs of all such activity should be maintained. Staff should
be trained to always err on the cautious side (and the organization
must support such caution even when it proves to be inconvenient).

24. Attend to Portable Equipment and Computers:
Never leave a laptop computer unattended: Small,
expensive things often disappear very quickly--even
more quickly from public places and vehicles!

25. Attend to Portable Equipment and Computers:
Store laptop computers wisely: Secure laptops in a
hotel safe rather than a hotel room, in a hotel room
rather than a car, and in a car trunk rather than the
back seat.

26. Attend to Portable Equipment and Computers:
Stow laptop computers appropriately: Just because a
car trunk is safer than its back seat doesn't mean that
the laptop won't be damaged by an unsecured tire
jack. Even if the machine isn't stolen, it can be ruined
all the same. Stow the laptop and its battery safely!

27. Attend to Portable Equipment and Computers:
Don't leave a laptop computer in a car trunk overnight
or for long periods of time: In cold weather,
condensation can form and damage the machine. In
warm weather, high temperatures (amplified by the
confined space) can also damage hard drives.

28. Regulate Power Supplies:
Be prepared for fluctuations in the electrical power
supply: Do so by (1) plugging all electrical equipment
into surge suppressors or electrical power filters; and
(2) using Uninterruptible Power Sources (UPSs) to
serve as auxiliary electrical supplies to critical
equipment in the event of power outages.

29. Regulate Power Supplies:
Pay attention to the manufacturer's recommendations
for storing portable computer batteries--they carry
live charges and are capable of igniting fires if not
handled properly.

30. Regulate Power Supplies:
Protect power supplies from environmental threats:
Consider having a professional electrician design or
redesign your electrical system to better withstand
fires, floods, and other disasters.

31. Regulate Power Supplies:
Select outlet use carefully: Although little thought
generally goes into plugging equipment into an outlet,
machines that draw heavily from a power source can
affect, and be affected by, smaller equipment that
draws energy from the same outlet.

32. Regulate Power Supplies:
Guard against the negative effects of static electricity
in the office place: Install anti-static carpeting and
anti-static pads, use anti-static sprays, and encourage
staff to refrain from touching metal and other static-
causing agents before using computer equipment.

33. Protect Output:
Keep photocopiers, fax machines, and scanners in
public view: These types of equipment are very
powerful tools for disseminating information--so
powerful, in fact, that their use must be monitored.

34. Protect Output:
Assign printers to users with similar security clearances: You
don't want employees looking at sensitive financial information
(e.g., staff salaries) or confidential student information (e.g.,
individual records) while they are waiting for their documents
to print. It is better to dedicate a printer to the Director of
Finance than to have sensitive data scattered around a general
use printer. Don't hesitate to put printers in locked rooms if
that is what the situation demands.

35. Protect Output:
Label printed information appropriately: Confidential
printouts should be clearly identified as such.

36. Protect Output:
Demand suitable security procedures of common
carriers when shipping/receiving confidential
information: Mail, delivery, messenger, and courier
services should be required to meet your
organization's security standards when handling your
confidential information.

37. Protect Output:
Dispose of confidential waste adequately: Print copies
of confidential information should not be placed in
common dumpsters unless shredded.

38. Trent couldn't believe his eyes. Displayed before him on a monitor in the high school computer lab were the grades of
every student in Mr. Russo's sophomore English classes:
Student Name Grades Comments
Linda Foster: C-, C, C+, CImproving slightly, but unable to make sufficient gains; a candidate for learning disability
testing?
All Trent had done was hit the “Restore" function in the word processing software to correct a saving mistake he had
made, and suddenly a hard drive full of Mr. Russo's files were there for the taking. Luckily for Mr. Russo, his sophomores,
and the school, Trent realized that something was very wrong. He asked the lab supervisor, Ms. Jackson, where the
computers had come from.
"Most of them have been recycled," she admitted. "Teachers and administrators were given upgrades this year, so their old
machines were put to good use in the labs. They should still be powerful enough to handle your word processing. Why?"
Trent showed Ms. Jackson what he had uncovered about the sophomore English students. She gasped, "Oh my goodness,
they gave us all these computers without clearing the hard drives properly. I bet it's that way across the district. Trent, you
may have just saved us from a potentially disastrous situation. That information is private and certainly shouldn't be sitting
here for anyone in the computer lab to see. I've got some phone calls to make!"