Physical security measures
This article is part of the Wiki book about information security (the basics).
The previous chapters examined the organization of information security and discussed risk analysis. A risk analysis results in a set of security measures that fit the risk profile determined for the organization.
Some of the measures that result relate to the physical security of the organization. It all depends on the type of organization. For an organization that has a public function, access to the buildings and the site will be fairly unrestricted. An example of this is a public library. On the other hand, there may be organizations that make products only under very strict security. One example is an organization in the pharmaceutical industry that is subject to very stringent requirements in the area of hygiene and confidentiality regarding the formulae used.
This chapter will take a closer look at physical measures.
Physical security is part of information security because all business assets must be physically protected as well. Physical security is older than information security; just think of the protection a castle provides those inside. Protecting information became important later. Traditionally, physical security is provided by the general and technical services managers, who use their own particular methods and techniques to set up the physical security. In many organizations, the coordination between those in charge of physical security and information security is of great importance. We will also examine the various areas of responsibility that those in charge of information security have to take into account.
The world of physical security employs a combination of organizational, structural and electronic measures. Physical measures need to be planned and coordinated in a coherent way. For example, attaching security cameras will only really be effective if structural measures have been taken and if careful thought has been given to their purpose and placement. What’s more, the organization must follow up on anything detected or seen; otherwise installing a camera is totally pointless.
What is often forgotten is that technical measures also apply to temporary (emergency) locations.
Physical security also includes the protection of equipment through climate control (air conditioning, air humidity), the use of special fire extinguishers and the provision of ’clean’ energy. Clean energy refers to the prevention of peaks and troughs (dirty energy) in the power supply and the fact that the power is filtered.
Cables must be laid in such a way that no interference can occur. Interference is when the network cables pick up the noise and static from the power cables that run parallel with them. These effects are often not visible or audible. An example of this effect can be heard when mobile phones cause disturbance in speakers or radios. Cable ducts also have to be protected. Server rooms often use separate power supplies. It is not unusual for a server to have two power supplies, each connected to their own group.
Equipment / media
It must be clear to the employees of an organization how they should deal with storage media. Specific measures may apply to certain equipment; consider, for example, the deletion of confidential information on the storage media when a person leaves the organization. Storage media includes more than just the obvious forms such as USB sticks and hard disks. Many printers can store information on their own hard disk. Documents can be temporarily stored on printers and can be partially retrieved.
It is also possible to store a great deal of information on mobile equipment, such as telephones, USB sticks, memory cards, organizers, blackberries, and laptops. It is important that an employee who leaves the company returns all their equipment and that the information contained on it is deleted. There must also be procedures for when such equipment is lost or stolen.
All business assets have a certain value, and depending on that value, as well as the threats and risks to these assets, measures must be taken. Physical security measures are taken to protect information from fire, theft, vandalism, sabotage, unauthorized access, accidents and natural disasters.
Where does physical security start?
Physical security does not start at the workstation or workplace but outside the premises of the business. It has to be impossible to easily access the company assets that are to be protected. This can be illustrated simply and clearly by thinking in terms of a series of rings:
- Outer ring – Area around the premises;
- Building – The access to the premises;
- Working space – The rooms in the premises;
- Object – The asset that is to be protected.
The outer ring
The outer ring that surrounds the business premises can be protected by natural and architectural barriers. Natural barriers can be, for example, thick vegetation or a river. Examples of architectural barriers include fences, barbed wire, and walls. All architectural barriers are subject to strict rules.
The outer ring must allow access to authorized persons, so barriers must always employ personal and/or electronic verification. These days there are many types of electronic sensors that are available, but we will not discuss these here.
The area between the outer ring and the business premises can be used for surveillance by a security guard and for auxiliary services such as, for example, parking, where the parking area is preferably screened off from the building. Such areas must have the appropriate lighting and possibly camera surveillance.
There are situations where there is no outer ring. In these cases architectural measures such as windows, doors and other openings are important. It is, of course, best that these measures are taken whilst the premises are being built, as modifying an existing building can be very expensive.
Architectural measures are also subject to strict regulations. There are various ways of making openings in the premises secure; for example the use of break-resistant glass and doors with the correct frame and hinge mechanisms. The measures must be in line with the level of protection required by the organization.
In addition to the traditional locks, of which there are many types, in recent years increasing use has been made of electronic means to control access to buildings. Such means include card systems and code locks. Biometric equipment is still not commonly used.
In protecting the building, attention must also be given to the roof and walls. Cameras can again help with this.
There are various options available to manage the access to a business premises:
Electronic access management
Many organizations use pass systems with wireless RFID passes. These are currently the most widely used systems, but are being widely discussed as they can be ’tapped’, copied and mimicked.
|In the news|
In more than half of the maternity wards in the American state of Ohio, both mother and child are given an RFID tag in the form of a wrist band or ankle band. In this way the wards hope to ensure that babies do not go missing and are not abducted or given to the wrong parents.
In addition to RFID passes, there are other sorts of passes that cannot be tapped.
When using access passes, one must take a few rules into account:
1. Put a photo on the pass. This makes copying a little more difficult. Both the security system and the personnel are then able to check whether the pass belongs to the bearer;
2. Do not put the company name or logo on the pass, use a neutral design. If someone finds the pass, its purpose must not be obvious;
3. Require staff to wear the pass visibly. This should also apply to visitors, so that security and personnel can detect and approach anyone not wearing such a pass. Ensure that a system is set up whereby people who do not have a pass are escorted to the security staff.
For special rooms, strong authentication measures can also be used, in which additional security measures are taken on top of the access passes, such as:
1. Something that you know, for example a PIN code
2. Something that you have, for example a pass
3. Something that is part of you, therefore biometrics such as a fingerprint or an iris scan
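The rule above as a door-controller decision, added here as an illustration and not part of the original chapter: a pass opens ordinary doors, while a special room also needs a verified factor from a second category. The door names, pass IDs and the `decide` function are hypothetical.

```python
from dataclasses import dataclass

# The three factor categories from the list above.
KNOW, HAVE, ARE = "know", "have", "are"


@dataclass(frozen=True)
class Door:
    name: str
    special: bool = False   # special room: the pass alone is not enough


@dataclass(frozen=True)
class AccessPass:
    pass_id: str
    doors: frozenset        # names of the doors this pass is authorised for
    revoked: bool = False   # e.g. reported lost or stolen, or the holder has left


def decide(door, access_pass, verified):
    """Return (granted, reason) for one access attempt.

    verified holds the (category, method) pairs the reader has already
    checked for this attempt, e.g. [(HAVE, "pass"), (KNOW, "pin")].
    """
    categories = {category for category, _ in verified}
    if access_pass is None or HAVE not in categories:
        return False, "no valid pass presented"
    if access_pass.revoked:
        return False, "pass revoked"
    if door.name not in access_pass.doors:
        return False, "pass not authorised for this door"
    # Two methods from the same category (pass plus key fob) still count as
    # one factor, so count distinct categories rather than methods.
    if door.special and len(categories) < 2:
        return False, "second factor from another category required"
    return True, "ok"


# Constructed sample data (hypothetical names, not from the chapter).
OFFICE = Door("office-2.14")
SERVER_ROOM = Door("server-room", special=True)
EMPLOYEE = AccessPass("P-0017", frozenset({"office-2.14"}))
ADMIN = AccessPass("P-0042", frozenset({"office-2.14", "server-room"}))
STOLEN = AccessPass("P-0099", frozenset({"office-2.14"}), revoked=True)

if __name__ == "__main__":
    attempts = [
        (OFFICE, EMPLOYEE, [(HAVE, "pass")]),
        (SERVER_ROOM, EMPLOYEE, [(HAVE, "pass"), (KNOW, "pin")]),
        (SERVER_ROOM, ADMIN, [(HAVE, "pass")]),
        (SERVER_ROOM, ADMIN, [(HAVE, "pass"), (HAVE, "key fob")]),
        (SERVER_ROOM, ADMIN, [(HAVE, "pass"), (ARE, "fingerprint")]),
        (OFFICE, STOLEN, [(HAVE, "pass")]),
    ]
    for door, access_pass, verified in attempts:
        print(door.name, access_pass.pass_id, decide(door, access_pass, verified))
```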
|In the news|
In 2006, it was still something futuristic, but today the Dutch supermarket chain Albert Heijn and Equens have started a pilot whereby consumers can pay for their shopping using their fingerprint. The test will run for six months and will reveal what consumers think about this new payment method. "With Tip2Pay consumers can pay quickly, simply and safely by placing their finger on the scanner in the checkout lane." The fingerprint is linked to the address, bank account number and supermarket bonus card of the customer. At the end of the pilot, an evaluation will be carried out.
The use of security guards is the most expensive physical security measure. This measure can be supplemented by cheaper measures such as sensors and cameras that can be remotely monitored. In this case, there should always be a follow-up if an alarm were to go off.
It is best for the security personnel to also personally verify the access passes of those entering the building. This way it is harder to use fake passes.
The working space
Each working space may have its own particular function and so would be subject to its own security measures. For example, take a public building such as a town hall. We can enter the public areas of the town hall, but the offices are not accessible by everyone.
In rooms on the ground floor and other special rooms, various types of intruder detection are possible. This depends on the type of room (size, type of wall, height, contents). The most commonly used method is passive infrared detection. Of course, if the intruder detection system sets off an alarm, it requires an immediate response.
It is recommended that an organization set up special rooms and areas for suppliers to pick up and deliver goods so that they do not have access to the same business assets and information as the company’s employees. The restriction of access is a preventive measure. There are a number of other important special rooms:
Server rooms and network rooms deserve a separate mention as they have to be approached separately when considering physical security. Server rooms and network rooms contain sensitive equipment that is vulnerable to humidity and warmth, and produce heat themselves. Also, an information system can stop functioning due to a power failure. One of the greatest threats to a server room is fire.
In addition to architectural requirements, server and network rooms also have special access control requirements.
Media such as backup tapes must not be stored in network rooms. It is best to store the tapes elsewhere, so that the tapes are not damaged in the event of a disaster. There’s nothing worse than discovering after a fire that none of the information can be recovered because the backups have also been destroyed.
In server rooms, the air has to be cooled and the heat produced by the equipment must be transported away. This air is also dehumidified and filtered. What often happens is that extra equipment is placed in the room without then adjusting the cooling capacity of the room.
In an organization a cooling installation was placed in the server room many years ago. In the years that followed more equipment was placed in the room, but the cooling capacity of the room was not increased. Eventually the cooling system broke down, causing the temperature to rise. As a result, the servers failed, leaving the business without any central computer system for several days.
Equipment uses power, often a lot of power. In server rooms, it is advisable to use several independent power supplies. A number of other measures are used in addition to this:
Battery packs or an Uninterruptible Power Supply (UPS) which, in addition to adjusting for dips in the power, filters the power and absorbs any peaks.
Battery packs do not last forever, so it is wise to also have an emergency generator to provide power for outages longer than the battery can cover. The generator needs to be tested regularly and must be supplied with sufficient fuel for a sufficiently long period of time.
Power failures are a problem not only for computers but also for production companies.
|In the news|
STEENWIJK, the Netherlands – On Thursday morning, households from some areas in the provinces of Overijssel and Drenthe were hit by a power failure. Households and businesses now have their power back. The power failure was caused by a fire that started at 8:40 in the morning in the main power station of the energy supplier in Steenwijk. It affected more than 10,000 homes and businesses. The residents were kept up to date on events by the police who drove around in sound trucks. Extra police had to be called in.
The management of a plastics company in Steenwijk is now experiencing problems with the continuity of its business. They are able to accommodate a dip in the power for a maximum of ten minutes, but after that the plastic begins to harden in the moulds and, in doing so, produces by-products that damage the moulds. The power had failed once before this week.
Some shops were not able to open, and those that did manage to open could only deal with payments manually and had to take cash. The stock inventory system could not be adjusted, which made the logistics planning a nightmare.
Server rooms must not contain any moisture. For this reason, the air in these rooms is dehumidified. We must also ensure that no water pipes and central heating equipment have been fitted in the server rooms. These days it is possible to water-cool equipment, but such solutions must be inspected very carefully.
See also: Fire safety
Fire is one of the biggest threats that a special room, such as a server room or network room, can face. Certain measures are relevant here at all times:
- Smoke alarms to detect the smoke;
- Fire extinguishing equipment. If a fire breaks out, it must be extinguished quickly with the appropriate fire extinguishing equipment;
- No packaging material should be stored in these rooms. A server room is not a warehouse;
- Backup tapes should not be stored in the server room or the building itself;
- The cables used can be made extra fire-resistant.
Storage of sensitive materials
Separate rooms can also be used to store sensitive materials. This can be information, but also medicines or expensive items. These rooms require extra measures to ensure their security. Access to special rooms must be checked, preferably by including these rooms in the access control system of the premises.
The "object" refers to the most sensitive part that has to be protected, the inner ring. Various options are available for storing and protecting sensitive materials:
'Clear desk policy'
In order to ensure that sensitive materials cannot be easily removed, a clear desk policy is necessary. No information should be left unattended on a desk, and after working hours all information must be stored in something that can be locked.
A cabinet is the simplest way of storing things. It has to be possible to lock the cabinet, and the key must not be kept nearby. A cabinet is not particularly resistant against fire and can be relatively easily broken into.
Fire-resistant cabinets or security cabinets
A fire-resistant cabinet protects the contents against fire. Fire-resistant cabinets are available in various classes that indicate the degree to which they are fire resistant. Fire-resistant cabinets are not safes but they can also have burglary-resistant properties.
Fire-resistant cabinets are a good means for storing, for example, backup tapes, paper documents and money. It should be pointed out here that the backup tapes of a system must not be stored in the same premises as the information system. If the premises were to be completely destroyed, the tapes must still be intact.
Fire-resistant cabinets or safes can be cemented in and can sometimes be entire rooms.
Fire-resistant cabinets or safes can have a variety of locks and protections against break-in.
Physical security uses various types of sensors. The most common are:
- Passive infrared detection. These sensors are usually used indoors and detect temperature changes within a certain distance of the sensor;
- Cameras. These sensors record images which can be viewed at a later time. Certain smart software allows automatic checks to be carried out;
- Vibration detection. These sensors detect vibrations;
- Glass break sensors. These sensors detect when a window has been broken;
- Magnetic contacts. These sensors detect when a door or window is opened.
The sensors must be connected to an intruder detection system and should be well monitored. There are some systems that can even automatically contact an emergency center of a third party such as a security firm which is responsible for the monitoring. In any case, whenever an alarm is set off, the cause must be investigated. A logbook should be kept of all alarms.
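A sketch of how such a logbook can be checked for alarms that were never investigated, investigated late, or closed without a recorded cause. This is an added example, not part of the original chapter; the log format, the alarm IDs and the 15-minute response limit are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed logbook format: "<ISO timestamp> <ALARM|INVESTIGATED> <alarm id> <details>"
ENTRY = re.compile(r"^(?P<ts>\S+) (?P<kind>ALARM|INVESTIGATED) (?P<id>\S+)(?P<rest>.*)$")
CAUSE = re.compile(r'cause="([^"]*)"')

# Constructed sample logbook (not real data).
SAMPLE_LOGBOOK = """\
2024-03-04T02:13:00 ALARM A-1041 sensor=pir-server-room
2024-03-04T02:19:00 INVESTIGATED A-1041 by=guard-2 cause="cleaner in corridor"
2024-03-04T03:40:00 ALARM A-1042 sensor=glass-break-ground-floor
2024-03-04T05:05:00 INVESTIGATED A-1042 by=guard-2 cause="cracked pane, wind"
2024-03-04T06:10:00 ALARM A-1043 sensor=magnetic-contact-loading-dock
2024-03-04T07:00:00 ALARM A-1044 sensor=vibration-safe-room
2024-03-04T07:04:00 INVESTIGATED A-1044 by=guard-1 cause=""
"""


def audit(logbook, max_delay=timedelta(minutes=15)):
    """Return (alarm id or line number, finding) pairs that need attention."""
    alarms, followups, findings = {}, {}, []
    for number, line in enumerate(logbook.splitlines(), start=1):
        if not line.strip():
            continue
        entry = ENTRY.match(line.strip())
        try:
            when = datetime.fromisoformat(entry["ts"]) if entry else None
        except ValueError:
            when = None
        if when is None:
            # A logbook entry nobody can read is itself a finding.
            findings.append((f"line {number}", "unparseable entry"))
            continue
        if entry["kind"] == "ALARM":
            alarms.setdefault(entry["id"], when)
        else:
            cause = CAUSE.search(entry["rest"])
            # Only the first investigation of an alarm counts as the response.
            followups.setdefault(entry["id"], (when, cause.group(1) if cause else ""))

    for alarm_id, raised in sorted(alarms.items(), key=lambda item: item[1]):
        if alarm_id not in followups:
            findings.append((alarm_id, "no follow-up recorded"))
            continue
        checked, cause = followups[alarm_id]
        delay = checked - raised
        if delay > max_delay:
            minutes = int(delay.total_seconds() // 60)
            findings.append((alarm_id, f"follow-up after {minutes} min"))
        if not cause.strip():
            findings.append((alarm_id, "no cause recorded"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_LOGBOOK):
        print(subject, finding)
```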
Fire protection is a special area within physical security. There are compulsory fire protection requirements that must be met.
Fire is a threat that can always occur. Measures therefore must be taken at all times to protect against it. Fires can start in various ways, such as short circuits, defective boilers, human action, faulty equipment, etc. Fires require the following components: flammable material, oxygen and ignition temperature. This is the ’fire triangle’. A fire can be combated using an extinguishing agent, the purpose of which is to break this fire triangle.
What sort of damage can be caused by fire?
- Damage by burning;
- Damage by heat;
- Damage by smoke;
- Damage by the extinguishing agents used.
In order to signal the presence of fire, smoke alarms are usually used and are usually connected to a separate system. It is very important that the smoke alarms are checked regularly.
Organizations should regularly carry out fire and evacuation drills so that everyone is familiar with the sound of the alarm and the evacuation procedures.
Fire extinguishing agents
Fire extinguishing agents are aimed at combating one or more of the three components of fire, and, in doing so, put out the fire. There are different sorts of fires, and therefore also different methods of putting out these fires. Examples of various sorts of fires include: fire caused by electricity, chemical substances that burn or flammable liquids. The various fire extinguishing agents include:
- Inert gases (a gas that suppresses oxygen) such as carbon dioxide, argon (noble gas), halons (no longer permitted), Inergen (brand name) and Argonite (brand name);
- Foam (water-based, not suitable for electricity);
- Powder (suitable for electricity, but damages metal);
- Water (not suitable for electricity).
Below we can see the fire extinguishing installation of a server room.
Emergency planning is the process that ensures that, in the event of an emergency such as the failure of an entire server room, measures are taken. We will take a closer look at the emergency planning process when we discuss Business Contingency Planning.
The chapter on Physical Security covers quite a lot of ground. In essence, you have been introduced to the manner in which we try to protect our property.
We first determine who is allowed to enter our grounds, whereby we decide whether or not to place a fence around the area. If we do, how high does the fence have to be? Do we install cameras inside and outside the building? Is everyone allowed to walk around the building, or do we use access control systems inside the building as well?
As you have read, physical security is by no means just protection against theft. It also has to do with the cooling of machines. An overheated server will quickly break down, which would then affect the continuity. Protecting cables against any form of disruption means a better working environment.
Emergency power equipment ensures that we can continue working if the power were to fail (temporarily).
Ultimately the various areas, such as availability, physical security and ICT security, are very closely linked to one another.
A large pharmaceutical company is going to build a new location at an industrial park for clean industries. It will have a campus-like layout with a park structure. The buildings must appear fairly accessible to the public, but visitors must not be able to approach the buildings unseen.
The access to the buildings must be arranged in a friendly yet secure manner, so that people only have access to those parts of the buildings for which they are authorized.
The confidentiality of the information, for example the formula used, is a top priority. If third parties were to gain access to this information this could cause serious damage to the competitive position of the company.
Various zones will be introduced within the buildings: a public zone and various increasingly confidential zones. In the production area absolute hygiene is required, as everything there is free of dust. The air has to be continually purified and kept at the correct temperature, pressure and humidity.
The computerized systems are controlled by the company in its own computing center. This equipment is of great importance to the production process and for the development of new products.
You are given the task to formulate a watertight plan, in consultation with the architects and subcontractors, in which all the above requirements are met.