HABILIDADES LECTORAS, DE LA FLUIDEZ A LA COMPRENSIÓN

When considering the physical access controls that are appropriate for (and consistent with) your organization, we must take into account a number of variables, including the assets to be protected, the potential threat to those assets, and your organization’s attitude toward risk.

7.2.1

Assets to be Protected

Some organizations may decide to centralize operations and, in the course of doing so, build large, expensive “server farms” on their premises. On the other end of the scale, an organization might decide to take a decentralized approach and distribute its computers and computing equip- ment around the organization’s many buildings.

The amount of effort put into protecting physical assets in both of the above scenarios might well come to the same total amount but would be

FIGURE 7.1 Concentric Rings of Protection

Public Area Employees, authorized visitors and vendors Employees and accompanied vendors only Public Area Employees and accompanied vendors only Employees, authorized visitors and vendors

FIGURE 7.2 Outer Ring of Protection

Primary Gate

Secondary Gate

Ground Lighting

Parking Lot Lighting Roof Mounted Lighting

For Parking Lot

Handicapped Entrance/Exit Wooden Fence

Parking Lot Lighting

Fenceline Overgrown with brush Commerical Power Points Entrance/Exit Entrance/Exit Primary Gate Secondary Gate Ground Lighting

Parking Lot Lighting Roof Mounted Lighting

For Parking Lot

Handicapped Entrance/Exit Wooden Fence

Parking Lot Lighting

Fenceline Overgrown with brush Commerical Power

Points

Entrance/Exit Entrance/Exit

spent on different forms of protection. For a large server farm, several concentric rings of technology-based protection and access control might be appropriate whereas, for the distributed version, simply keeping indi- vidual servers in locked rooms might be sufficient. This is one variation to consider when choosing appropriate physical access controls.

7.2.2

Potential Threats

When assessing potential threats, a large dose of common sense is often the best tool. The threats that exist for high-profile commercial or politically sensitive operations differ very much from those faced by, say, a biscuit manufacturer. Likewise, an operations center located in the middle of a turbulent city will face a much greater threat than one sited in an industry park in a semirural setting.

We must also take into account the nature and recent history of the organization itself. For example, if the organization is a stable and long- established one with no history of employee strife, then the threat coun- termeasures (in the form of physical security measures) to take will be a lot less than if the organization has a reputation for having disgruntled employees and disruptive activity on the premises. This is a second variation to consider when choosing physical access controls.

7.2.3

Attitude toward Risk

Perhaps the most common complaint among information security profes- sionals is that “they” do not understand the need for protective controls — “they” most often being management and senior management of the organization. Leaving aside the obvious rejoinder about it being the Information Security Professional’s job to teach “them” about the need for protective controls, we must point out that it is the function of any organization’s senior management to assess risk.

Daily business activities involve constant risk assessment. Every deci- sion that is taken and that will influence how an organization does business involves a form of risk assessment in the act of making the decision.

It is no different with information security decisions. When facts and opinions have been made available to management and senior manage- ment, it is their function to decide on how risks will be managed. It is a fact of life that some organizations are very risk-averse and some are not. It is also a fact of life that individual managers have equally variable attitudes toward risk. These constitute the third set of variations to consider when choosing physical access controls.

7.2.4

Sample Controls

Having looked at the complications involved in choosing appropriate physical access controls, it becomes clear that no “one-size-fits-all” solution exists. Each organization must examine its own particular assets, risks, and attitudes toward risk before deciding on appropriate physical access controls. When that examination has been performed, the organization will want to consider the following list of items when designing controls over physical access:

Physical security protection for IT equipment and systems should

be established, based on defined perimeters through strategically located barriers throughout the organization (already discussed at the start of this chapter).

The security of the protection given must be consistent with the

value of the assets or services being protected (already discussed at the start of this chapter).

Support functions and equipment are sited to minimize the risks

of unauthorized access to secure areas or compromising sensitive information; for example, network engineers who will be called on often to enter the data center should not have their workplace located away from the data center.

Physical barriers, where they are necessary, are extended from

floor to ceiling to prevent unauthorized entry and environmental contamination. That is, walls that are meant to prevent access, slow the spread of fire, or exclude dusty or polluted air must go all the way from the actual ceiling of the building to the solid floor of the building and not just from a false ceiling to the raised floor.

Personnel other than those working in a secure area are not

informed of the activities within the secure area. While no one expects a cloak of secrecy to be hung over the existence of a data center or other sensitive operation, details of the business con- ducted inside a protected perimeter need not be known to anyone who does not have access inside the perimeter.

Unsupervised lone working in sensitive areas must be prohibited

(both for safety and to prevent opportunities for malicious activities).

Computer equipment managed by the organization is housed in

dedicated areas separate from third-party-managed computer equip- ment. Where a process or part of the organization’s computing activity is carried out by a third party, that third party’s equipment should be housed in an area that lets their engineers access the equipment without having access to the organization’s computer AU1957_book.fm Page 169 Friday, September 10, 2004 5:46 PM

equipment. Keeping the two entities’ equipment in separate cages in the same room can usually satisfy this.

Secure areas, when vacated, must be physically locked and peri-

odically checked.

Personnel supplying or maintaining support services are granted

access to secure areas only when required and authorized, and their access is restricted and their activities are monitored.

Unauthorized photography, recording, or video equipment must

be prohibited within the security perimeters.

Entry controls over secure areas must be established to ensure that only authorized personnel can gain access; and a rigorous, audit- able procedure for authorizing access must be put in place.

Visitors to secure areas must be supervised, and their date and

time of entry and departure will be recorded.

Visitors to secure areas are granted access only for specific, autho- rized purposes.

All personnel must be required to wear visible identification within the secure area. The necessary addition to this is that we must foster a culture in which employees feel comfortable in challenging anyone who is in a secure area without visible identification.

Access rights to secure areas will be revoked immediately for staff who leave employment.