|
|
Physical Security IssuesAs stated in Chapter 5, it is relatively easy to implement and maintain a tight security policy for your network security. Physical security, on the other handwhich can also be defined using a blueprint, standards, or even modelsis much more difficult to implement in the real world. The implementation can fall short for various reasons, most important being budget constraints. A slight shift in focus is taking place because of the recent effects and threats of global terrorism. This shift might trigger increased attention to the physical security that is necessary for the implementation of comprehensive physical security measures. Such implementations will become as common as encryption, firewalls, VPNs, and others. Physical security is defined as the process of identifying and describing all the measures necessary to protect your facility. This process includes internal and external security measures, disaster-recovery plans, and personnel training. Securing the PerimeterWhen implementing physical security at a company level, the first consideration is the location of your site. In reality, this step might not be an option because a limited budget can force you to use an existing building. A site must meet a minimum set of requirements, which are defined by physical security blueprints or models. NOTE A set of governmental specifications for physical security is available through the directive "The Director of Central Intelligence Directive 1/21: Manual for Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF)." The following link provides a reference guide and checklist for the SCIF construction: Once the facility is built, multiple layers of security are required. The following list is an overview of available layers and options for external physical security:
Achieving maximum external physical security according to these specifications is compromised in many situations because not all layers can be easily implemented. Internal SecurityInternal physical security techniques can be defined by following a layered model approach. Some areas protected by both the external and internal measures overlap. For instance, camera systems can be installed all over the campus and as entrance security for mission-critical areas such as lab space, communication rooms, and server rooms. Just as with external security, internal security is layered. Entrance to low-security areas requires only a PIN code or card reader, and entrance to high-security areas requires card readers in combination with biometrics. High-level security areas can also be equipped with smoke, temperature, and humidity sensors. Personnel TrainingDeveloping a strong security policy helps to protect your resources only if all staff members are properly instructed on all facets and processes of the policy. Most companies have a system in place whereby all employees need to sign a statement confirming that they have read and understood the security policy. The policy should cover all issues the employees encounter in their day-to-day work, such as laptop security, password policy, handling of sensitive information, access levels, tailgating, countermeasures, photo IDs, PIN codes, and security information delivered via newsletters and posters. A top-down approach is required if the policy is to be taken seriously. This means that the security policy should be issued and supported from an executive level downward. NOTE Tailgating occurs when an intruder enters a secured facility by following closely behind an employee as the employee uses a badge to enter a building. As far as physical security goes, many standards and blueprints exist, but implementation costs require compromises. Only serious attacks, intrusions, losses, or the latest threats of global terrorism can change the mindset that allows unreasonable compromises to physical security standards and the complete implementation of the physical security policy measures. Survivability and RecoveryEven for the most protected and secure areas, a strong disaster-recovery plan needs to be defined. The possibility of things going wrong should be addressed upfront. For instance, uninterruptible power supplies (UPSs) are the de facto standard for countering power blackouts. When connecting your site to a service provider's network, only one connection creates a single point of failure. A central backup system is a mandatory service for all servers in the network. Another disaster-recovery service is the implementation of a complete fail-over site. This is a drastic approach, but companies need to consider the loss of not just data but of their complete workplace when defining disaster-recovery plans. The cost of losing your complete workplace, data included, is nothing compared to the cost of installing a fail-over site.  |
|
|