Physical and Environmental Security
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guard-posts.
Physical security is an often-ignored first line of defense against unauthorized data access and the physical theft of records. Organizations must understand the need for physical security, conduct thorough risk assessments, and implement physical and environmental controls as required by HIPAA, Gramm-Leach-Bliley, and a plethora of other legislative and industry requirements. The National Institute of Standards and Technology (NIST), CobiT, HIPAA, the Internet Security Forum (ISF), and ISO 27002 each provide robust guidance on physical security; however, it falls to the host organization to assess its unique physical security needs and determine which of these and other standards, or which parts of them, are most applicable.
The field of security engineering has identified three elements to physical security:
- obstacles, to frustrate trivial attackers and delay serious ones
- alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed
- security response, to repel, catch or frustrate attackers when an attack is detected
In a well-designed system, these features must complement each other. For example, the response force must be able to arrive on site in less time than the attacker is expected to need to breach the barriers; taken together, the obstacles, detection and response should persuade would-be attackers that the likely costs of an attack exceed the value of making it.
ISO 27002 defines Physical and Environmental Security objectives to prevent unauthorized access, damage and interference to business premises and information; prevent loss, damage or compromise of assets and interruption to business activities; and prevent compromise or theft of information and information processing facilities. This section provides templates for Information Security standards that are required to comply with ISO Physical and Environmental Security objectives and support the objectives established in the Asset Protection Policy.
1. Sample ISO Physical Access Standard
   - The Physical Access Standard is required to comply with ISO Physical and Environmental Security objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for physical access to information assets.
For example, Automatic Teller Machines (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Attackers quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.
Conversely, safes are rated in terms of the time in minutes that a skilled, well-equipped safe-breaker is expected to need to open the safe. (These ratings are developed by highly skilled safe-breakers employed by insurance agencies, such as Underwriters Laboratories.) In a properly designed system, either the time between inspections by a patrolling guard should be less than that rated time, or an alarm response force should be able to reach the safe in less than that time.
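The timing rule stated above (the response force must beat the attacker's breach time, and a safe's minute rating must exceed either the patrol interval or the alarm response time) can be applied to a whole layered design. The following is an added illustration, not code from the page or from Anderson's book; the layer names, delay values, response time and patrol interval are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Layer:
    name: str
    delay_min: float   # minutes a skilled, well-equipped attacker needs to defeat it
    detects: bool      # whether defeating this layer raises an alarm


def total_delay(layers: List[Layer]) -> float:
    """Total delay an attacker faces if nothing interrupts them."""
    return sum(layer.delay_min for layer in layers)


def delay_after_detection(layers: List[Layer]) -> float:
    """Delay still ahead of the attacker once the first alarm fires.
    Layers are listed outside-in. The detecting layer's own delay is not
    counted: the attacker may already be through it when the alarm is raised."""
    for i, layer in enumerate(layers):
        if layer.detects:
            return total_delay(layers[i + 1:])
    return 0.0   # nothing detects: an alarm response can never be timely


def assess(layers: List[Layer], response_min: float,
           patrol_interval_min: Optional[float] = None) -> Tuple[bool, float, Optional[float]]:
    """Apply the page's rule: the design holds if the alarm response arrives
    before the remaining delay is used up, or if a patrol revisits before the
    full delay has elapsed. Returns (ok, alarm_margin, patrol_margin) in minutes;
    a positive margin means that path is timely."""
    alarm_margin = delay_after_detection(layers) - response_min
    patrol_margin = None
    if patrol_interval_min is not None:
        patrol_margin = total_delay(layers) - patrol_interval_min
    ok = alarm_margin > 0 or (patrol_margin is not None and patrol_margin > 0)
    return ok, alarm_margin, patrol_margin


# Constructed design: a fence, an alarmed door, then a safe rated at 30 minutes.
DESIGN = [
    Layer("perimeter fence", 2, detects=False),
    Layer("alarmed door", 3, detects=True),
    Layer("safe rated 30 min", 30, detects=False),
]

if __name__ == "__main__":
    # With a 20-minute alarm response the safe's rating covers the response;
    # with a 45-minute response only a patrol every 30 minutes would save it.
    print(assess(DESIGN, response_min=20, patrol_interval_min=60))
    print(assess(DESIGN, response_min=45, patrol_interval_min=30))
```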
Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security (see Security through obscurity and Inside job).
- Anderson, Ross - 'Security Engineering', published by Wiley, 2001, ISBN 0-471-38922-6