Revision as of 13:34, 23 May 2007
Physical and Environmental Security
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.
The field of security engineering has identified three elements to physical security:
- obstacles, to frustrate trivial attackers and delay serious ones;
- alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
- security response, to repel, catch or frustrate attackers when an attack is detected.
In a well designed system, these features must complement each other. For example, the response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers; and
- persuading them that the likely costs of attack exceed the value of making the attack.
ISO defines Physical and Environmental Security objectives to prevent unauthorized access, damage and interference to business premises and information; prevent loss, damage or compromise of assets and interruption to business activities; and prevent compromise or theft of information and information processing facilities. This section provides templates for Information Security standards that are required to comply with ISO Physical and Environmental Security objectives and support the objectives established in the Asset Protection Policy.
1. Sample ISO Physical Access Standard
The Physical Access Standard is required to comply with ISO Physical and Environmental Security objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for physical access to information assets.
For example, ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Attackers quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.
Conversely, safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. (These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories.) In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.
Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security (see Security through obscurity and Inside job).
See Also
- Logical security
- Computer security