should not be content with only a good data security
frame work. They should also devise a good physical
security infrastructure. by Avinash Kadam
of us are concerned about physical and environmental
security. We may not always do a formal risk assessment
exercise, but intuitively, we try to ensure that we
are secure. BS 7799 is very explicit about the requirements
of this domain, which is applicable to the business
premises and business information processing facilities.
Design, implementation and monitoring of many controls
for this domain will have to be jointly done with the
physical security department.
Security can be best achieved by ensuring multiple layers
of security and not depending on a single measure. This
principle is very evident here. The controls for physical
and environmental security are defined in three areas:
Security of the premise
Security of the equipment
SECURITY OF THE PREMISE
Physical security perimeter
We begin by defining the boundary of the premises and
examining the security requirement, based on the risk
assessment. The best way to do this will be to walk
around the premises and 'case the joint.' Evaluate all
the entry points through which an intruder could come
in. Take help of a security agency to do this. Do not
depend on your skills as an arm chair detective. The
classical approach to securing the premises is to create
Start with the outermost perimeter. How much resistance
this perimeter is expected to provide? Based on risk
assessment, you need to decide all the physical specifications
like height, width for the protective wall. Next, consider
all the entry points. Are the doors strong enough? Are
the door frames strong enough? Are the windows, ventilators,
air-conditioning firmly secured with grills? Do the
physical barriers extend from real floor to real ceiling
or is there a gap between false ceiling and real ceiling
through which somebody could crawl in? We need to detect
the weakest link while assessing the perimeter defense.
How are the access points guarded? Are they controlled
through card controlled entry gates? Are watchmen, guards
or receptionist monitoring the entry points?
Physical entry controls
Only authorized persons should be allowed access to
the secure areas. This objective could be achieved by
having a clear access control policy defining the access
rights. Based on this policy, appropriate measures should
be in place. These measures may take the form of access
controlled devices like swipe card controlled doors,
logging information about visitors and visible identification
Securing offices, rooms and facilities
Location of the secure office within the physically
secure perimeter should be chosen with care. All the
risks pertaining to fire, flood, explosion, civil unrest
and other forms of natural or man made disaster should
be considered. There could also be threat from neighboring
premises caused by leakage of water, spreading of fire
or storage of toxic/inflammable/explosive material.
Even bulk supplies like stationery should not be stored
within the secure premises.
The secure location should not be publicized in any
manner. No display board, banners, signs to indicate
the presence of any important information processing
activity. Even the internal telephone directories should
not be readily accessible to outsiders.
Support facilities like photocopier, fax machines, which
are constantly accessed by everyone, should be located
away from the secure area. Suitable intruder detection
systems like CCTV, motion sensors etc. should be installed
and regularly tested.
Working in secure areas
Security equipment like CCTV and swipe-card controlled
gates are of no use if the persons working in these
locations are not trustworthy, or incompetent or simply
lack awareness of their responsibility. They should
be handpicked and trained for these operations. They
should not brag about their nature of work or location.
Also, information should be provided on need-to-know
basis. Segregation of duties should be scrupulously
followed with strict supervision. Third-party personnel
should be granted restricted access. No photographic,
video, audio or other recording equipment must be allowed
inside the premises, unless authorized.
Isolated delivery and loading areas
We have taken care of every aspect of physical security
in the above paragraphs, but do we know how canteen
facilities get into secured premises? How the trash
is taken out? How the courier delivers the parcels?
In industrial premises there could be constant movement
of incoming and outgoing material. All this traffic
needs to be isolated from the secure office area so
that it does not pose a threat.
SECURITY OF THE EQUIPMENT
Equipment sitting and protection
Our next concern is appropriate security of the equipment.
Information processing equipment needs to be handled
carefully. The first level of equipment protection depends
on physical location. The location should minimize the
need for unnecessary access as well as prevent snooping.
It should be such as to minimize the risk of theft as
well as the risk from natural disasters like fire, flood,
chemicals etc. Also consider risks like electrical and
electromagnetic interference, humidity etc.
Information processing will come to a halt in the absence
of a suitable power supply. This could be the worst
type of a denial-of-service attack. A thorough business
risks assessment is necessary to understand the impact
on non availability of power for certain durations.
Based on the evaluation, appropriate measures need to
These could be:
1. Taking power from multiple feeds of electric supply.
2. In case all the electric supplies fail simultaneously,
you need to have an uninterruptible power supply (UPS)
with adequate battery capacity capable of sustaining
the initial load.
3. The UPS could in-turn be supported by backup generator
4. The backup generator would require adequate supply
of fuel, which also needs to be stored with replenishment
assured from the suppliers.
5. Proper installation of emergency lights should also
be planned; lightning protection should be provided
to the power installation and the communication lines.
We really need to remember every detail including the
proverbial last nail. Do we know the physical layout
of power cables and communication cables in our premises?
The first step will be to obtain wiring diagrams and
update them. Then do a physical inspection and assess
the protection needs against damage, interference or
the best practices for laying the network cables as
well as power cables and ensure that these are actually
implemented. The next step is to decide on additional
security protection required for the network. This could
be expensive for an old installation. Safety measures
like use of armored conduit cables, underground ducts
or fiber optic cabling will require huge investment
and need to be justified based on risk assessment. But
simple measures like providing locks to the communication
cable patch board, which are often overlooked, should
be immediately implemented.
It is normally expected that due care is taken for equipment
maintenance and proper records are maintained. From
a security angle, two more measures are required. One
is to maintain record of faults that were noticed and
the second step is to maintain records of all equipment
sent off the premises for maintenance.
Security of equipment off premises
Shrinking size of computers and expanding wide area
networks have made the computer equipment extremely
mobile. Processing as well as storage capacity of mobile
devices has been following Moore's law of doubling every
18 months. Securing these devices is as important as
securing the data center. Various controls that should
be considered are: administrative controls like permissions
and corporate policy on use of mobile computers in places
like airplanes, physical controls like securing the
devices with security chains, alarms, and storing them
at non obvious places, using access control devices
like USB tokens and finally taking adequate insurance
Secure disposal or re-use of equipment
Storage devices have long memory, unless specifically
destroyed. Mere deletion is not enough. This becomes
important when an old computer equipment is disposed
off or transferred to another location. Equipment sent
for repair are equally susceptible to reading of data
from the 'deleted' storage devices. Every such device
should be subjected to a thorough erasing and overwriting
to destroy the data. Since some reports claim that the
data could be recovered even after multiple overwriting
and formatting, it may be desirable to physically destroy
the media containing top secret information.
Clear desk and clear screen policy
Our concern for information security should not stop
at securing the premises and equipment. Sensitive information
could be accessible in many forms and it is necessary
to identify and protect the information in all its incarnations.
Classification of information will help to identify
the sensitivity but having an organizational "clear
desk and clear screen policy" could ensure actual
protection. In brief, it means keep everything under
lock and key and do not allow anybody to snoop. The
following guidelines should be issued:
Lock up all documents and media when not used.
Protect the computers and terminals through use of
key locks, passwords, and screen savers.
Fax and telex machines used for confidential information
should not be left unattended.
Access to photocopiers and scanners is restricted
after office hours.
Printing of classified information should be supervised
printouts must be removed immediately.
Removal of property
Any movement of equipment, information or software should
be only with proper authorization. All these movements
should be logged and records maintained for all outgoing
and incoming items. In these days of storage media capable
of containing gigabytes of information, this procedure
becomes very important. Employees should be made aware
that spot checks would be carried out to ensure full
Security is being paranoid about threats. Physical security
is very demonstrative about this paranoia. But, it also
sets the tone about the organization's concern about