CIOs should not be content with only a good data security framework. They should also devise a good physical security infrastructure.
by Avinash Kadam
All of us are concerned about physical and environmental
security. We may not always do a formal risk assessment
exercise, but intuitively, we try to ensure that we
are secure. BS 7799 is very explicit about the requirements
of this domain, which is applicable to the business
premises and business information processing facilities.
Design, implementation and monitoring of many controls
for this domain will have to be jointly done with the
physical security department.
Security can be best achieved by ensuring multiple layers
of security and not depending on a single measure. This
principle is very evident here. The controls for physical
and environmental security are defined in three areas:
- Security of the premise
- Security of the equipment
- Secure behavior
SECURITY OF THE PREMISE
Physical security perimeter
We begin by defining the boundary of the premises and
examining the security requirement, based on the risk
assessment. The best way to do this will be to walk
around the premises and 'case the joint.' Evaluate all
the entry points through which an intruder could come
in. Take the help of a security agency to do this. Do not
depend on your skills as an armchair detective. The
classical approach to securing the premises is to create
multiple barriers.
Start with the outermost perimeter. How much resistance
is this perimeter expected to provide? Based on the risk
assessment, you need to decide all the physical specifications,
such as the height and width of the protective wall. Next, consider
all the entry points. Are the doors strong enough? Are
the door frames strong enough? Are the windows, ventilators and
air-conditioning openings firmly secured with grilles? Do the
physical barriers extend from the real floor to the real ceiling,
or is there a gap between the false ceiling and the real ceiling
through which somebody could crawl in? We need to detect
the weakest link while assessing the perimeter defense.
How are the access points guarded? Are they controlled
through card-controlled entry gates? Are watchmen, guards
or receptionists monitoring the entry points?
Physical entry controls
Only authorized persons should be allowed access to
the secure areas. This objective could be achieved by
having a clear access control policy defining the access
rights. Based on this policy, appropriate measures should
be in place. These measures may take the form of access
control devices such as swipe-card controlled doors,
logging of visitor information and visible identification
badges.
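An access control policy is only as good as its enforcement, so the swipe-card logs should be reviewed against the access rights the policy grants. The following script is an added example, not from the article or from BS 7799; the badge ids, areas, permitted hours and log lines are all constructed.

```python
# Added example, not from the article: review card-reader logs for secure areas
# against an access control policy. Badges, areas and log lines are constructed.
from collections import defaultdict
from datetime import datetime, date

# Constructed policy: permitted areas, permitted hours, and visitor badge expiry.
POLICY = {
    "E1001": {"areas": {"DATACENTER", "OFFICE"}, "hours": (8, 20)},
    "E1002": {"areas": {"OFFICE"}, "hours": (8, 20)},
    "V0007": {"areas": {"OFFICE"}, "hours": (9, 18), "valid_until": "2004-02-28"},
}
# Constructed reader log: timestamp, badge, area, direction (IN/OUT).
LOG = """\
2004-03-01T08:55:00 E1001 DATACENTER IN
2004-03-01T09:10:00 E1002 DATACENTER IN
2004-03-01T09:12:00 V0007 OFFICE IN
2004-03-01T12:00:00 E1001 DATACENTER OUT
2004-03-01T21:30:00 E1001 DATACENTER IN
2004-03-01T21:45:00 E1001 DATACENTER IN
2004-03-01T22:00:00 X9999 OFFICE IN
"""

def check_entries(policy, log_text):
    """Return (timestamp, badge, reason) findings for the security officer to review."""
    findings = []
    inside = defaultdict(set)  # badge -> areas it is currently logged into
    for line in log_text.splitlines():
        ts, badge, area, direction = line.split()
        when = datetime.fromisoformat(ts)
        rule = policy.get(badge)
        if rule is None:
            findings.append((ts, badge, "unknown badge"))
            continue
        if direction == "OUT":
            inside[badge].discard(area)
            continue
        if area not in rule["areas"]:
            findings.append((ts, badge, f"not authorized for {area}"))
        start, end = rule["hours"]
        if not start <= when.hour < end:
            findings.append((ts, badge, "entry outside permitted hours"))
        expiry = rule.get("valid_until")
        if expiry and when.date() > date.fromisoformat(expiry):
            findings.append((ts, badge, "visitor badge past its validity date"))
        if area in inside[badge]:
            # Second IN with no OUT in between: a lent badge, or a door held open.
            findings.append((ts, badge, f"re-entry to {area} without recorded exit"))
        inside[badge].add(area)
    return findings
```

Every finding maps to a control the section names: a badge unknown to the policy, an area the policy does not grant, entry outside working hours, an uncollected visitor badge, and a door passed without a swipe.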
Securing offices, rooms and facilities
Location of the secure office within the physically
secure perimeter should be chosen with care. All the
risks pertaining to fire, flood, explosion, civil unrest
and other forms of natural or man-made disaster should
be considered. There could also be threats from neighboring
premises caused by leakage of water, spreading of fire
or storage of toxic, inflammable or explosive material.
Even bulk supplies like stationery should not be stored
within the secure premises.
The secure location should not be publicized in any
manner. There should be no display boards, banners or signs indicating
the presence of any important information processing
activity. Even the internal telephone directories should
not be readily accessible to outsiders.
Support facilities like photocopiers and fax machines, which
are constantly accessed by everyone, should be located
away from the secure area. Suitable intruder detection
systems like CCTV, motion sensors etc. should be installed
and regularly tested.
Working in secure areas
Security equipment like CCTV and swipe-card controlled
gates is of no use if the persons working in these
locations are untrustworthy, incompetent or simply
unaware of their responsibilities. They should
be handpicked and trained for these operations. They
should not brag about the nature of their work or its location.
Also, information should be provided on a need-to-know
basis. Segregation of duties should be scrupulously
followed with strict supervision. Third-party personnel
should be granted restricted access. No photographic,
video, audio or other recording equipment should be allowed
inside the premises, unless authorized.
Isolated delivery and loading areas
We have taken care of every aspect of physical security
in the above paragraphs, but do we know how canteen
supplies get into the secured premises? How is the trash
taken out? How does the courier deliver parcels?
In industrial premises there could be constant movement
of incoming and outgoing material. All this traffic
needs to be isolated from the secure office area so
that it does not pose a threat.
SECURITY OF THE EQUIPMENT
Equipment siting and protection
Our next concern is appropriate security of the equipment.
Information processing equipment needs to be handled
carefully. The first level of equipment protection depends
on physical location. The location should minimize the
need for unnecessary access as well as prevent snooping.
It should be such as to minimize the risk of theft as
well as the risk from natural disasters like fire, flood,
chemicals etc. Also consider risks like electrical and
electromagnetic interference, humidity etc.
Power supplies
Information processing will come to a halt in the absence
of a suitable power supply. This could be the worst
type of denial-of-service attack. A thorough business
risk assessment is necessary to understand the impact
of non-availability of power for certain durations.
Based on the evaluation, appropriate measures need to
be taken.
These could be:
1. Taking power from multiple feeds of electric supply.
2. In case all the electric supplies fail simultaneously,
you need to have an uninterruptible power supply (UPS)
with adequate battery capacity capable of sustaining
the initial load.
3. The UPS could in turn be supported by backup generator
sets.
4. The backup generator would require adequate supply
of fuel, which also needs to be stored with replenishment
assured from the suppliers.
5. Proper installation of emergency lights should also
be planned; lightning protection should be provided
to the power installation and the communication lines.
Cabling security
We really need to remember every detail including the
proverbial last nail. Do we know the physical layout
of power cables and communication cables in our premises?
The first step will be to obtain wiring diagrams and
update them. Then do a physical inspection and assess
the protection needs against damage, interference or
interception.
Establish the best practices for laying the network cables as
well as power cables and ensure that these are actually
implemented. The next step is to decide on additional
security protection required for the network. This could
be expensive for an old installation. Safety measures
like the use of armored conduit cables, underground ducts
or fiber optic cabling will require huge investment
and need to be justified based on risk assessment. But
simple measures like providing locks to the communication
cable patch board, which are often overlooked, should
be immediately implemented.
Equipment maintenance
It is normally expected that due care is taken for equipment
maintenance and proper records are maintained. From
a security angle, two more measures are required. One
is to maintain a record of faults that were noticed, and
the second is to maintain records of all equipment
sent off the premises for maintenance.
Security of equipment off premises
The shrinking size of computers and expanding wide area
networks have made computer equipment extremely
mobile. Processing as well as storage capacity of mobile
devices has been following Moore's law of doubling every
18 months. Securing these devices is as important as
securing the data center. Various controls that should
be considered are: administrative controls like permissions
and a corporate policy on the use of mobile computers in places
like airplanes; physical controls like securing the
devices with security chains and alarms, and storing them
in non-obvious places; access control devices
like USB tokens; and finally taking adequate insurance
cover.
Secure disposal or re-use of equipment
Storage devices have a long memory, unless specifically
destroyed. Mere deletion is not enough. This becomes
important when old computer equipment is disposed
of or transferred to another location. Equipment sent
for repair is equally susceptible to reading of data
from the 'deleted' storage devices. Every such device
should be subjected to thorough erasing and overwriting
to destroy the data. Since some reports claim that the
data could be recovered even after multiple overwriting
and formatting, it may be desirable to physically destroy
the media containing top secret information.
SECURE BEHAVIOR
Clear desk and clear screen policy
Our concern for information security should not stop
at securing the premises and equipment. Sensitive information
could be accessible in many forms and it is necessary
to identify and protect the information in all its incarnations.
Classification of information will help to identify
the sensitivity but having an organizational "clear
desk and clear screen policy" could ensure actual
protection. In brief, it means keep everything under
lock and key and do not allow anybody to snoop. The
following guidelines should be issued:
- Lock up all documents and media when not in use.
- Protect the computers and terminals through the use of key locks, passwords, and screen savers.
- Fax and telex machines used for confidential information should not be left unattended.
- Access to photocopiers and scanners should be restricted after office hours.
- Printing of classified information should be supervised and all printouts must be removed immediately.
Removal of property
Any movement of equipment, information or software should
take place only with proper authorization. All these movements
should be logged and records maintained for all outgoing
and incoming items. In these days of storage media capable
of containing gigabytes of information, this procedure
becomes very important. Employees should be made aware
that spot checks would be carried out to ensure full
compliance.
Security means being paranoid about threats. Physical security
is the most visible demonstration of this paranoia. But it also
sets the tone for the organization's concern about
information security.