Information Security Principles and Practices

Slides:



Advertisements
Similar presentations
1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Advertisements

INTRODUCTION TO INFORMATION SECURITY MANAGEMENT Information Security Management (INFS 5055) & Information Security Management (INFS 3070) Study Period.
Computer Security Computer Security is defined as:
Computer Fraud Chapter 5.
Computer Fraud Chapter 5.
Auditing Computer-Based Information Systems
Copyright 2004 Foreman Architects Engineers School Security From Common Sense to High Tech.
9 - 1 Computer-Based Information Systems Control.
Chapter 5 Enhancing Security Through Physical Controls
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Copyright © Center for Systems Security and Information Assurance Lesson Seven Physical Security.
Stephen S. Yau CSE 465 & CSE591, Fall Physical Security for Information Systems.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.
Factors to be taken into account when designing ICT Security Policies
Information Systems Security Physical Security Domain #4.
Physical Security Chapter 9.
Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.
Security Devices A modern security system, with its array of electronic components, is designed to sense, decide, and act. The security system senses events.
Chapter 8: Disaster Management
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Physical Security SAND No C Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States.
每时每刻 可信安全 1 What category of water sprinkler system is currently the most recommended water system for a computer room? A Dry Pipe sprinkler system B Wet.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Chapter 10: Computer Controls for Organizations and Accounting Information Systems
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.
Module 02: 1 Introduction to Computer Security and Information Assurance Objectives Recognize that physical security and cyber security are related Recognize.
Understanding Security Layers
Physical Security By: Christian Hudson. Overview Definition and importance Components Layers Physical Security Briefs Zones Implementation.
Physical Security “Least sexy of the 10 domains but the best firewall in the world will not stand up to a well placed brick.”
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
BUSINESS B1 Information Security.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Business Plug-In B6 Information Security.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Information Systems Security Operational Control for Information Security.
Information Systems Security Operations Security Domain #9.
Physical ways of keeping your system secure. Unit 7 – Assignment 2. (Task1) By, Rachel Fiveash.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 16 “Physical and Infrastructure.
SECURITY OF DATA By: ADRIAN PERHAM. Issues of privacy; Threats to IT systems; Data integrity; Standard clerical procedures; Security measures taken to.
Physical (Environmental) Security
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.
Introduction to Information Security
Security Policies. Threats to security and integrity  Threats to information systems include  Human error –keying errors, program errors, operator errors,
Site Security Policy Case 01/19/ : Information Assurance Policy Douglas Hines, Jr.
TM 13-1 Copyright © 1999 Addison Wesley Longman, Inc. Data and Database Administration.
1 PROTECTING ORGANIZATION VALUABLE ASSET CASE STUDY: PT XYZ SYSTEM INFORMATION TECHNOLOGY Group Member :  Adhitya Trisnanda  Dini Dieny  Firmando Satryo.
Security and Ethics Safeguards and Codes of Conduct.
CPT 123 Internet Skills Class Notes Internet Security Session B.
Protecting Data. Privacy Everyone has a right to privacy Data is held by many organisations –Employers –Shops –Banks –Insurance companies –etc.
Department of Computer Science Chapter 4 Physical and Environment Security Semester 1.
Physical Security Concerns for LAN Management By: Derek McQuillen.
Physical Security Ch9 Part I Security Methods and Practice CET4884 Principles of Information Security, Fourth Edition.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 13 – Physical and.
Physical Security at Data Center: A survey. Objective of the Survey  1. To identify the current physical security in data centre.  2.To analyse the.
Criminal Justice Intro to Security, Instructor Name Date, Semester Chapter 4: PHYSICAL SECURITY: STRUCTURAL, ELECTRONIC, AND HUMAN PROTECTION SYSTEMS.
Unit 1: Protecting the Facility (Virtual Machines)
TM 13-1 Copyright © 1999 Addison Wesley Longman, Inc. Data and Database Administration.
Onsite CRM Security
Information Systems Security
Risk management.
NETW4005 COMPUTER SECURITY A
Understanding Security Layers
Chapter 10 Physical Security
INFORMATION SYSTEMS SECURITY and CONTROL
Objectives Telecommunications and Network Physical and Personnel
Security of Data  
Physical Security.
Presentation transcript:

Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 8: Physical Security Control

© Pearson Education Information Security: Principles and Practices Objectives Distinguish between logical and physical security, and explain the reasons for placing equal emphasis on both Recognize the importance of the Physical Security domain Outline the major categories of physical security threats © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Objectives cont. Classify the techniques to mitigate risks to an organization’s physical security Classify the five main categories of physical security controls Propose how smart cards can be used for physical access control The following objective has not been clearly addressed in this chapter; it will be addressed in more detail in Chapter 10. Categorize the different types of biometric access controls and determine their respective strengths and weaknesses © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Introduction In order to protect logical systems, the hardware running them must be physically secure Physical security deals with who has access to buildings, computer rooms, and the devices within them © Pearson Education Information Security: Principles and Practices

Understanding the Physical Security Domain Four focus areas How to choose a secure site (location) and guarantee the correct design How to secure a site against unauthorized access How to protect equipment against theft How to protect the people and property within an installation © Pearson Education Information Security: Principles and Practices

Physical Security Threats Weather: tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, and so forth Fire/chemical: explosions, toxic waste/gases, smoke, fire Earth movement: earthquakes, mudslides Structural failure: building collapse because of snow/ice or moving objects (cars, trucks, airplanes, and so forth) © Pearson Education Information Security: Principles and Practices

Physical Security Threats cont. Energy: loss of power, radiation, magnetic wave interference, and so forth Biological: virus, bacteria, infestations of animals or insects. Human: strikes, sabotage, terrorism, and war © Pearson Education Information Security: Principles and Practices

Providing Physical Security Five Areas of Physical Security educating personnel administrative controls, such as site selection physical controls, such as keys and locks, fencing, lighting, and guards technical controls, such as smart cards, audit trails, intrusion detection systems, and biometrics environmental/life-safety control © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Educating Personnel An educated staff is the best weapon a company can have against illegitimate and accidental acts by others Being mindful of physical and environmental considerations required to protect the computer systems Adhering to emergency and disaster plans Monitoring the unauthorized use of equipment and services Recognizing the security objectives of the organization Accepting individual responsibilities associated with their own security as well as the equipment they use © Pearson Education Information Security: Principles and Practices

Administrative Access Controls Restricting Work Areas Escort Requirements and Visitor Control Site Selection Visibility Locale considerations Natural disasters Transportation A physical security plan should first identify the access rights to the site (e.g., campus) in general and then the various access rights required by each location (building) within the site. Visitors typically must have a clear purpose for their visit and a confirmed contact within the site such as an employee or another individual with the appropriate clearance. Site designers and planners must make at least the following considerations: Visibility: How conspicuous will the facility be at a particular site? Locale considerations: The wise prospective homeowner should always inspect the neighborhood before purchasing a new house. Natural disasters: Site planners can minimize risk by examining local weather patterns, the history of weather-related disasters, and determining their risk tolerance. Transportation: A good transportation system is important not only for the delivery of goods and services but also for emergency evacuation procedures as part of a disaster recovery plan. © Pearson Education Information Security: Principles and Practices

Physical Security Controls Perimeter Security Controls Controls on the perimeter of the data center are designed to prevent unauthorized access to the facility Badging The photo identification badge is a perimeter security control mechanism that not only authenticates an individual but also continues to identify the individual while inside the facility Keys and Combination Locks Keys and combination locks are the least complicated and least expensive devices © Pearson Education Information Security: Principles and Practices

Physical Security Controls Security Dogs Dogs are a highly effective and threatening perimeter security control when handled properly and humanely Lighting Lighting is another form of perimeter protection that discourages intruders or other unauthorized individuals from entering restricted areas © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Technical Controls The more prominent technical controls include smart/dumb cards audit trails/access logs intrusion detection biometric access controls © Pearson Education Information Security: Principles and Practices

Technical Controls cont. Smart Cards The smart card has many purposes Storing value for consumer purchases Medical identification Travel ticketing and identification Building access control The smart card can facilitate file encryption and digital signature The use of smart cards in conjunction with biometrics authentication can be extremely effective © Pearson Education Information Security: Principles and Practices

Technical Controls cont. © Pearson Education Information Security: Principles and Practices

Technical Controls cont. Audit Trails/Access Logs Should contain The user ID or name of the individual who performed the transaction Where the transaction was performed The time and date of the transaction A description of the transaction—what function did the user perform, and on what The retention period of the audit logs, recovery time, and the integrity of the data must also be considered and the logging system designed appropriately. © Pearson Education Information Security: Principles and Practices

Technical Controls cont. Intrusion Detection Perimeter intrusion detectors These devices are based on dry contact switches or photoelectric sensors. An alarm is set off when the switches are disturbed or the beam of light is broken Motion detectors These devices detect unusual movements within a well-defined interior space, including wave pattern detectors that detect changes to light-wave patterns audio detectors that passively receive un-usual sound waves and set off an alarm © Pearson Education Information Security: Principles and Practices

Technical Controls cont. Biometrics Biometrics authentication uses physiological or behavioral characteristics such as the human face, eyes, voice, fingerprints, hands, signature, and even body temperature Biometric is data stored and used for the authentication procedure © Pearson Education Information Security: Principles and Practices

Environmental/Life-Safety Controls The three most critical areas are power (electrical, diesel) fire detection and suppression heating, ventilation, and air conditioning (HVAC) © Pearson Education Information Security: Principles and Practices

© Pearson Education Information Security: Principles and Practices Summary Physical security is often underemphasized by security experts when discussing strategies for protecting critical resources Physical security domain includes traditional safeguards against intentional and unintentional threats Physical security addresses the following areas educating personnel administrative controls physical controls technical controls environmental/life-safety controls © Pearson Education Information Security: Principles and Practices