Computer Security: Principles and Practice
EECS710: Information Security
Professor Hossein Saiedian, Fall 2014
Chapter 16: Physical and Infrastructure Security


2 Physical and Infrastructure Security
Logical security: protects computer-based data from software-based and communication-based threats
Physical security (also called infrastructure security)
– Protects the information systems that contain data and the people who use, operate, and maintain the systems
– Must prevent any type of physical access or intrusion that can compromise logical security
Premises security (also known as corporate or facilities security)
– Protects the people and property within an entire area, facility, or building(s), and is usually required by laws, regulations, and fiduciary obligations
– Provides perimeter security, access control, smoke and fire detection, fire suppression, some environmental protection, and usually surveillance systems, alarms, and guards

3 Physical Security
Protect physical assets that support the storage and processing of information
Involves two complementary requirements
– Prevent damage to physical infrastructure: information system hardware, physical facility, supporting facilities, personnel
– Prevent physical infrastructure misuse leading to misuse/damage of protected information (e.g., vandalism, theft, copying, unauthorized entry, …)

4 Physical Security Context

5 Physical Security Threats
Physical situations and occurrences that threaten information systems
– Natural disasters
– Environmental threats (e.g., heat)
– Technical threats
– Human-caused threats

6 Characteristics of Natural Disasters

7 Environmental Threats
Inappropriate temperature and humidity
Fire and smoke
Water
Chemical, radiological, biological hazards
Dust
Infestation

8 Temperature Thresholds for Damage to Computing Resources

9 Temperature Effects

10 Technical Threats
Electrical power is essential to run equipment
– Power utility problems
  – Under-voltage: dips/brownouts/outages, interrupt service
  – Over-voltage: surges/faults/lightning, can destroy chips
  – Noise: on power lines, may interfere with device operation
Electromagnetic interference (EMI)
– From line noise, motors, fans, heavy equipment, other computers, nearby radio stations & microwave relays
– Can cause intermittent problems with computers

11 Human-Caused Threats
Less predictable, may be targeted, harder to deal with
Include:
– Unauthorized physical access leading to other threats
– Theft of equipment/data
– Vandalism of equipment/data
– Misuse of resources

12 Mitigation Measures: Environmental Threats
Inappropriate temperature and humidity
– Environmental control equipment, power
Fire and smoke
– Alarms, preventative measures, fire mitigation
– Smoke detectors, no smoking
Water
– Manage lines, equipment location, cutoff sensors
Other threats: limit dust entry, pest control

13 Mitigation Measures: Technical Threats
Electrical power for critical equipment use
– Use uninterruptible power supply (UPS)
– Emergency power generator
Electromagnetic interference (EMI)
– Filters and shielding

14 Mitigation Measures: Human-Caused Threats
Physical access control
– IT equipment, wiring, power, comms, media
Have a spectrum of approaches
– Restrict building access, locked area, secured, power switch secured, tracking device
Also need intruder sensors/alarms

15 Recovery from Physical Security Breaches
Redundancy
– To provide recovery from loss of data
– Ideally off-site, updated as often as feasible
– Can use batch encrypted remote backup
– Extreme: remote hot-site with live data
Physical equipment damage recovery
– Depends on nature of damage and cleanup
– May need disaster recovery specialists

16 Disaster Recovery: Backup Facilities
Hot sites
– Ready to run
– Readiness at high cost
Cold sites
– Building facilities, power, communications
– No computing resources
Site sharing
– Sharing among firms
– Computing incompatibility
Need backup tapes/resources at remote site

17 Threat Assessment
1. Set up a steering committee
2. Obtain information and assistance
3. Identify all possible threats
4. Determine the likelihood of each threat
5. Approximate the direct costs
6. Consider cascading costs
7. Prioritize the threats
8. Complete the threat assessment report
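Steps 4 to 7 of the threat assessment, worked through as an added example (not part of the original slides). The threat names and all likelihood and cost figures are constructed for illustration, and ranking by expected annual loss is one common way to prioritize, assumed here rather than prescribed by the slides. It shows why step 6 matters: the ranking changes once cascading costs are counted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    category: str             # natural, environmental, technical or human-caused
    annual_likelihood: float  # step 4: expected occurrences per year
    direct_cost: float        # step 5: repair and replacement
    cascading_cost: float     # step 6: downtime, lost business, recovery effort

    def expected_loss(self, include_cascading=True):
        cost = self.direct_cost
        if include_cascading:
            cost += self.cascading_cost
        return self.annual_likelihood * cost

# Constructed figures for illustration only; not taken from the slides.
THREATS = [
    Threat("Flood in basement server room", "natural", 0.02, 400_000, 600_000),
    Threat("Cooling failure", "environmental", 0.5, 20_000, 150_000),
    Threat("Utility power outage", "technical", 2.0, 1_000, 60_000),
    Threat("Equipment theft", "human-caused", 0.3, 40_000, 10_000),
]

def prioritize(threats, include_cascading=True):
    """Step 7: rank threats by expected annual loss, highest first."""
    for t in threats:
        if min(t.annual_likelihood, t.direct_cost, t.cascading_cost) < 0:
            raise ValueError(f"negative estimate for {t.name!r}")
    return sorted(threats,
                  key=lambda t: t.expected_loss(include_cascading),
                  reverse=True)

def report(threats):
    """Step 8: rows of (rank, name, category, expected annual loss)."""
    return [(rank, t.name, t.category, round(t.expected_loss()))
            for rank, t in enumerate(prioritize(threats), start=1)]

if __name__ == "__main__":
    for row in report(THREATS):
        print(row)
```

With these figures, equipment theft ranks first on direct costs alone, while the power outage ranks first once cascading costs are included.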

18 Example Policy

19 Physical/Logical Security Integration
Have many detection/prevention devices
More effective with central control
Hence desire to integrate physical and logical security, especially access control
Need standards in this area
– FIPS “Personal Identity Verification (PIV) of Federal Employees and Contractors”

20 Personal Identity Verification (PIV)
Three assurance levels:
(1) Some confidence (use of smart cards/PIN)
(2) High confidence (plus use of biometrics)
(3) Very high (in the presence of an official observer)
Identity proofing
Access control subsystem
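An added example (not from the slides and not FIPS 201 reference code) of how an access control subsystem could enforce the three assurance levels above. It assumes the levels are cumulative (card and PIN, then biometric, then biometric checked in front of an official observer); the area names and function names are hypothetical.

```python
from enum import IntEnum

class Assurance(IntEnum):
    NONE = 0
    SOME = 1       # smart card + PIN
    HIGH = 2       # plus biometric
    VERY_HIGH = 3  # biometric verified in the presence of an official observer

# Hypothetical areas and the level each one requires.
REQUIRED = {
    "lobby": Assurance.SOME,
    "server_room": Assurance.HIGH,
    "key_vault": Assurance.VERY_HIGH,
}

def achieved_level(card_valid, pin_ok, biometric_ok=False, observer_present=False):
    """Map the factors actually verified at the reader to an assurance level.

    Assumption: each level builds on the one below, so a biometric match
    without a valid card and PIN, or an observer without a biometric match,
    does not raise the level.
    """
    if not (card_valid and pin_ok):
        return Assurance.NONE
    if not biometric_ok:
        return Assurance.SOME
    return Assurance.VERY_HIGH if observer_present else Assurance.HIGH

def access_decision(area, **factors):
    """Return (granted, reason); unknown areas are denied by default."""
    required = REQUIRED.get(area)
    if required is None:
        return False, "unknown area: deny by default"
    level = achieved_level(**factors)
    if level >= required:
        return True, f"{level.name} satisfies {required.name}"
    return False, f"{level.name} is below required {required.name}"

if __name__ == "__main__":
    print(access_decision("server_room", card_valid=True, pin_ok=True))
    print(access_decision("server_room", card_valid=True, pin_ok=True,
                          biometric_ok=True))
```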

21 PIV (Physical/Logical) Convergence PIV System Model

22 FIPS 201 SP
Alternative authentication mechanisms that can be used for access to a specific area
– CHUID: cardholder unique identifier
– CAK: card authentication key

23 Summary
Introduced physical security issues
Threats: nature, environmental, technical, human
Mitigation measures and recovery
Assessment, planning, implementation
Physical/logical security integration