Physical & Personnel Security

Transcript of a 53-slide deck.

Page 1:

Physical & Personnel Security

Physical Security / Personnel Security

Page 2:

CISA Review Manual 2009

Acknowledgments: Material is from CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside

Reviewers: Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Page 3:

Objectives

The students should be able to:
Define power failures: blackout, brownout, sags, spikes & surges, electromagnetic interference (EMI)
Define protections against power failures: surge protector, uninterruptible power supply (UPS), alternate power generators
Define and describe media for fire suppression systems: dry pipe, charged, FM200, Argonite
Define physical access controls: biometric door locks, bolting, deadman doors
Describe the relationship between deadman doors and piggybacking
Define and describe security awareness, security training, security education, segregation of duties

Page 4:

Remember Data Criticality Classification?

Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low

Vital $$: Can be performed manually for very short time

Sensitive $: Can be performed manually for a period of time, but may cost more in staff

Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

Page 5:

… and Sensitivity Classification? (Example)

Confidential: Strategic Plan
Private: Salary & Health Info
Internal: Product Plans near Release
Public: Product User's Manual

Page 6:

Security: Defense in Depth

Layers, from the outside in:
Border router
Perimeter firewall
Internal firewall
Intrusion detection system
Policies & procedures & audits
Authentication
Access controls

Page 7:

Defense in Depth: Physical access controls with Guards

Not advertising location of sensitive facilities
Controlled single entry point & barred windows
Security guards, manual logging & photo ID badges
Bonded personnel
Controlled visitor access
Video cameras & alarm system
Locked workstations

Which controls are Preventive? Reactive? Corrective?

Page 8:

Physical Issues and Controls

Mobile Computing
Power Protection
Fire Suppression
Door Locks & Security
IPF (Information Processing Facility) Environment

Page 9:

Power Protection Systems

Blackout: Total loss of power
Brownout: Reduced, nonstandard power levels; may cause damage
Sags, spikes & surges: Temporary changes in power level (sag = drop; spike, surge = rise); may cause damage
Electromagnetic Interference (EMI): Fluctuations in power due to electrical storms or electrical equipment; may cause computer crash or damage

Protection, by the duration of the event each covers:
Surge protector: < x ms
UPS (Uninterruptible Power Supply): < 30 minutes
Alternate power generators: hours or days

Page 10:

Computer Room Equipped with…

Water detectors: Placed under raised floors. Risk of electric shock; training necessary. Location of water detectors marked on the floor.
Manual fire alarms: Placed throughout the facility.
Smoke detectors: Above & below ceiling tiles, below the raised floor.
Emergency power-off switch: Turns off power to all equipment.
Fire extinguishers: At strategic locations; tagged & inspected annually.
Alarms should sound locally, at a monitored guard station, and preferably at the fire dept.

Page 11:

IPF Environment

Computer room on a middle floor
Fire department inspects the room annually
Fire-resistant walls, floor, ceiling, furniture, electrical panel & conduit; two-hour fire resistance rating for walls
Emergency power-off switch: panel inside and outside the room
Redundant power lines reduce risk of environmental hazards
Surge protectors & UPS
No smoking, food or water in the IPF
Audit: Observe some, request documentation; may test batteries and handheld fire extinguishers; ensure the fire suppression system is to code

Page 12:

Fire Suppression Systems

Fire suppression media, as shown in the slide's tree:
Water sprinkler: Charged, Dry pipe
Gas, dangerous: Halon, Carbon Dioxide
Gas, enviro-friendly: FM-200, Argonite

Water sprinkler systems cause water damage when dispersed. Charged pipes contain water and can break or leak; dry pipes hold no water until the system is activated.
Gas systems do not damage equipment during a fire. Dangerous systems replace oxygen with another gas, and need lead time for people to exit. Halon was banned due to damage to the ozone layer.
FM-200 cools equipment down, lowering combustion probability. Enviro-friendly gases are safer to humans and do not damage equipment.

Page 13:

Door Lock Systems

Types of door locks shown: Bolting (key), Combination (e.g., 3-6-4), Electronic, Biometric (e.g., eye scan)

Which systems…
Enable electronic logging to track who entered at which times?
Can prevent entry by time of day for particular persons?
Are prone to error, theft, or impersonation?
Are expensive to install & maintain?
Which system do you think is best?

Page 14:

Deadman Doors (also called mantraps)

Double set of doors: only one can be open at a time
One person permitted in the holding area between them
Reduces risk of piggybacking: an unauthorized person follows an authorized person into a restricted area
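The interlock on this slide, together with the electronic logging and time-of-day questions on the previous one, can be modelled as a small state machine. The following is an added example written for this page, not code from the CISA manual or the slide deck: the badge IDs, the permitted-hours policy, the occupancy sensor and the event sequence are constructed assumptions.

```python
"""Deadman-door (mantrap) interlock with badge-based electronic logging.
Added example, not from the CISA manual or the original slides: badge IDs,
permitted-hours policy, occupancy sensor and event sequence are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

Window = Optional[Tuple[time, time]]   # permitted local-time window; None = no limit
LogEntry = Tuple[str, str, str, str]   # (timestamp, badge, door, result)


@dataclass
class BadgePolicy:
    windows: Dict[str, Window]         # badge -> window; unknown badge = deny

    def permits(self, badge: str, at: datetime) -> bool:
        if badge not in self.windows:
            return False
        window = self.windows[badge]
        if window is None:
            return True
        start, end = window
        return start <= at.time() < end


@dataclass
class Mantrap:
    """Two doors; the interlock allows only one open at a time and at most
    one person in the holding area between them."""
    policy: BadgePolicy
    outer_open: bool = False
    inner_open: bool = False
    occupants: int = 0
    log: List[LogEntry] = field(default_factory=list)

    def _record(self, at: datetime, badge: str, door: str, result: str) -> None:
        self.log.append((at.isoformat(), badge, door, result))

    def _deny(self, at: datetime, badge: str, door: str, reason: str) -> bool:
        self._record(at, badge, door, "denied: " + reason)
        return False

    def request_outer(self, badge: str, at: datetime) -> bool:
        """Badge presented at the outer door from the public side."""
        if self.inner_open:
            return self._deny(at, badge, "outer", "inner door open")
        if self.occupants > 0:
            return self._deny(at, badge, "outer", "holding area occupied")
        if not self.policy.permits(badge, at):
            return self._deny(at, badge, "outer", "unknown badge or outside hours")
        self.outer_open = True
        self._record(at, badge, "outer", "opened")
        return True

    def close_outer(self, badge: str, at: datetime, people: int) -> bool:
        """Outer door closes; an (assumed) occupancy sensor reports how many
        people are now in the holding area. More than one is piggybacking."""
        self.outer_open = False
        self.occupants = people
        if people > 1:
            self._record(at, badge, "holding", f"alarm: {people} occupants, piggybacking")
            return False
        self._record(at, badge, "holding", "single occupant")
        return True

    def request_inner(self, badge: str, at: datetime) -> bool:
        """Badge presented again at the inner door: interlock plus policy check."""
        if self.outer_open:
            return self._deny(at, badge, "inner", "outer door open")
        if self.occupants != 1:
            return self._deny(at, badge, "inner", "occupancy is not exactly one")
        if not self.policy.permits(badge, at):
            return self._deny(at, badge, "inner", "unknown badge or outside hours")
        self.inner_open = True
        self._record(at, badge, "inner", "opened")
        return True

    def close_inner(self, badge: str, at: datetime) -> None:
        # Person steps into the secure area; the holding area is empty again.
        self.inner_open = False
        self.occupants = 0
        self._record(at, badge, "inner", "closed, entered secure area")


def demo() -> Tuple[List[bool], List[LogEntry]]:
    """Constructed scenario: a normal entry, an after-hours attempt, and a
    piggybacking attempt that the interlock catches."""
    policy = BadgePolicy({"B-1001": (time(7, 0), time(19, 0)),  # day staff
                          "B-2002": None})                     # 24x7 on-call
    trap = Mantrap(policy)
    day = datetime(2024, 3, 4, 9, 30)
    results = [trap.request_outer("B-1001", day),              # True
               trap.close_outer("B-1001", day, people=1),      # True
               trap.request_inner("B-1001", day)]              # True
    trap.close_inner("B-1001", day)
    night = datetime(2024, 3, 4, 22, 0)
    results += [trap.request_outer("B-1001", night),           # False: outside hours
                trap.request_outer("B-2002", night),           # True
                trap.close_outer("B-2002", night, people=2),   # False: piggybacking alarm
                trap.request_inner("B-2002", night)]           # False: occupancy != 1
    return results, trap.log
```

The policy check runs at both doors, which is what produces the per-person, per-time log the slide asks about; the occupancy check after the outer door closes is what turns a second person into an alarm rather than an entry, and it is also why the inner door stays shut whenever the count is anything but one.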

Page 15:

Computers in Public Places

Logical protections:
Imaged computers: No client storage for programs and/or data
Antivirus / antispyware: Protects users from each other
Web filters: Avoid pornography, violence, adult content
Login/passwords: If privileged clientele allowed
Firewall: Protection from the rest of the organization

Physical locks

Page 16:

Mobile Computing

Engrave a serial number and company name/logo on the laptop using an engraver or tamper-resistant tags
Back up critical/sensitive data
Use a cable locking system
Encrypt sensitive files
Allocate passwords to individual files (consider what happens if a password is forgotten or the person leaves the company)
Establish a theft response team for when a laptop is stolen:
Report loss of laptop to police
Determine effect of lost or compromised data on company, clients, third parties

Page 17:

Device Security

PDAs:
Approved & registered
Configuration: controlled, licensed, & tested S/W
Encryption
Antivirus
Training & due care (including camera use); easily misplaced

Flash & mini hard drives:
Banned and USB disabled, OR encrypt all data

Page 18:

Workbook: Physical Security

Room Classifications (Sensitivity)

Class. | Description | Special Treatment
Confidential | Room contains Confidential info. storage or server | Guard key entry. Badge must be visible. Visitors must be escorted.
Privileged | Room contains computer equipment or controlled substances | Computers are physically secured using a cable locking system. Doors locked between 5 PM and 7 AM, and weekends unless class in session.

Page 19:

Physical Workbook: Criticality Table

Criticality Class. | Description | Special Treatment (Controls related to Availability)
Critical | Room contains Critical computing resources, whose functions cannot be performed manually. | Availability controls include: temperature control, UPS, smoke detector, fire suppressant.
Vital | Room contains Vital computing resources, whose functions can be performed manually for a short time. | Availability controls include: surge protector, temperature control, fire extinguisher.

Page 20:

Workbook: Physical Security

Physical Security map (floor plan figure showing Rooms 123, 124, 125, 128, 129, 130, 132 (Computer Facility) and the Lobby; not reproduced)

Criticality Classification (Availability): Rm 132: Critical; Rm 124, 125, 128, 129: Vital
Sensitivity Classification: Black: Confidential; Gray: Privileged; Light: Public

Page 21:

Workbook: Physical Security

Allocation of Assets

Room | Sensitivity & Crit. Class | Sensitive Assets or Info. | Room Controls
Rm 123 | Privileged, Vital | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9 PM-8 AM by security.
Rm 125 | Privileged, Vital | Classroom: Computer & projector | Cable locking system. Teachers have keys to door.
Rm 132 | Confidential, Critical | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required.

Page 22:

Summary of Physical Controls

Physical access control: Walls, doors, locks; badges, smart cards; biometrics; security cameras & guards; fences, lighting, sensors; cable locking system; computer screen hoods
Environmental controls: Backup power; air conditioning; fire suppressant
Secure procedures: Engraved serial numbers; locked files, desks; clean desk; paper shredders; locking screensaver; locked doors at night

Page 23:

Question

A Fire Suppression system that is environmentally friendly, is not lethal, and does not damage equipment is:

1. Dry Pipe

2. Halon

3. Charged

4. FM-200

Page 24:

Question

The best way to prevent piggybacking into secured areas is:

1. Deadman door

2. Bolting door

3. Guard

4. Camera

Page 25:

Question

A surge protector is the best protection against

1. Electromagnetic interference

2. Loss of power for 10-30 minutes

3. A blackout

4. Sags and spikes

Page 26:

Question

To eliminate problems with incomplete transactions during a sudden power failure, Joe has decided that some form of temporary power supply is necessary to ensure a graceful shut down. The best option for Joe is:

1. UPS

2. Surge protector

3. Alternate power generator

4. Battery supply

Page 27:

Personnel Security

Auditors check for both Physical and Personnel Security too…

Page 28:

Workbook: Personnel Security

Personnel Threats

Threat | Role | Liability or Cost if threat occurs
Divulging private info | Employee | FERPA violation = loss of federal funds
Grant abuse | Employee with grant | Loss of funds from US granting agencies

Page 29:

Security Awareness & Training

Training covers what is expected of employees: Why is the policy in place? How is the policy enforced?
Training may be implemented as: new employee orientation, company newsletters
Determine effectiveness by interviewing employees

Page 30:

Awareness Function: Types of Security Training

Awareness: Create a security-conscious workforce. Audience: employees, partners & vendors. Delivery: newsletters, surveys, quizzes, video training, forums, posters.
Training: Necessary skills for a particular position. Audience: HR, legal, middle or top mgmt, IT, programmers. Delivery: workshops, conferences.
Education: High-level skills. Audience: high-skilled professions: audit, security admin/mgmt, risk mgmt… Delivery: organized and gradual development: teaching & coaching.

Page 31:

Awareness Training

Signed employment agreements, video, memos, emails, posters, seminars and training classes: a combination of parallel approaches

Knowledge areas:
Back up work-related files
Choosing passwords and avoiding exposure
Avoiding email and web viruses
Recognizing social engineers
Recognizing & reporting security incidents
Securing electronic & paper media against theft & exposure
Spotting malware that could lead to identity theft & desktop spying

Metrics should be established to determine the effectiveness of change in behavior and workforce attitude

Page 32:

Segregation of Duties

The four functions of a transaction, each in separate hands:
Origination
Authorization (approves)
Verification (double-checks)
Distribution (acts on)

Page 33:

Organizational Segregation of Duties

Roles: Development; System/Network Admin; Business; Audit; Security/Compliance; Quality Control

Relationships shown in the diagram:
Business advises Development
Development delivers S/W to System/Network Admin
System/Network Admin serves Business
Quality Control tests or ensures quality of S/W or production
Security/Compliance advises & monitors for security
Audit ensures procedures are professionally done

Page 34:

IT Segregation of Duties

Development Environment: Application programmer, Systems programmer
Production Environment: Computer operator, System administrator, Network administrator, Help desk
Test Environment: Quality assurance
Security: Control group, Security admin
Requirements/Design: Systems analyst, Database administrator
User: End user, Data entry

Page 35:

Segregation of Duties Controls

Transaction authorization and custody of assets are kept in separate hands.
Data owner's responsibility is specific and documented; the data owner allocates authorization according to least privilege and segregation of duties.
Security administrator implements physical, system & application security.
Authorization forms.
User authorization tables: who can view/update/delete data, at transaction or field level.
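The origination/authorization/verification/distribution split on the Segregation of Duties slide, the environment split on the IT Segregation of Duties slide, and the authorization tables on this slide can all be checked mechanically, both statically (who holds which roles) and dynamically (who did what to a given transaction). The following is an added example written for this page, not code from the CISA manual or the slide deck; the rule that no one may hold roles in two different environments, the step names, and the sample users and transaction log are assumptions for illustration.

```python
"""Segregation-of-duties (SoD) checks: static role conflicts and per-transaction
dual control. Added example, not from the CISA manual or the original slides.
The environment-to-role grouping follows the IT Segregation of Duties slide;
the cross-environment conflict rule, the step names, and the sample users and
transactions are assumptions for illustration."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ENVIRONMENTS: Dict[str, Set[str]] = {
    "development": {"application programmer", "systems programmer"},
    "production": {"computer operator", "system administrator",
                   "network administrator", "help desk"},
    "test": {"quality assurance"},
    "security": {"control group", "security admin"},
    "requirements/design": {"systems analyst", "database administrator"},
    "user": {"end user", "data entry"},
}
ROLE_ENV = {role: env for env, roles in ENVIRONMENTS.items() for role in roles}


def role_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Static check: flag any user holding two roles from different environments
    (assumed conflict rule). Returns user -> sorted list of conflicting pairs."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        ordered = sorted(roles)
        pairs = [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:]
                 if ROLE_ENV[a] != ROLE_ENV[b]]
        if pairs:
            findings[user] = pairs
    return findings


# The four functions a transaction passes through (Segregation of Duties slide).
STEPS = ("origination", "authorization", "verification", "distribution")


def transaction_violations(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Dynamic check over a transaction log of (txn_id, step, user): report every
    user who performed more than one step of the same transaction, e.g. the
    person who originated a purchase order also approving it."""
    steps_by_user: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for txn, step, user in events:
        if step not in STEPS:
            raise ValueError(f"unknown step {step!r} in transaction {txn}")
        steps_by_user[txn][user].add(step)
    violations = []
    for txn, users in steps_by_user.items():
        for user, done in users.items():
            if len(done) > 1:
                violations.append((txn, user, tuple(s for s in STEPS if s in done)))
    return sorted(violations)


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "alex": {"application programmer", "system administrator"},  # dev + prod
    "sam": {"computer operator", "help desk"},                   # both production
    "kim": {"quality assurance"},
}
SAMPLE_EVENTS = [
    ("PO-1", "origination", "alex"),
    ("PO-1", "authorization", "sam"),
    ("PO-1", "verification", "kim"),
    ("PO-1", "distribution", "sam"),    # sam approved PO-1 and then acted on it
    ("PO-2", "origination", "kim"),
    ("PO-2", "authorization", "kim"),   # kim approved her own request
]

if __name__ == "__main__":
    print(role_conflicts(SAMPLE_ASSIGNMENTS))
    print(transaction_violations(SAMPLE_EVENTS))
```

The static check is what an auditor runs against the user authorization tables; the dynamic check is why the transaction log matters as a control: holding two roles is only a conflict in principle, whereas one person approving and distributing the same transaction is a conflict that actually occurred.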

Page 36:

Workbook: Personnel Security

Personnel Controls

Threat | Role | Control
Divulging private info | Employee | FERPA training: annual quiz review, new employee training
Grant abuse | Employee with grant | Financial controls: employee, administrator and financial office check

Page 37:

Workbook: Personnel Security

Responsibility of Security to Roles

Role | Responsibility
Registrar | Establish FERPA training. Data owner: student scholastic and financial information. Oversee FERPA adherence in Registration dept.
Admin. | Attend FERPA training. Retain locked cabinets with student info.
Security Admin | Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ...

Page 38:

Workbook: Personnel Security

Requirements: Training, Documentation

Role | Requirements: Training, Documentation
Registrar | FERPA experience in hiring. Training every 3-5 years at a national conference or workshop.
Employee handling student data | University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy.

Page 39:

Personnel Issues

Background checks can reduce fraud; the more secure the position, the more checking is required. A standard or procedure may be useful.
Training & signed contracts
Track and document theft: minor incidents could add up to a major pattern problem
Email can be monitored for potential problem employees, assuming a policy is in place and employees are aware

Page 40:

Employee Hiring

Document security responsibilities
Screen candidates for sensitive positions
Have signed agreements regarding: job responsibilities, conditions of employment; security responsibilities (incl. copyright); confidentiality agreement
Indicate corrective actions taken if security requirements are not followed

Page 41:

New Employee Orientation

New employee signs Privacy Policy document:
Has read and agreed to follow security policies
Conform to laws and regulations
Promise to not divulge logon IDs and passwords
Create quality passwords
Lock terminal when not present
Report suspected violations of security
Maintain good physical security (locked doors, private keys)
Use IT resources only for authorized business purposes

Page 42:

Employee Termination

Unless a continued relationship is expected:
Return equipment
Revoke access
Return all access keys, ID cards and badges
Notify all staff and security personnel
Arrange final pay
Perform termination interview

Page 43:

Third Party Agreements

Define information security policy
Define procedures to implement policy
Deploy controls to protect against malicious software
Publish restrictions on copying/distributing information
Implement procedures to determine whether assets were compromised
Ensure return or destruction of data at end of job

Page 44:

Summary of Personnel Controls

Segregation of duties
Mandatory vacations or job rotation
Training and written policies and procedures
Background checks
Need to know / least privilege
Fraud reporting mechanism
Transaction logs

Page 45:

Question

Which of the following duties can be performed by one person in a well-controlled IS environment?

1. Software Developer and System Administration

2. Database administration and Data Entry

3. System Administrator and Quality Assurance

4. Quality Assurance and Software Developer

Page 46:

Question

Which is MOST important for a successful security awareness program?

1. Technical training for security administrators

2. Aligning the training to organization requirements

3. Training management for security awareness

4. Using metrics to ensure that training is effective

Page 47:

Question

To detect fraud, the BEST type of audit trail to log would be:

1. User session logs

2. Firewall incidents

3. Operating system incidents

4. Application transactions

Page 48:

Vocabulary

Blackout, brownout, sag, spike, surge, electromagnetic interference
Surge protector, UPS (uninterruptible power supply), alternate power generator
Fire suppression: charged, dry pipe, FM200, Argonite
Deadman door, piggybacking
Security awareness, security training, security education
Segregation of duties

Page 49:

HEALTH FIRST CASE STUDY

Designing Physical Security

Jamie Ramon, MD: Doctor
Chris Ramon, RD: Dietician
Terry: Licensed Practicing Nurse
Pat: Software Consultant

Page 50:

Defining Room Classifications and Controls

Sensitivity Classification | Description | Special Treatment (Examples)
Proprietary | Room contains Proprietary information storage. | Room and all cabinets remain locked.
Confidential | Room contains Confidential information storage. | Workstation monitor has a hood.
Private | Room contains computer with access to sensitive data, or room contains controlled substances. | Room remains locked when not attended. No visitors are allowed in these areas unescorted.
Privileged | Room contains computer with access to sensitive data, but public has access when escorted. |
Public | The public is free to spend time in this room, without escort. |

Criticality Classification | Description
Critical | Room contains Critical computing resources, whose functions cannot be performed manually.
Vital | Room contains Vital computing resources, whose functions can be performed manually for a short time.

Page 51:

Physical Security Map

(Floor plan figure; not reproduced.)
Sensitivity Classification Color Key: Green: Public; Yellow: Privileged; Orange: Private; Red: Confidential

Page 52:

Workbook: Physical Security

Allocation of Assets

Room | Sensitive Assets or Information | Room Controls
Rm 123 | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9 PM-8 AM by security.
Rm 125 | Classroom: Computer & projector | Cable locking system. Teachers have keys to door.
Rm 132 | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required.

Page 53:

Reference

Slide # | Slide Title | Source of Information
4 | Criticality Classification | CISA: page 127, Exhibit 2.18
6 | Security: Defense in Depth | CISM: page 60, 61, Exhibit 1.16
7 | Defense in Depth: Physical access controls with Guards | CISM: page 61, Exhibit 1.16
9 | Power Protection Systems | CISA: page 381, 383
10 | Computer Room Equipped with | CISA: page 382
12 | Fire Suppression Systems | CISA: page 382
13 | Door Lock Systems | CISA: page 385
14 | Deadman Doors | CISA: page 386
16 | Mobile Computing | CISA: page 386, 387
17 | Device Security | CISA: page 256, 256, 344
29 | Security Awareness & Training | CISA: page 321, 369
32 | Segregation of Duties | CISA: page 117, 118
35 | Segregation of Duties Controls | CISA: page 119, 120
40 | Employee Hiring | CISA: page 105
42 | Employee Termination | CISA: page 106