Physical Security Assessment

Agenda

• Physical Security – Baseline Definitions and Convergence Drivers

• What is a Risk Assessment; When Should You Do One; and Why?

• Determining Your Company’s/Organization’s Unique/Individual Risk Appetite

• Getting Started – The Project Plan

• Sample Risk Assessment Tools

• Your Corrective Action Plan – Basics to Consider

Physical Security Baseline Definitions• Physical security involves measures undertaken to protect personnel, equipment and

property against anticipated threats.

• Passive measures include the effective use of architecture, landscaping and lighting to achieve improved security by deterring, disrupting or mitigating potential threats.

• Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats.

• ISO 27001 role of physical security – Protect the organization’s assets by properly choosing a facility location, maintaining a security perimeter, implementing access control and protecting equipment.

• The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with the computer security management, program and functional managers, and others, as appropriate. Physical security should address not only central computer installations, but also backup facilities and office environments. In the government, this office is often responsible for the processing of personnel background checks and security clearances.

• What is the impact of convergence (merging IT security and physical security) on this role and how does it play into the responsibilities for physical security risk assessments and action plans?

• Operational Security

• The process of creating policies and procedures and establishing controls to preserve privileged information regarding organizational capabilities and vulnerabilities. This is done by identifying, controlling and protecting those interests associated with the integrity and the unimpeded performance of a facility. Includes, training, policies and procedures, facilities access, tenant space.

• Facilities Management

• This role is almost exclusively planted in the world of physical security management. Key skills are the ability to run and maintain crucial environmental systems, mechanical processes, HVAC, fire alarms, etc. Facility Managers can extend their knowledge through teaming with other security professionals to understand risk management and technical security advances that will enhance the overall security posture of their organization.

• Information Security

• The process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside the organization or facility. Key elements, limiting/managing access to informational and Information Technology resources, ensuring data is protected in transmission, developing and enforcing policies, audit and compliance, incident management.

Security Roles and Responsibilities

What is a Risk Assessment?

• Prior to embarking on the risk assessment, ensure that policies and procedures are in place and have been updated recently and ensure that an effective security program is in place.

• The purpose of the risk assessment is to assess the system’s use of resources and controls (implemented and planned) to eliminate and/or manage vulnerabilities that are exploitable by threats to the organization. It will also identify any of the following vulnerabilities:

– Risks associated with the system operational configuration– System’s safeguards, threats and vulnerabilities– New threats and risks that might exist and, therefore, will need to be addressed in the corrective

action plan

• View the system relative to its conformance with corporate policies and procedures and all applicable legal and regulatory requirements

• The risk assessment should:– Provide a clear definition of the scope of the assessment such as present configuration, physical,

environmental, personnel, telecommunications, and administrative security services provided– Identify which assets need to be protected and assign a value to each asset, identify owners and

label its business criticality.– Identify any and all threats.

• Identified threats can be incorporated into a dynamic threat model/digital dashboard and integrated to other threat and vulnerability models, data, etc.

• Once identified, prioritize threats along with means to counter and respond to them

A typical weakness to most security programs/plans is the lack of a comprehensive risk and vulnerability assessment and most only address

security from an electronics systems perspective

When Should You do a Risk Assessment?• Your Company has a policy to conduct a periodic or annual enterprise risk assessment

• You are opening a new facility or moving

• You have had an audit finding

• You have had a breach / other identified vulnerability

• Compliance to legal and regulatory requirements

• Mergers, acquisitions, divestitures

• Outsourcing

• Partnerships and alliances

• You are implementing a new technology

• Other?

Why Should You Do a Risk Assessment?• A comprehensive integrated risk and vulnerability assessment will assist management in critical

financial decisions as well as budgeting

• Since 911 everyone is increasingly concerned with safety of tenants and employees

• If you don’t have an integrated risk assessment, how do you know what your security program should be, what to do first, second, etc.?

• How do you justify costs, resources, schedules, etc. without the output of a risk assessment?

• How do you know if you are compliant to legal and regulatory requirements?

• How do you know what an acceptable level of risk is for your organization and how do you communicate that and implement policies and procedures around that?

• Through the process of the risk, threat and vulnerability assessment you will learn and discover things about your environment that were previously unknown.

• Depending on time and available resources, quantitative and qualitative assessments both have value. There are pros and cons to each.

•To define your organization’s risk appetite and determine the acceptable level of risk, you should answer the following questions:

• Where do we feel we should allocate our limited time and resources to minimize risk exposures? Why?

• What level of risk exposure requires immediate action? Why?

• What level of risk requires a formal response strategy to mitigate the potentially material impact? Why?

• What events have occurred in the past, and at what level were they managed? Why?

• Each question is followed by a “why” because the organization should be able to articulate the quantitative and/or qualitative basis for the appetite, or it will come off as backwards-looking (based only on historical events) or even arbitrary.

• Develop a risk appetite table.

Determining Your Unique/Individual Risk Appetite

Getting Started• Develop a project plan and schedule (follow traditional project management

discipline and methodology)

• Identify policies and guidelines to follow models and methodologies

• Identify areas to be reviewed, measurement criteria and resources

• Decide on scoring methodology (quantitative or qualitative analysis)

• Identify other existing resources/inputs and how that information will factor in Scorecards, metrics, audit findings, compliance assessments, incidents, vulnerability assessments, etc.

• Define end state and all output (documents, reports, presentations, action plan, etc.)

Security Risk Assessment OutlineI. Background

II. Purpose

III. Scope

IV. Assumptions

V. Description of System

I. System Attributes

II. System Sensitivity

VI. Systems Security

I. Administrative Security

II. Physical Security

III. Technical Security

IV. Software Security

V. Telecommunications Security

VI. Personnel Security

VII. System Vulnerabilities

I. Technical Vulnerability

II. Personnel Vulnerability

III. Telecommunications Vulnerability

IV. Environmental Vulnerability

V. Physical Vulnerability

VIII. Glossary of Terms

IX. Acronyms

Simple Assessment Checklist• Facilities and Physical• What preventative measures do you currently have in place? (Yes, No, N/A)

1. Access to secured areas limited to necessary personnel.

2. Monitor and review the distribution of keys and/or access codes.

3. When employee terminates, keys are collected and/or access codes are terminated.

4. Physically secure equipment that is portable and located in open access areas.

5. Use of security cameras in areas where equipment cannot be easily secured or monitored (for example in computer labs and classrooms).

6. Use the 'STOP' Program to track property and equipment.

7. Require employees to attend vehicle safety training offered by Environmental Heath & Safety.

8. Reported previous losses to Public Safety at the time they were discovered.

9. Implement specific preventative measures in direct response to a loss.

Another Assessment / C heck list• I T Facilities or Computer Room• Security is the most important part of maintaining the security of a computer system, and is often

overlooked by careless system administrators who assume their occasional proximity to a system is enough protection. This may be sufficient for some systems, but in most cases, there are more factors to be considered before a system can be called physically safe and secure.

• Is the system located on a sturdy, stable surface as close to the ground as possible?

• Is the system safe from excessive sunlight, wind, dust, water, or extreme hot/cold temperatures?

• Is this system located in a monitored, isolated area that sees little human traffic?

• Is the room/building in which the system is located secured by lock and alarm system to which only a few trusted / identified personnel have access? Are these locks and alarms locked and armed during off hours?

• Is the console of the system secured to prevent someone from casually walking up to the system and using it (even if just for a few seconds)? Are all users logged out from the console?

• Is the power and reset switches protected or disabled?

• Are any input devices to the system secured/turned off: are all removable disk drives locked/secured? Are the parallel/serial/infrared/Bluetooth/USB/SCSI ports secured or removed? Are any attached hard drives physically locked down to the systems?

• Is your physical network secured with no danger of unauthorized wiring?

Secure Assess – GSA (Software Tool)• General Security Assessment (GSA)

• General Facility Information

• Physical Security Protections – Facility

• Information System(s) Network – Physical Security

• Security Support Functions

• Administrative Security

• Document Security

• Organizational Security

Additional if missed in your review1. Lock up the Server Room

2. Set up surveillance

3. Make sure the most vulnerable devices are in that locked room

4. Use rack mount servers

5. Don’t forget the workstations

6. Keep intruders from opening the case

7. Protect the portables and remote access devices

8. Pack up the backups

9. Disable decommissioned drives

10. Protect your Printers and FAX machines

Use These Tools to Remediate Weaknesses• Security systems with features such as access control and CCTV were designed and installed to help deter

criminal activity, record entry and exit, and protect employees while on the job. In addition to providing employee protection, these security tactics serve the dual purpose of protecting the company against fraudulent lawsuits filed by employees or visitors.

• Badging (access cards, picture badges, color code non-employees, temporary visitor badges/process)

• Card Readers (integration of physical and logical access)

• Integration of physical and electronic security (IBM and CISCO)– If three people try to enter a door with only one security card recorded upon entry, the image

from the security camera can alert the guards to investigate a possible intrusion.

• Surveillance Systems / Digital Cameras

• Receptionist desk at main entry point

• Security Guards

Policies and Procedures• Simple and effective changes to a company’s policies and procedures can often have just as great an impact

on risk reduction as capital improvements or installation of security devices.

• Policy and procedure changes are generally quick to implement and low in cost, making them an extremely effective way to improve security.

• The key to the success of any change is to make sure that the staff understands and accepts the new policies and procedures.

• It is imperative that the staff is well informed of the policies and procedures and the reason that these are important.

• Policies and procedures can only be effective when they are consistently implemented. Some general policy and procedural recommendations provided below.

– Track keys issued to personnel.

– Retrieve keys when no longer needed, including those instances when personnel are reassigned.

– Replace locks on an as-needed basis to reduce the likelihood of security breaches due to lost keys, unauthorized duplicate keys, keys held by former employees, etc.

– Replace of the traditional key systems with a card reader system for better control options.

– Implement random, but frequent, inspections of the security perimeter at critical facilities identified in the vulnerability assessment and designating appropriate review intervals for inspections of security equipment at other facilities. Establish a minimum number of personnel in the inspection crew in procedures, safety plans, etc.

– Implement a formal annual review of the adequacy of security plans, procedures, and equipment.

Policies and Procedures (continued)– Involve and cooperate with other organizations that can affect the utility’s security.

For example, contact chlorine and other chemical suppliers to discuss the need for adequate security during transport as well as to develop protocols to respond to missing or delayed shipments.

– Maintain replacement parts and emergency repair kits for critical assets, such as generators, that are important during emergencies. Maintain redundant equipment, critical replacement parts, etc. in a separate or isolated location. It can be on site or nearby, but not within the same building or room.

– Develop a utility vehicle use policy (including locking vehicles and tool bins, securing tools, etc).

– Establish procedures for night shift workers, including regular check-ins with supervisors.

– Establishing published guidelines so that all future procurements and designs address security issues and incorporate solutions. All requests for proposals should include a security portion so that responding consultants are reminded that security must be addressed in their work and in their own operational practices.

– Continuing to monitor the visitor entrance. Establish a policy for facility tours delineating who is authorized to approve access, areas that can be accessed, and the times that tours are allowed.

Impact of Information Security Legislation

Thorny Solutions – Landscape Security

• Reinforced planters, light posts and benches are often used to enhance site security, making it impossible for a bomb-laden car to get close to a building.

• What landscape options are available for companies that are concerned about individual trespassers accessing high-security areas?

• Some trees and scrubs can be useful in this case.

– Hawthorne

– Hardy Orange

– Black Locust

– Pyracantha

– Barberry

– Roses