Why do most public and private sector organizations still maintain separate security organizations for their physical and cybersecurity functions? > Do you think global businesses sh

> Why do most public and private sector organizations still maintain separate security organizations for their physical and cybersecurity functions?

> Do you think global businesses should merge physical security and cybersecurity?

> What are some of the common threats that might result from inappropriate security in that area?

Need 3 pages with peer-reviewed citations. No introduction or conclusion needed.

CH15-17-ITGovernance.pdf

15

Physical and environmental security

Control category A.11 deals with physical and environmental security. It deals with what might be called geographic or area security, with equipment security and with general controls to protect physical assets. Large or multi-site organizations might, as discussed in Chapters 5 and 6, need to break themselves down into a number of physical domains (giving due consideration to any communication links between them) and then consider each domain on its merits.

Secure areas

Control objective A11.1 deals with secure areas. Its objective is to prevent unauthorized physical access, damage or interference to business premises and information. It has six sub-clauses. Critical or sensitive information and information processing facilities should be housed in secure areas protected by a defined secure perimeter, with appropriate security barriers (eg walls, fixed floors and ceilings, card-controlled entry gates) and controls (eg staffed reception desks) that provide protection against unauthorized access or damage to papers, media or information processing facilities. The protection implemented should be commensurate with the assessed risks and the classification of the information, and should take into account out-of-hours working and similar issues.

Physical security perimeter

Control 11.1.1 of ISO27002 says the organization should use a security perimeter to protect areas that contain information processing facilities. It may be appropriate, depending on the risk assessment and the classification of the information being protected, for an organization to use more than one physical barrier, as each additional barrier may increase the total protection provided.

IT GOVERNANCE206

The first step is to use a site or floor plan to identify the area that needs to be secured. A copy of this document should be found with the property title deeds. The plan that is with the deeds is there to show clearly the premises that the organization owns or leases, and it is the most appropriate base document to use for defining the secure perimeter as it identifies clearly the property over which the organization has control.

A continuous line should be drawn around the premises on the site plan, including all the information and information processing facilities that need to be protected. This line should follow the existing physical perimeter (and a perimeter in this context is something that provides a physical barrier to entrance) between the organization and the outside world: walls, doors, windows, gates, floors, fixed ceilings (false ceilings hide a multitude of threats), skylights, etc. Special attention should also be given to lifts and lift shafts, risers, maintenance and access shafts, etc. This site plan, showing the defined physical perimeter, should form part of the ISMS records. The ISO27001 auditor will almost certainly want to see it and then to test the effectiveness of the perimeter.

A comprehensive risk assessment should be carried out to identify the weaknesses, vulnerabilities or gaps in this perimeter, and from this assessment the appropriate physical controls – the additional physical barriers, such as doors, card-controlled gates, staffed reception desk, etc – can begin to be identified. While not all organizations will have information as valuable as that obtained by Tom Cruise’s character, Ethan Hunt, in the first Mission Impossible, the way in which he gained access to the room within which it was kept indicated that the guarding organization’s risk assessment had not been sufficiently thorough. There was a vulnerability in the physical perimeter that Ethan Hunt identified and then exploited in a way that demonstrates that ‘difficult to imagine someone coming in through those ducts’ was an inadequate approach to securing the physical perimeter. The ISO27001 auditor should want to see the documented risk assessment and will analyse its thoroughness and effectiveness, initially by challenging the person responsible for defining it and then, after inspecting likely vulnerable areas, by probing to see how secure it actually is.

The following controls should form part of the implemented security perimeter:

●● The perimeter itself is defined (and the secure environment within it is an asset that should have been the subject of a risk assessment) in a document and, if possible, by means of appropriate signage, and staff are aware of what and where it is.

●● The perimeter (particularly of a building containing information processing facilities) should be physically sound. There should be no gaps in the perimeter (risers, lift shafts, air-conditioning vents, etc should all be assessed) or areas where a break-in could easily occur. The external walls should be of solid construction and all external doors should be protected against unauthorized access using appropriate control mechanisms, one-way bars, alarms, locks, etc.

●● There should be a staffed reception area or other means to control physical access to the site or building. Access to secured premises should be restricted to authorized personnel only.

●● Physical barriers should be extended from real floor to real ceiling (ie below and above any false floor or false ceiling, particularly those installed to provide effective ducting for cabling) to prevent unauthorized entry or environmental contamination such as that caused by fire or flood.

●● All fire doors on a security perimeter should open outwards only, should slam shut (because they have working door-closing mechanisms fitted to them) and should be alarmed (and this fact should be advertised on the doors to try to prevent inadvertent false alarms). Some organizations site CCTV cameras to cover these doors to watch for deliberate false alarms that might be designed to distract security staff attention from a planned point of real break-in elsewhere or to enable a perimeter breach before security staff can attend.

●● Appropriate intruder detection systems (which are manufactured to relevant standards) should be professionally installed and maintained. All external doors and accessible windows (particularly on the ground floor) should be covered, and unoccupied areas should probably be alarmed. The alarm cover should be specifically extended to include computer and communications rooms. Copies of test certificates, schedules of key holders and alarm response procedures (who is to do what when an alarm goes, including out of hours) should be retained as part of the ISMS records. Key holders should receive training in how to respond to alarms, what to do to secure the site after a break-in or other incident, and what the escalation procedure is. The alarm response procedure should be reviewed after every alarm incident, and where a police response service is part of the security set-up, every effort has to be made to avoid false alarms, as these can lead the police to withdraw their cover. This is particularly important where the organization includes a manual alarm trigger at, for instance, the reception desk to help deal with unwanted intruders during opening hours; these alarms can easily be triggered accidentally. However, making them awkward to trigger detracts from their effectiveness in addressing the reason for having them in the first place.

There are particular problems where two or more organizations share physical premises. In these circumstances, more than one secure perimeter may be necessary. For instance, there may be a staffed reception desk that lets employees of both organizations on to the property according to jointly agreed procedures. Each organization might then restrict access to its own floors, either through key cards or through its own reception desk. Where this type of additional perimeter is not possible, there may need to be individual security perimeters around individual information assets or information processing facilities in order to ensure that the organization’s information processing facilities are physically separated from those managed by any third parties.

Physical entry controls

Control 11.1.2 of ISO27002 says that secure areas (see A.11.1.3, which is discussed below) should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access to the premises. ISO27002 recommends specific controls, some of which are more difficult for smaller companies, but which are nevertheless worth considering and, wherever possible, implementing:

●● Visitors to secure areas – whether the site itself or specific areas within the site – should be supervised, or cleared in advance, and their date and time of arrival and departure recorded. Access should only be granted for specific, authorized purposes and all such visitors should be issued with instructions on the security requirements of the area and on emergency evacuation procedures. These instructions are usually recorded on a standard visitor’s pass, which itself records the date and time of arrival into a ledger on which the departure details can be recorded when the visitor leaves. Good practice would usually require the security staff issuing the visitor’s pass to confirm by telephone that the visitor is expected and the purpose of the visit. A more secure set-up would be for the visitor’s details to be notified to the reception desk in advance and for a telephone check to take place when the visitor arrives. In high-security areas, these visitor lists might have to be approved by a senior line manager before they are forwarded to the security desk. Visitors should be accompanied everywhere by a member of staff, and where necessary their identity should be reconfirmed prior to access to other sections of the secure area being granted. Visitors’ passes should use some slightly complex and visible system of demonstrating whether or not they are still valid; for instance, all passes issued on a Monday might have a black dot, those issued on Tuesdays a red square, etc.

●● The selection of security services is itself a security risk. Not all such companies take appropriate steps to vet and train their operatives, and it is therefore essential that appropriate controls in respect of external parties are fully implemented. No matter what their prior training or experience, security guards should also receive training in the internal security procedures of the organization for which they are providing security services.

●● Where access for unauthorized people to the site or building is controlled remotely from the reception desk, there should be an effective communication tool that enables the receptionist to identify (both verbally and visually) the visitor before allowing access.

●● Access to sensitive information, and information processing facilities, should be controlled and restricted to specifically authorized persons only. This is particularly important for the computer server room(s), access to which needs to be severely limited. Authentication controls, such as a swipe card and/or individual PIN codes, should be used to authorize and validate access to secure areas, and to secure areas within the security perimeter. If possible (and if required by the risk assessment), the swipe card entry system should also provide an auditable trail of access. The record of visitor passes issued should be maintained in a secure location, as it might, at some point in the future, be required to identify an intruder.

●● All personnel should be required to wear some form of visible identification (which could be incorporated with an access card – which might work through swiping, physical proximity or biometric accuracy) and should be encouraged to challenge or report unescorted strangers or anyone not wearing visible identification. A visible identification badge is a control far more important in a large organization than in a small one, but in any size of organization, unidentified and unaccompanied visitors should always be challenged. There are many organizations for which this, on its own, will require a significant culture change, and this could significantly contribute to improved security. Of course, even in a small organization the fact that visitors have to wear badges acts as a deterrent to opportunist trespassers or intruders, as they will realize that they are obviously out of place without the appropriate visual ‘stamp’ of approval (assuming this control is implemented effectively and passes are retrieved from visitors and staff leavers who no longer have need for them).

●● All staff who might encounter visitors should be trained so that it is difficult for a social engineer to bypass physical security controls.

●● Access rights to secure areas should regularly be reviewed, updated and, where necessary, revoked. This is particularly important for access rights to computer server rooms. The record should be reviewed on a regular basis by the information security management forum, and a record of the forum’s review should form part of the ISMS documentation.

●● Third-party support personnel should have access rights that are, to the greatest extent possible, restricted to those secure areas or information processing facilities they need to access for specific times, and these access rights should be monitored, reviewed and, where necessary, revoked.
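The entry-control points above amount to an authorization decision (a card, an individual PIN for the server room, time-bounded rights for third-party support staff, revocation for leavers), an auditable trail of every attempt, and a periodic review of who still holds which rights. The Python below is an added illustration of that logic; it is not code from the book or from ISO27002. The card holders, areas, PINs and swipe events are constructed, and the class and function names are my own.

```python
"""Entry-control decision logic for secure areas, with an auditable trail
and a periodic access-rights review.  Added example; every card holder,
area and swipe event below is constructed for illustration."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Areas where a swipe alone is not enough: a per-person PIN is also required.
AREAS_REQUIRING_PIN = {"server-room"}


@dataclass(frozen=True)
class Grant:
    area: str
    valid_from: Optional[datetime] = None  # None means open-ended
    valid_to: Optional[datetime] = None    # set for third-party support windows


@dataclass
class CardHolder:
    card_id: str
    name: str
    pin: str
    grants: tuple
    revoked: bool = False  # leavers keep a record but lose all access


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    card_id: str
    area: str
    pin_entered: Optional[str] = None


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    card_id: str
    area: str
    granted: bool
    reason: str


class EntryController:
    def __init__(self, holders):
        self.holders = {h.card_id: h for h in holders}
        self.trail = []  # the auditable trail: every attempt, denied ones included

    def request(self, ev: AccessEvent) -> AuditRecord:
        granted, reason = self._decide(ev)
        rec = AuditRecord(ev.when, ev.card_id, ev.area, granted, reason)
        self.trail.append(rec)
        return rec

    def _decide(self, ev: AccessEvent):
        holder = self.holders.get(ev.card_id)
        if holder is None:
            return False, "unknown card"
        if holder.revoked:
            return False, "card revoked"
        grant = next((g for g in holder.grants if g.area == ev.area), None)
        if grant is None:
            return False, "no grant for area"
        if grant.valid_from is not None and ev.when < grant.valid_from:
            return False, "grant not yet valid"
        if grant.valid_to is not None and ev.when > grant.valid_to:
            return False, "grant expired"
        # Constant-time comparison so PIN checking does not leak by timing.
        if ev.area in AREAS_REQUIRING_PIN and (
            ev.pin_entered is None or not hmac.compare_digest(ev.pin_entered, holder.pin)
        ):
            return False, "PIN missing or incorrect"
        return True, "ok"

    def review(self, now: datetime, unused_after: timedelta = timedelta(days=90)):
        """Material for the periodic access-rights review: grants not exercised
        recently, time-bounded grants that have lapsed but are still configured,
        and every denied attempt in the trail."""
        last_use = {}
        for r in self.trail:
            if r.granted:
                key = (r.card_id, r.area)
                last_use[key] = max(last_use.get(key, r.when), r.when)
        stale, expired = [], []
        for h in self.holders.values():
            if h.revoked:
                continue
            for g in h.grants:
                key = (h.card_id, g.area)
                if g.valid_to is not None and g.valid_to < now:
                    expired.append(key)
                elif key not in last_use or now - last_use[key] > unused_after:
                    stale.append(key)
        denied = [r for r in self.trail if not r.granted]
        return {"stale": stale, "expired": expired, "denied": denied}


def run_demo():
    """Constructed scenario: two staff, a vendor engineer with a one-afternoon
    server-room window, and a leaver whose card has been revoked."""
    day = datetime(2024, 3, 4)
    holders = [
        CardHolder("C001", "Alice (sysadmin)", "4821", (Grant("office"), Grant("server-room"))),
        CardHolder("C002", "Bob (finance)", "1133", (Grant("office"),)),
        CardHolder("C003", "Carol (vendor support)", "7777",
                   (Grant("server-room", day + timedelta(hours=14), day + timedelta(hours=17)),)),
        CardHolder("C004", "Dave (left last month)", "9090", (Grant("office"),), revoked=True),
    ]
    ctl = EntryController(holders)
    events = [
        AccessEvent(day + timedelta(hours=9), "C001", "server-room", "4821"),            # granted
        AccessEvent(day + timedelta(hours=9, minutes=5), "C002", "office"),              # granted
        AccessEvent(day + timedelta(hours=10), "C002", "server-room"),                   # no grant
        AccessEvent(day + timedelta(hours=14, minutes=30), "C003", "server-room", "7777"),  # in window
        AccessEvent(day + timedelta(hours=18, minutes=5), "C003", "server-room", "7777"),   # window closed
        AccessEvent(day + timedelta(hours=19), "C004", "office"),                        # revoked
        AccessEvent(day + timedelta(hours=20), "C001", "server-room", "0000"),           # wrong PIN
        AccessEvent(day + timedelta(hours=21), "C999", "office"),                        # unknown card
    ]
    for ev in events:
        ctl.request(ev)
    report = ctl.review(now=day + timedelta(days=30))
    return ctl, report
```

Calling `run_demo()` returns the controller, whose `trail` holds all eight attempts with a reason for each refusal, and the review report that the information security management forum would work from: Alice's unused office grant shows up as stale, Carol's lapsed support window as expired, and the five refusals as denied attempts. In a real installation the trail would be written to append-only storage and the PIN stored hashed rather than in clear, but the shape of the decision and of the review is what the bullets above call for.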

Securing offices, rooms and facilities

Control A.11.1.3 requires the organization to create secure areas within the security perimeter to protect offices, rooms and facilities that have additional, special security requirements. A secure room may contain lockable cabinets or safes. Secure rooms could be any rooms within the premises but will certainly include server rooms, telecommunications rooms and plant (power and air-conditioning) rooms. Some other areas (such as accounts or HR, or directors’ offices) might also need to be secured. Many CEOs’ offices should also be treated as secure rooms.

There could be a clash, within organizations that are strongly committed to open-plan working, between the desire for openness and the need for security. This will have to be addressed and solutions found that can be consistently and coherently applied across the whole organization. Part of the solution will lie in what sort of meeting rooms or available secured areas can be used by employees, and part will depend on how information is classified and what facilities are made available for its storage.

ISO27002 provides very common-sense advice on the selection and design of a secure area, and this section should be read in conjunction with the next sub-section, ‘Protecting against external and environmental threats’. Secure area design should take account of the possibility of damage from fire, flood, explosion, civil unrest and other forms of natural or human-created disaster. The risks posed by neighbouring premises should be considered, such as potential leakage of water from outside the secure area. Secure storage facilities, such as safes and high-security document stores, also need to be sited in such a way that they can be located on a site map within the business continuity documentation and quickly and easily recovered after a disaster. This will require consideration to be given to issues such as the fire-resistance period of surrounding doors and floors; the organization wants to avoid scenarios where, for example, after an explosion in the building, a safe containing all the organization’s insurance documents falls from its location on the first floor right through into the basement of the building and has to be recovered (when it can be found) from among the debris of fire and flood.

The controls that ISO27002 recommends should be considered and, if appropriate, implemented include the following:

●● Key storage areas and keyed entrance areas should be sited to avoid access by unauthorized persons and by the public.

●● Buildings that contain information processing facilities should be unobtrusive and give as little indication as possible of their presence or purpose.

●● Office machinery, such as printers and photocopiers, should be sited within the secure perimeter in such a way that access to more secure rooms is not required. In other words, do not put the scanner or printer machine in the same room as the computer servers, nor in a public area where unauthorized individuals may access the output.

●● Doors and windows should be locked when the building or room is unattended. External protection, such as burglar bars, should be considered in the context of the risk assessment for ground-floor and any other accessible windows. This is particularly important for the computer server and communications rooms, which should be accessible only to a small number of authorized personnel, each of whom has individual access codes so that a record of access and egress can be maintained at an individual level. No one should be allowed into one of these rooms unless accompanied at all times by an authorized person. Externally, any special precautions taken for specific rooms (eg whitewashed windows or bars) should not stand out in comparison to other rooms, as this would clearly indicate to a potential intruder where the most valuable assets might be stored. There should be no obvious signs outside the building to indicate how valuable or important a room is.

●● As discussed earlier, information processing facilities managed by the organization should be physically separate from those managed by third parties, even if this means erecting a cage or some other form of physical security within a shared secure area.

●● Internal directories or telephone books or other guides that identify the location or telephone numbers of secure, sensitive areas should not be accessible by the public or unauthorized persons.

●● Hazardous or combustible material, particularly office stationery, should not be bulk-stored within a secure area. There should be a separate area, some distance away, where such material is stored. Regular inspections of secure rooms, by someone other than those responsible for their day-to-day management, are usually necessary to ensure that this requirement is observed.

●● Back-up equipment and media should not be stored with the equipment that they will back up, in order to ensure that the organization can actually restore operations if it loses or otherwise has compromised its front-line facilities (through, for example, fire in the server room or terrorist activity affecting the whole of the premises).

Finally, a word about keys: keys should not be left in locks, irrespective of whether or not the access route has an automatic door closer. If the lock has not been engaged, it is possible for the key to be used by someone (whether accidentally or maliciously) to activate the lock, thus restricting planned access or egress at a later time.

Protecting against external and environmental threats

Control 11.1.4 of ISO27002 encourages organizations to protect themselves from damage due to fire, flood, earthquake, explosion, civil unrest and other forms of natural or human-created disaster. The discussion, above, about external threats to secure areas should be applied to the organization’s general physical locations. In a sense, this control is asking the organization to ensure that it has complied with health and safety and fire regulations and that it has carried out all the relevant risk assessments required by these regulations, while the comments, above, about controls against threats to secure areas apply more generally. In particular, there should be an appropriate site-level risk assessment covering the possibility of all these natural or human-created disasters; premises in a known earthquake area, for instance, face a greater threat than those elsewhere, and the organization’s business continuity plan will need to take appropriate account of the threat. Similarly, likely local activity (including that of neighbours) should be considered, as should the risks of particularly high-profile locations – for instance, there might be protest marches, terrorist atrocities or police activity near government offices. In particular, choice of fall-back locations should be driven by consideration of likely repercussions of particular events: the diameter of the area likely to be affected by a bomb explosion, the likely effect of a police cordon, etc.

The auditor will want to see, and the board will want to know, that an appropriate risk assessment has taken place and that appropriate controls against such disasters have been implemented. Of course, these controls must be consistent with the corporate risk treatment plan.

Working in secure areas

Control 11.1.5 of ISO27002 says the organization should implement controls and guidelines for working in secure areas, to enhance the security provided by being within a secure perimeter and/or a secure area. These additional controls are largely common-sense extensions of the controls discussed earlier. ISO27002 suggests that the organization consider the following additional controls:

●● Only allow employees (or contractors or third parties) to know about the existence of, or activities within, a secure area on a ‘need-to-know’ basis.

●● Avoid unsupervised working within secure areas so as to avoid the opportunity for malicious activities. The extent to which this control is worth implementing does depend on the risk assessment and the size of the organization. At the very least, staff who are being disciplined, or who are on notice, should not be allowed into secure areas unsupervised. This also reduces the health and safety risk for a lone worker, who might have an accident or become ill in an area to which first-aiders may not have access without one of a restricted number of authorized staff being available to open secure doors.

●● Vacant areas should be kept locked and periodically checked. This activity should form part of the schedule of activities of a security guarding company or individual guard.

●● Personnel of contracted third-party service providers should be given only restricted access to secure rooms, and this should always be under supervision.

●● Recording equipment (mobile phones, cameras, videos, photocopiers, etc) of any sort should not be allowed within secure areas; the records could (accidentally or deliberately) come into the hands of someone who wants to gain unauthorized access to the organization’s sensitive information.

●● Additional security restrictions may become necessary when the organization is working, in a specific area of its site, to develop something that needs to be kept confidential for a period of time.

●● Finally, specific controls might be necessary to ensure that personal mobile devices (eg smartphones) or other recording devices (digital cameras, handheld video cameras, USB flash sticks, smart spectacles, etc) do not collect information from secure areas.

Delivery and loading areas

Control 11.1.6 of ISO27002 says the organization should control delivery and loading areas as well as any other areas to which unauthorized persons (such as members of the public) might have access and, if possible, to keep them isolated from information processing facilities in order to limit the danger of unauthorized access to those facilities. This control will have a different importance for different types of organization. A manufacturing or retailing organization is, for instance, likely to have more significant public access, loading and delivery issues than a straightforward office-based organization. The risks range from unauthorized personnel (customers, delivery drivers, etc) to dangerous deliveries (eg bombs, anthrax), any of which might compromise the organization’s information security. A risk assessment should, as with every other area to be controlled, be used to determine the security requirements.

The measures that ISO27002 wants to be considered are as follows:

●● Access to a holding area from outside the secure perimeter should be restricted to identified and authorized delivery staff or other personnel.

●● The delivery and holding area should be designed so that delivery staff cannot gain access from it to other parts of the building.

●● The external doors of a delivery or holding area should be closed when the internal one is open.

●● Incoming material should be inspected for potential hazards or threats before it is moved elsewhere or to the point of use.

●● Incoming material should, if appropriate, be registered on arrival.

●● Incoming and outgoing shipments should, where possible, be physically segregated.

Implementation of these measures can require significant reorganization of existing delivery facilities and procedures with potentially a significant capital expenditure on the physical set-up. The risk assessment should reflect the fact that as security controls are improved in other parts of the organization, so remaining vulnerabilities become more significant because they provide the few remaining ways in which unauthorized access to information can be gained. In other words, once an organization has started down the road to ISO27001, it should be thorough and complete the journey.

16

Equipment security

Control A.11.2 deals with equipment security. It says the organization should take steps to prevent loss, damage, theft or compromise of its assets and the consequential interruption to its activities. It is broken down into nine sub-clauses, each of which deals with aspects of equipment security and disposal.

Equipment siting and protection

Control A.11.2.1 requires equipment to be sited, or protected, in such a way that risks from environmental threats and hazards, or unauthorized access, are reduced. ISO27002 identifies a number of measures to be considered, including the following:

●● Equipment should be sited so as to minimize unnecessary, unauthorized access into work areas. For example, refreshment units or office machinery designed for use by visitors to premises should be sited within a designated and supervised public area; unauthorized personnel should not have to access secure offices in order to use these facilities. How visitors access toilets will need consideration. Clearly, if the only toilets are within a secure area, visitors will either have to be denied the use of them or will have to be escorted at all times! Doors to computer rooms should have, depending on the risk assessment, mechanisms for ensuring that they are kept shut and locked at all times, with any deviations notified on an alarm system.

●● Information processing and storage facilities handling sensitive data should be positioned so as to reduce the risk of being seen by members of the public while in use. This applies, for instance, to workstation monitors in a ground-floor office, where passers-by could look through a window and see what is on the screen. (Alternatively, windows could be screened.) This may not be relevant if the information that is likely to appear on the computer screen is not sensitive, but if it is, a simple solution might be the installation of window blinds. This would also apply to a wall or floor safe, in retail premises, which has been located so that it could be seen by a member of the public on the premises – it should be hidden in another room. Entrances to computer server rooms, and the security locks that protect them, should not be visible from the street, or through a window that would enable someone with a telescope potentially to see a code being input into a door lock. It all depends on the risk assessment; one should be carried out for each circumstance in which this control might need to be implemented and action then taken in the light of that assessment and in proportion to the risk identified. Decisions should, as usual, be documented.

●● Items requiring special protection should be isolated so as to reduce the general level of protection required. Only a risk assessment will establish what type of equipment falls into this category; it is clearly sensible that, for instance, the fuse board that controls the power into the computer server room should be sited away from public places and away from places that even authorized staff access on a regular basis. An opportunist thief passing an office containing a notebook that is docked at a workstation but not otherwise secured might find it difficult to resist the temptation to add the notebook to his or her
