Professional Documents
Culture Documents
Cybersecurity Policies
& Issues
EMCS-602
Spring
2020-2021
Physical &
Environmental Security
The slides are taken from the
book “Security Program and
Policies“, by Omar Santos.
Focus of This Session
Securing
Offices, Rooms,
How Is Physical and Facilities
Break
Access
Controlled?
How to Secure
the Site
Working in Secure Areas
Infrastructure
Security in the
Real World
The organization should establish formal policies and procedures related to background checks to delineate
the minimum standards for logical and physical access to your premises and infrastructure hosts
Conduct criminal background checks, as permitted by law, as part of pre-employment screening practices
for employees
The policies also identify functional responsibilities for the administration of physical access during working
hours and after hours (weekends and holidays)
Protecting Equipment
▪ 89% of companies
experienced a laptop
theft.
▪ 67% of laptop thefts
occurred at the office.
▪ Only 3% of stolen
laptops were recovered
https://www.cases.lu/physicalsec/articles/2019/01/22/PhysicalSecurity.html
47
What About Disposal?
▪ The data can be apparent, hidden, temporary, cached,
browser-based, or metadata:
▪ Apparent data files: The authorized users can view and
access
▪ Hidden files: The OS by design does not display
▪ Temporary files: Created to hold information temporarily
while a file is being created
▪ A web cache: The temporary storage of web documents, such
as HTML pages, images, and downloads
▪ A data cache: The temporary storage of data that has
recently been read and, in some cases, adjacent data areas
that are likely to be accessed next
Devices and media can be crushed, shredded, or, in the case of hard drives, drilled in several locations
perpendicular to the platters and penetrating clear through from top to bottom
It is common for organizations to outsource the destruction process, but the downside is that the
organization is transferring responsibility for protecting information
Selecting a destruction service is serious business, and thorough due diligence is in order
NIST Special Publication 800-88 Revision 1 mentions that destructive techniques also render a “device
purged when effectively applied to the appropriate media type, including incineration, shredding,
disintegrating, degaussing, and pulverizing.”
point
▪ The recovery statistics of stolen laptops is even worse, with
only 3% ever being recovered
▪ The statistics for mobile phones and tablets is even worse
▪ The cost of lost and stolen devices is significant
▪ Additional examples of things that are attractive to
thieves are modern portable media theft, such as thumb
or pen drives and SD cards
56
Computer science Department
Executive Master in Cyber Security
In-Class Activities
Discussion Questions
Discussion Questions
▪ Discussion Question 1
▪ Why would a business want critical information processing
facilities to be inconspicuous?
▪ Third-party data centers are not inconspicuous, so how do
businesses protect critical assets located in these places?
▪ Discussion Question 2
▪ Who poses a threat to a business’s physical and environmental
security?
Contact:
Email address:
-----@kau.edu.sa