Cybersecurity Policies & Issues: EMCS-602

Week (3) Session (1)
Computer science Department

Executive Master in Cyber Security
Cybersecurity Policies
& Issues
EMCS-602
Spring
2020-2021
Physical &
Environmental Security
The slides are taken from the
book “Security Program and
Policies“, by Omar Santos.
Focus of This Session
Securing
Offices, Rooms,
How Is Physical and Facilities
Break
Access
Controlled?
How to Secure
the Site
Working in Secure Areas
Week (3) Session (1) 2

Outline
How to Secure the Site
How Is Physical Access Controlled?
Securing Offices, Rooms, and Facilities
How Dangerous Is Fire?
What About Disposal?

Questions from previous lecture
▪ Which of the following statements best represents the most compelling reason to
have an employee version of the comprehensive cybersecurity policy?
A. Sections of the comprehensive policy may not be applicable to all employees
B. The comprehensive policy may include unknown acronyms
C. The comprehensive document may contain confidential information
D. The more understandable and relevant a policy is, the more likely users will positively
respond to it
▪ Information classification systems are used in which of the following organizations?
A. Government
B. Military
C. Financial institutions
D. All of the above
▪ A published job description for a web designer should not include which of
the following?
A. Job title
B. Salary range
C. Specifics about the web development tool the company is using
D. Company location


▪ All implemented controls to physically protect
information are dictated first by:
▪ Thorough analysis of the company’s risks and vulnerabilities
▪ Along with the value of the information that requires
protection
▪ From what are we protecting information assets?
▪ Theft
▪ Malicious destruction
▪ Accidental damage
▪ Damage that results from natural disasters

▪ The design of a secure site starts with the location
▪ Location-based threats that need to be evaluated:
▪ Political stability
▪ Susceptibility to terrorism
▪ Crime rate in the area
▪ Roadways and flight paths
▪ Utility stability
▪ Vulnerability to natural disasters
▪ Historical and predictive data can be used to establish
both criminal and natural disaster chronology for a
geographic area.
▪ Critical information processing facilities should be
inconspicuous and unremarkable
▪ Crime Prevention Through Environmental Design
(CPTED) has its basic premise that the proper design
and effective use of the physical environment can lead
to a reduction in the incidence and fear of crime
▪ CPTED is a psychological and sociological method of
looking at security based upon three constructs:
▪ People protect territory they feel is their own, and people
have a certain respect for the territory of others.
▪ Intruders do not want to be seen.
▪ Limiting access discourages intruders and/or marks them as
intruders.

▪ The International CPTED Association (ICA) is committed to
creating safer environments and improving the quality of life
through the use of CPTED principles and strategies
http://www.cpted.net
▪ The three elements to security are:

▪ Obstacles that deter trivial attackers and delay serious ones
▪ Detection systems that make it more likely that the attack
will be noticed
▪ A response capability to repel or catch attackers

▪ The physical perimeter can be protected using:
▪ Berms
▪ Fences
▪ Gates
▪ Bollards
▪ Man traps
▪ Illuminated entrances, exits, pathways, and parking areas
▪ Manned reception desk
▪ Cameras, closed-circuit TV, alarms, motion sensors
▪ Security guards

The Three Perimeters
• The Outer Perimeter: Securing this space involves controlling who can move
(walk, drive, fly) across the legal or physical line that marks this perimeter.
• The Inner Perimeter: This perimeter typically involves physical barriers such
as walls, doors, and windows, either exterior or interior, depending on the
context of the outer perimeter.
• The Interior: This is the innermost level of security and consists of the
interior of the building, office, cubicle, etc. that is surrounded by the inner and
outer perimeters.
Infrastructure
Security in the
Real World

Physical Security Perimeter Policy

How Is Physical Access

Controlled?
▪ It needs to consider the following:
▪ Physical entry and exit controls
▪ What does it take to get in and out?
▪ How is trouble detected and reported?
▪ Depending on the site and level of security required, a
plethora of access controls are available
▪ Cameras ▪ Security guards
▪ Metal detectors ▪ Mantraps
▪ Fire-resistant exterior walls that ▪ Barriers
are solid and heavy ▪ Locks
▪ Unbreakable/ shatterproof glass ▪ Biometric scanners

▪ The biggest challenges are:
▪ Authorizing Entry
▪ Background Checks
▪ Securing Offices, Rooms, and Facilities
▪ Working in Secure Areas
▪ Ensuring Clear Desks and Clear Screens

Authorizing Entry and

Background Checks
Authorizing Entry
▪ Tailgating is one of the most common physical security
challenges of all time
▪ A number of visitor management systems facilitate ID
scanning and verification, photo storage, credentialing,
check in and check out, notifications, and monitoring
▪ You can install the most advanced security system in
the industry, but your security measures will fail if
your employees are not educated about the associated
security risks
▪ You need to create a secure building culture and good
security awareness campaigns
Authorizing Entry
▪ Physical entry controls
▪ Access control rules should be designed for:
▪ Employees
▪ Third-party contractors/partners/vendors
▪ Visitors
▪ Access to all nonpublic company locations will be restricted to
authorized persons only
▪ The Office of Human Resources is responsible for providing
access credentials to employees and contractors
▪ The Office of Facilities Management is responsible for
visitor identification, providing access credentials, and
monitoring access

Authorizing Entry
▪ Physical entry controls
▪ Visitors should be required to wear identification that can be
evaluated from a distance, such as a badge
▪ All visitor management activities will be documented.
▪ Employees and contractors are required to visibly display
identification in all company locations.
▪ Visitors are required to display identification in all nonpublic
company locations.
▪ Visitors are to be escorted at all times.
▪ All personnel must be trained to immediately report
unescorted visitors.

Background Checks
The organization should establish formal policies and procedures related to background checks to delineate
the minimum standards for logical and physical access to your premises and infrastructure hosts
Conduct criminal background checks, as permitted by law, as part of pre-employment screening practices
for employees
The policies also identify functional responsibilities for the administration of physical access during working
hours and after hours (weekends and holidays)

Physical Security Controls (601 CyberStrategy)

Physical Security Controls (601 CyberStrategy)

Physical Entry Controls Policy

Securing Offices, Rooms, and

Facilities
▪ The outer physical perimeter is not the only focus of the
physical security policy
▪ Workspaces should be classified based on the level of
protection required. The classification system should
address:
▪ Personnel security
▪ Information systems security
▪ Document security
▪ Some internal rooms and offices must be protected
differently
▪ Parts of individual rooms may also require different
levels of protection, such as cabinets and closets
▪ The security controls must take into consideration
workplace violence, intentional crime, and environmental
hazards.
▪ Secure design controls for spaces within a building
include:
▪ Structural protection, such as full-height walls, fireproof
ceilings, and restricted vent access
▪ Alarmed solid, fireproof, lockable, and observable doors
▪ Alarmed locking, unbreakable windows
▪ Monitored and recorded entry controls (keypad, biometric,
card swipe)
▪ Monitored and recorded activity

Workspace Classification


▪ It is not enough to just physically secure an area
▪ Close attention must be paid to who is allowed to access the area
and what they are allowed to do
▪ Goal: Define behavioral and physical controls for the most sensitive
workspaces within information processing facilities
▪ Access control lists should be reviewed frequently.
▪ If the area is continually monitored, there should be guidelines
specifying what is considered “suspicious” activity.
▪ If the area is videoed and not continually monitored, then there
should be documented procedures regarding how often and by
whom the video should be reviewed.
▪ Depending on the circumstances, it may be prudent to restrict
cameras or recording devices, including smartphones, tablets, and
USB drives, from being taken into the area.

Ensuring Clear Desks and Clear

Screens
Ensuring Clear Desks and Clear Screens
▪ Documents containing protected and confidential
information are subject to intentional or accidental
unauthorized disclosure unless secured from viewing by
unauthorized personnel when not in use.
▪ The same holds true for computer screens.
▪ Companies have a responsibility to protect physical and
digital information both during the workday and during
nonbusiness hours.

Ensuring Clear Desks and Clear Screens

We will come back
After (10) minutes

Protecting Equipment
▪ 89% of companies
experienced a laptop
theft.
▪ 67% of laptop thefts
occurred at the office.
▪ Only 3% of stolen
laptops were recovered
https://www.cases.lu/physicalsec/articles/2019/01/22/PhysicalSecurity.html

Protecting Equipment
▪ Both company and employee-owned equipment should be
protected
▪ Hardware assets must be protected from:
▪ Unauthorized access
▪ Theft
▪ Damage
▪ Destruction

Protecting Equipment- Power Protection
▪ All information systems rely on clean, consistent, and
abundant supplies of electrical power
▪ can be very expensive, and excessive use has an
environmental and geopolitical impact
▪ One way to reduce power consumption is to purchase
Energy Star certified devices

▪ Potential power problems include:
▪ Brownout: Prolonged Period of low voltage (Minuets or
hours)
▪ Sag: Momentary low voltage (Seconds or less)
▪ Power surge: Prolonged increase in voltage (Minuets or
hours)
▪ Power spike: Momentary increase in voltage (Seconds or
less)
▪ Blackout: Prolonged Period of power loss (Hours or days)
▪ fault.: Momentary loss of power(Seconds or minuets )

▪ Common causes of voltage variation include:
▪ Lightning
▪ Trees, birds, or animals
▪ Vehicles striking poles or equipment
▪ Load changes or equipment failure on the network
▪ Heat waves can also contribute to power interruptions
because the demand in electricity (that is, air conditioners)
can sometimes exceed supply.
▪ The variation may be minor or significant.

▪ Power equipment that can be used:
▪ Uninterruptible Power Supply
▪ Back-up power supplies
▪ Power conditioners
▪ Voltage regulators
▪ Isolation transformers
▪ Line filters
▪ Surge protection equipment



▪ Three elements to fire protection
▪ Fire prevention controls
▪ Active
▪ Passive
▪ Fire detection
▪ Fire containment and suppression
▪ Involves responding to the fire
▪ Specific to file classification
▪ Class A
▪ Class B
▪ Class C
▪ Class D

▪ Fire Classification
▪ Class A
▪ Fire with combustible materials as its fuel source, such as wood, cloth,
paper, rubber, and many plastics
▪ Class B
▪ Fire in flammable liquids, oils, greases, tars, oil-based paints, lacquers,
and flammable gases
▪ Class C
▪ Fire that involves electrical equipment
▪ Class D
▪ Combustibles that involve metals


47
▪ The data can be apparent, hidden, temporary, cached,
browser-based, or metadata:
▪ Apparent data files: The authorized users can view and
access
▪ Hidden files: The OS by design does not display
▪ Temporary files: Created to hold information temporarily
while a file is being created
▪ A web cache: The temporary storage of web documents, such
as HTML pages, images, and downloads
▪ A data cache: The temporary storage of data that has
recently been read and, in some cases, adjacent data areas
that are likely to be accessed next

▪ The data can be apparent, hidden, temporary, cached,
browser-based, or metadata:
▪ Browser-based data includes the following items:
▪ Browsing history: The list of sites visited
▪ Download history: The list of files downloaded
▪ Form history: Includes the items entered into web page forms
▪ Search bar history: Includes items entered into the search engines
▪ Cookies: Store information about websites visited, such as site
preferences and login status
▪ Metadata: Details about a file that describes or identifies it,
such as title, author name, subject, and keywords that
identify the document’s topic or contents.

▪ Removing Data from Drives
▪ Deleting (or trashing) a file removes the operating system
pointer to the file.
▪ Formatting a disk erases the operating system address tables.
▪ In both cases, the files still reside on the hard drive, and
system recovery software can be used to restore the data.
▪ NIST Special Publication 800-88 Revision 1 defines data
destruction as “the result of actions taken to ensure that
media cannot be reused as originally intended and that
information is virtually impossible to recover or prohibitively
expensive”

▪ Two methods of permanently removing data from a drive—disk
wiping (also known as scrubbing) and degaussing
▪ Disk wiping
▪ Process of overwrite the master boot record (MBR), partition table,
and every sector of the hard drive with the numerals 0 and 1 several
times
▪ Then the drive is formatted
▪ The more times the disk is overwritten and formatted, the more
secure the disk wipe is
▪ The government medium security standard (DoD 5220.22-M) specifies
three iterations to completely overwrite a hard drive six times.

▪ Two methods of permanently removing data from a drive—disk
wiping (also known as scrubbing) and degaussing
▪ Disk Degaussing
▪ Process wherein a magnetic object, such as a computer tape, hard disk
drive, or CRT monitor, is exposed to a magnetic field of greater,
fluctuating intensity
▪ The National Security Agency (NSA) approves powerful degaussers
that meet their specific standards and that in many cases utilize the
latest technology for top-secret erasure levels
▪ Cryptographic Erase
▪ Technique that uses the encryption of target data by enabling
sanitization of the target data’s encryption key

▪ Destroying Materials
Devices and media can be crushed, shredded, or, in the case of hard drives, drilled in several locations
perpendicular to the platters and penetrating clear through from top to bottom
It is common for organizations to outsource the destruction process, but the downside is that the
organization is transferring responsibility for protecting information
Selecting a destruction service is serious business, and thorough due diligence is in order
NIST Special Publication 800-88 Revision 1 mentions that destructive techniques also render a “device
purged when effectively applied to the appropriate media type, including incineration, shredding,
disintegrating, degaussing, and pulverizing.”


Stop, Thief!
▪ According to the Federal Bureau of Investigation (FBI)
▪ On average, a laptop is stolen every 53 seconds
▪ One in ten individuals will have their laptop stolen at some
2017 Global CODB Report Final 3 (ibm.com)
point
▪ The recovery statistics of stolen laptops is even worse, with
only 3% ever being recovered
▪ The statistics for mobile phones and tablets is even worse
▪ The cost of lost and stolen devices is significant
▪ Additional examples of things that are attractive to
thieves are modern portable media theft, such as thumb
or pen drives and SD cards

2017 Global CODB Report Final 3 (ibm.com)

Stop, Thief!
56
In-Class Activities
Discussion Questions
Discussion Questions
▪ Discussion Question 1
▪ Why would a business want critical information processing
facilities to be inconspicuous?
▪ Third-party data centers are not inconspicuous, so how do
businesses protect critical assets located in these places?
▪ Discussion Question 2
▪ Who poses a threat to a business’s physical and environmental
security?

Summary
▪ The objective of physical and environmental security is
to prevent unauthorized access, damage, and
interference to business premises and equipment.
▪ The three elements to security
▪ Obstacles that deter trivial attackers and delay serious ones
▪ Detection systems that make it more likely that the attack
will be noticed
▪ Response capability to repel or catch attackers
▪ Securing starting at the perimeter, moving inside the
building, classifying Workspaces and areas, protecting
equipment from damage.

Summary
▪ It is important to permanently remove data before
handing down, recycling, or discarding devices
▪ DoD-approved disk-wiping software or a degaussing
process can be used to permanently remove data
▪ The most secure method of disposal is destruction, which
renders the device and/or the media unreadable and
unusable
▪ Mobile devices that store, process, or transmit company
data are the newest challenge to physical security
▪ The detection, investigation, notification, and after-the-
fact response cost of a lost or stolen mobile device is
astronomical
Summary
▪ Physical and environmental security policies include
▪ perimeter security,
▪ Entry controls
▪ Workspace classification
▪ Working in secure areas
▪ Clean desk and clean screen,
▪ Power consumption
▪ Data center and communications facilities environmental
safeguards
▪ Secure disposal
▪ Mobile device and media security

Building: 61
Room:
Contact:
Email address:
-----@kau.edu.sa

Cybersecurity Policies & Issues: EMCS-602

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cybersecurity Policies & Issues: EMCS-602

Uploaded by

Copyright:

Available Formats

Week (3) Session (1)

Computer science Department

Week (3) Session (1) 2

How Is Physical Access Controlled?

Securing Offices, Rooms, and Facilities

Working in Secure Areas

How Dangerous Is Fire?

What About Disposal?

Week (3) Session (1) 3

Week (3) Session (1) 4

How to Secure the Site

Week (3) Session (1) 6

Week (3) Session (1) 8

▪ The three elements to security are:

Week (3) Session (1) 9

Week (3) Session (1) 10

Week (3) Session (1) 11

Week (3) Session (1) 12

How Is Physical Access

Week (3) Session (1) 14

Week (3) Session (1) 15

Authorizing Entry and

Week (3) Session (1) 18

Week (3) Session (1) 19

Week (3) Session (1) 20

Week (3) Session (1) 21

Week (3) Session (1) 22

Week (3) Session (1) 23

Securing Offices, Rooms, and

Week (3) Session (1) 26

Week (3) Session (1) 27

Working in Secure Areas

Week (3) Session (1) 30

Ensuring Clear Desks and Clear

Week (3) Session (1) 32

Week (3) Session (1) 33

Week (3) Session (1)

Week (3) Session (1) 36

Week (3) Session (1) 37

Week (3) Session (1) 38

Week (3) Session (1) 39

Week (3) Session (1) 40

Week (3) Session (1) 41

Week (3) Session (1) 42

How Dangerous Is Fire?

Week (3) Session (1) 44

Week (3) Session (1) 45

Week (3) Session (1) 46

What About Disposal?

Week (3) Session (1) 48

Week (3) Session (1) 49

Week (3) Session (1) 50

Week (3) Session (1) 51

Week (3) Session (1) 52

Week (3) Session (1) 53

Week (3) Session (1) 54

Week (3) Session (1) 55

Week (3) Session (1)

Week (3) Session (1) 58

Week (3) Session (1) 59

Week (3) Session (1) 61

You might also like