Physical Security (IT Security Cookbook)
This document is not designed for a detailed study of physical security; however, a brief summary of computer-related issues is given here.
- Zones should be defined, for example:
- Zone 1: Areas open to the public.
- Zone 2: Areas not open to the public, open to company staff.
- Zone 3: Protected areas. Only accessible with identification, access strictly controlled. Don't allow externals unaccompanied access.
- Buildings should always be locked, except for access via a reception area during office hours.
- Public areas shouldn't have any computers with access to the internal Data Network, unless through a Firewall.
- Server rooms must be locked, if possible with electronic card access (Audit list) (for class 3).
- Consider protecting sensitive computers against Van Eck radiation (for class 3).
- Consider protecting systems against Electromagnetic Pulses.
- Server rooms must be locked, with electronic card access (Audit list). Very few people should have access (for class 4).
- Buildings must be monitored 24 hrs x 7 days by security personnel (for class 4).
- Access to server rooms should be recorded on Video (for class 4).
- Contingency plans should exist which cover events such as power cuts, theft, fire, flooding, explosions, earthquakes (where necessary) etc (for class 3).
2. Transport of Data
What is the company policy on the use of public, private and company transport with respect to the transport of information (paper, diskettes, disks, tapes, computers, ...)?
- Backup media should be stored in locked safes or locked rooms (for class 3).
- Regular backups (at least once per month) should be stored off site (for class 3).
- Backups should only be transported by secure methods (like money transport) (for class 3).
Floppy and removable disks are often a source of viruses and illegal software (as is email). They may also be used to illegally copy confidential data. When data is erased from diskettes, it must be completely erased (a standard product should be recommended for PCs). Floppy drives are rarely needed when users have reliable networked printers, file servers and email available.
- Removable hard disks and floppy disks should only be used where absolutely necessary (for class 1).
- Avoid copying data to floppy disk (for class 3).
- Floppy drives should be removed, unless the internal network is considered too insecure. Removable disks can be more secure than using a network server since all data is kept locally. In this case disks must be kept carefully in a locked safe (for class 3).
- Confidential data should be encrypted. If the network server is not considered secure enough, files may be processed locally, encrypted (using DES for example) and then saved on the network server. This is preferable to the use of removable disks since regular backups will be made. The risk of losing data is minimised (unless the DES key is lost or forgotten) (for class 4).
- Forbid repair of confidential disks: they must be destroyed unless it is 100% sure that the disk has been written with nulls or 1s. Products which promise this feature presumably require that the disk can still be accessed (for class 3).
- All disks should be classified and the classification level should be written on the disks (for class 3).
- Consider protecting media against Electromagnetic Pulses.
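The overwrite condition in the disk-repair rule above (and the "completely erased" requirement for diskettes) can be checked by reading the medium back before it leaves the secure area. The following is an added example, not part of the original cookbook: it assumes the disk or its image can be read as a file, accepts only one uniform fill (all 0x00 or all 0xFF), and treats an empty or unreadable device as unverified; the function names and sample images are constructed for illustration.

```python
import io

FLOPPY_BYTES = 1_474_560        # 1.44 MB diskette image size (constructed sample)
ALLOWED_FILLS = (0x00, 0xFF)    # "nulls or 1s"

def verify_wiped(stream, chunk_size=1 << 20):
    """Return (ok, fill, offset) for a binary stream.

    ok     -- True only if at least one byte was read and every byte equals
              the same fill value (0x00 or 0xFF).
    fill   -- fill byte detected from the first byte, or None.
    offset -- first offending byte when ok is False, else bytes checked.
    """
    fill, offset = None, 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if fill is None:
            if chunk[0] not in ALLOWED_FILLS:
                return False, None, offset
            fill = chunk[0]
        if chunk.count(fill) != len(chunk):          # residue in this chunk
            bad = next(i for i, b in enumerate(chunk) if b != fill)
            return False, fill, offset + bad
        offset += len(chunk)
    return offset > 0, fill, offset                  # empty read = unverified

def verify_path(path):
    """Check a device node or image file; a read error means 'not verified'."""
    try:
        with open(path, "rb", buffering=0) as dev:
            return verify_wiped(dev)
    except OSError:
        return False, None, 0

def sample_image(fill, residue_at=None):
    """Constructed test image: uniform fill, optional leftover data."""
    data = bytearray([fill]) * FLOPPY_BYTES
    if residue_at is not None:
        data[residue_at:residue_at + 6] = b"SECRET"
    return io.BytesIO(bytes(data))

if __name__ == "__main__":
    for name, img in [("zero-filled", sample_image(0x00)),
                      ("one-filled", sample_image(0xFF)),
                      ("residue", sample_image(0x00, residue_at=737_280))]:
        ok, fill, offset = verify_wiped(img)
        print(f"{name}: {'PASS' if ok else 'FAIL, destroy'} fill={fill} offset={offset}")
```

A pass covers only the sectors the drive still exposes to the host, so a disk that cannot be read end to end stays in the "destroy" category.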
5. Laptops / mobile computers
- Protect (encrypt) laptop hard disks or individual files/directories (a standard software product should be defined) (for class 3).
- Only printers in directors' offices or restricted access rooms should be used for printing confidential information (for class 3).
- EPROM passwords should be used on PCs and workstations (for class 2).
- Screens not used for 15 min should be blanked automatically with password protection (for class 2).
- Computer housings should be locked if possible (for class 3).
The principle of a «clean desk» each evening when an employee leaves his place of work is used by many corporations. It ensures that confidential data is not made available to (for example) cleaning personnel and encourages methodical management of one's workspace. Confidential information should always be under lock and key.
- This is, however, sometimes a difficult policy to implement in development departments, due to the mindset of creative personalities.