Posted on 28-Mar-2015
Physical & Personnel Security
Physical Security
Personnel Security
CISA Review Manual 2009
Acknowledgments
Material is from: CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.
CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J. Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers: Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
The students should be able to:
• Define power failures: blackout, brownout, sags, spikes & surges, electromagnetic interference (EMI)
• Define protections against power failures: surge protector, universal power supply (UPS), alternate power generators
• Define and describe mediums for Fire Suppression Systems: dry pipe, charged, FM200, Argonite
• Define physical access controls: biometric door locks, bolting, deadman doors
• Describe the relationship between deadman door and piggybacking
• Define and describe security awareness, security training, security education, segregation of duties
Remember Data Criticality Classification?
Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low
Vital $$: Can be performed manually for very short time
Sensitive $: Can be performed manually for a period of time, but may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
… and Sensitivity Classification? (Example)
• Confidential: Strategic Plan
• Private: Salary & Health Info
• Internal: Product Plans near Release
• Public: Product User's Manual
Security: Defense in Depth
• Border router
• Perimeter firewall
• Internal firewall
• Intrusion Detection System
• Policies & procedures & audits
• Authentication
• Access controls
Defense in Depth: Physical access controls with Guards
• Not advertising location of sensitive facilities
• Controlled single entry point & barred windows
• Security guards, manual logging & photo ID badges
• Bonded personnel
• Controlled visitor access
• Video cameras & alarm system
• Locked workstations
Which controls are Preventive? Reactive? Corrective?
Physical Issues and Controls
• Mobile computing
• Power protection
• Fire suppression
• Door locks & security
• IPF environment
Power Protection Systems
• Blackout: Total loss of power
• Brownout: Reduced, nonstandard power levels may cause damage
• Sags, spikes & surges: Temporary changes in power level (sag = drop) may cause damage
• Electromagnetic Interference (EMI): Fluctuations in power due to electrical storms or electrical equipment may cause computer crash or damage
Protection by outage duration (from the slide diagram):
• < x ms: Surge protector
• < 30 minutes: UPS (Universal Power Supply)
• Hours or days: Alternate power generators
Computer Room Equipped with…
• Water detector: Placed under raised floors. Risk of electric shock; training necessary. Location of water detectors marked on floor.
• Manual fire alarm: Placed throughout facility
• Smoke detectors: Above & below ceiling tiles, below room floor
• Emergency power-off switch: Turns off power to all equipment
• Fire extinguishers: At strategic locations; tagged & inspected annually
• Alarms should sound locally, at the monitored guard station, and preferably at the fire dept.
IPF Environment
• Computer room on middle floor
• Fire department inspects room annually
• Fire-resistant walls, floor, ceiling, furniture, electrical panel & conduit
• Two-hour fire resistance rating for walls
• Emergency power-off switch: Panel in and outside room
• Redundant power lines reduce risk of environmental hazards
• Surge protectors & UPS
• No smoking, food or water in IPF
• Audit: Observe some, request documentation, may test batteries and handheld fire extinguishers, ensure fire suppression system is to code
Fire Suppression Systems
Types (from the slide diagram):
• Water sprinkler: Charged, Dry pipe
• Gas, dangerous: Halon, Carbon Dioxide
• Gas, enviro-friendly: FM-200, Argonite
Water sprinkler systems cause water damage when dispersed. Charged pipes contain water and can break or leak.
Gas systems do not damage equipment during fire. Dangerous systems replace oxygen with another gas, and need lead time for people to exit. Halon was banned due to damage to the ozone layer.
FM-200 cools equipment down, lowering combustion probability. Enviro-friendly systems are safer to humans and do not damage equipment.
Door Lock Systems
Door lock types (from the slide diagram): Biometric (eye), Electronic (key), Combination (e.g., 3-6-4), Bolting
Which systems…
• Enable electronic logging to track who entered at which times?
• Can prevent entry by time of day to particular persons?
• Are prone to error, theft, or impersonation?
• Are expensive to install & maintain?
Which system do you think is best?
Deadman Doors
Double set of doors: only one can be open at a time
One person permitted in holding area
Reduces risk of piggybacking: unauthorized person follows authorized person into restricted area
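The two door-control ideas on these slides, an electronic lock that logs entries and restricts them by time of day, and a deadman door whose interlock keeps a second person from following the first, can be written down as small state machines. The following is an added example, not code from the slides or from ISACA; the badge ids, the 7 AM to 5 PM weekday schedule (mirroring the workbook's "doors locked between 5 PM and 7 AM, and weekends"), and the timestamps are constructed for illustration.

```python
"""Added example (not from the slides): a model of an electronic key-card
door with per-person time-of-day rules and an entry log, plus a deadman-door
interlock that blocks piggybacking.  Badge ids, hours and timestamps are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AccessRule:
    """Hours during which a badge may enter (start inclusive, end exclusive)."""
    start: time
    end: time
    weekdays_only: bool = True

    def allows(self, when: datetime) -> bool:
        if self.weekdays_only and when.weekday() >= 5:   # Saturday=5, Sunday=6
            return False
        return self.start <= when.time() < self.end


@dataclass
class KeyCardDoor:
    """Electronic lock: decides per badge and time, and logs every attempt."""
    room: str
    rules: dict                       # badge id -> AccessRule
    log: list = field(default_factory=list)

    def request_entry(self, badge: str, when: datetime) -> bool:
        rule = self.rules.get(badge)  # unknown badge -> no rule -> denied
        granted = rule is not None and rule.allows(when)
        self.log.append((when.isoformat(timespec="minutes"), badge, self.room,
                         "granted" if granted else "denied"))
        return granted


class DeadmanDoor:
    """Double set of doors: only one can be open at a time, and the holding
    area admits one person, so a second person cannot follow the first."""

    def __init__(self) -> None:
        self.open_door = None         # None, "outer" or "inner"
        self.in_holding = 0

    def open(self, door: str) -> bool:
        if self.open_door not in (None, door):   # interlock: the other door is open
            return False
        self.open_door = door
        return True

    def close(self) -> None:
        self.open_door = None

    def step_in(self) -> bool:
        """A person steps from outside into the holding area."""
        if self.open_door != "outer" or self.in_holding >= 1:
            return False              # area already occupied: piggybacking blocked
        self.in_holding += 1
        return True

    def step_through(self) -> bool:
        """The person in the holding area passes into the restricted area."""
        if self.open_door != "inner" or self.in_holding != 1:
            return False
        self.in_holding -= 1
        return True


def keycard_demo() -> list:
    """Constructed badge attempts against a 7 AM - 5 PM weekday rule."""
    door = KeyCardDoor("Rm 132", {"B-1001": AccessRule(time(7), time(17))})
    door.request_entry("B-1001", datetime(2015, 3, 30, 9, 0))    # Monday 09:00
    door.request_entry("B-1001", datetime(2015, 3, 30, 18, 30))  # Monday 18:30, after hours
    door.request_entry("B-1001", datetime(2015, 3, 28, 10, 0))   # Saturday
    door.request_entry("B-9999", datetime(2015, 3, 30, 9, 0))    # unregistered badge
    return door.log


def piggyback_demo() -> list:
    """One person enters; a second tries to follow before the outer door
    closes.  Returns the outcome of each step."""
    d = DeadmanDoor()
    outcomes = []
    outcomes.append(d.open("outer"))      # True
    outcomes.append(d.step_in())          # True: first person enters holding area
    outcomes.append(d.step_in())          # False: second person refused
    outcomes.append(d.open("inner"))      # False: outer door still open
    d.close()
    outcomes.append(d.open("inner"))      # True: outer closed, inner may open
    outcomes.append(d.step_through())     # True: one person passes through
    return outcomes


if __name__ == "__main__":
    for entry in keycard_demo():
        print(entry)
    print(piggyback_demo())
```

The entry log is what makes the electronic lock auditable: every attempt, granted or denied, is recorded with badge, room and time, which is the property the slide's first question asks about. The deadman door enforces its rule by refusing the second step_in while the holding area is occupied and by refusing to open the inner door while the outer one is open.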
Computers in Public Places
Logical protections:
• Imaged computers: No client storage for programs and/or data
• Antivirus / antispyware: Protects users from each other
• Web filters: Avoid pornography, violence, adult content
• Login/passwords: If privileged clientele allowed
• Firewall protection from rest of organization
Physical locks
Mobile Computing
• Engrave a serial number and company name/logo on laptop using engraver or tamper-resistant tags
• Back up critical/sensitive data
• Use cable locking system
• Encrypt sensitive files
• Allocate passwords to individual files. Consider: what if the password is forgotten or the person leaves the company…?
• Establish a theft response team for when a laptop is stolen
• Report loss of laptop to police
• Determine effect of lost or compromised data on company, clients, third parties
Device Security
PDAs:
• Approved & registered
• Configuration: controlled, licensed, & tested S/W
• Encryption
• Antivirus
• Training & due care (including camera use)
• Easily misplaced
Flash & mini hard drives: Banned and USB disabled, OR encrypt all data
Workbook: Physical Security
Room Classifications
Sensitivity Class. | Description | Special Treatment
Confidential | Room contains Confidential info. storage or server | Guard key entry. Badge must be visible. Visitors must be escorted.
Privileged | Room contains computer equipment or controlled substances | Computers are physically secured using cable locking system. Doors locked between 5 PM and 7 AM, and weekends unless class in session.
Physical Workbook: Criticality Table
Criticality Class. | Description | Special Treatment (Controls related to Availability)
Critical | Room contains Critical computing resources, which cannot be performed manually. | Availability controls include: temperature control, UPS, smoke detector, fire suppressant.
Vital | Room contains Vital computing resources, which can be performed manually for a short time. | Availability controls include: surge protector, temperature control, fire extinguisher.
Workbook: Physical Security
Physical Security map (diagram not reproduced: Lobby; Rm 123, 124, 125, 128, 129, 130; Rm 132 Comp. Facility)
Criticality Classification (Availability): Rm 132: Critical; Rm 124, 125, 128, 129: Vital
Sensitivity Classification: Black: Confidential; Gray: Privileged; Light: Public
Workbook: Physical Security
Allocation of Assets
Room | Sensitivity & Crit. Class | Sensitive Assets or Info. | Room Controls
Rm 123 | Privileged, Vital | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9PM-8AM by security.
Rm 125 | Privileged, Vital | Classroom: Computer & projector | Cable locking system. Teachers have keys to door.
Rm 132 | Confidential, Critical | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required.
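The workbook tables give, per sensitivity class and per criticality class, the controls a room must have, and the allocation table records what each room actually has. The audit step on the IPF slide ("observe some, request documentation") is a comparison of the two. The following is an added example, not part of the workbook or of ISACA's material: the required-control sets are taken from the two classification tables above, while the room inventory and the control tag names are constructed for illustration.

```python
"""Added example (not part of the workbook): audit a room inventory against
the controls the classification tables call for.  Required-control sets
follow the workbook tables; room entries and control tag names are
constructed for illustration."""

# Special treatment per sensitivity class (Room Classifications table)
REQUIRED_BY_SENSITIVITY = {
    "Confidential": {"guard key entry", "visible badge", "escorted visitors"},
    "Privileged": {"cable locking system", "doors locked after hours"},
}
# Availability controls per criticality class (Criticality Table)
REQUIRED_BY_CRITICALITY = {
    "Critical": {"temperature control", "UPS", "smoke detector", "fire suppressant"},
    "Vital": {"surge protector", "temperature control", "fire extinguisher"},
}


def required_controls(sensitivity: str, criticality: str) -> set:
    """A room must satisfy both its sensitivity and its criticality class."""
    return (REQUIRED_BY_SENSITIVITY.get(sensitivity, set())
            | REQUIRED_BY_CRITICALITY.get(criticality, set()))


def audit_rooms(rooms: list) -> dict:
    """Return {room name: sorted list of missing controls} for each room.
    Tags must use the same vocabulary as the requirement tables; a control
    recorded under another name (e.g. 'key-card entry log') is reported as
    missing and has to be reconciled by the auditor."""
    report = {}
    for room in rooms:
        needed = required_controls(room["sensitivity"], room["criticality"])
        report[room["name"]] = sorted(needed - set(room["controls"]))
    return report


def rooms_with_gaps(report: dict) -> list:
    """Names of rooms that fail the audit, most gaps first."""
    return [name for name, missing in
            sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])) if missing]


# Constructed inventory, loosely following the workbook's allocation of assets
ROOMS = [
    {"name": "Rm 123", "sensitivity": "Privileged", "criticality": "Vital",
     "controls": {"cable locking system", "doors locked after hours", "surge protector",
                  "temperature control", "fire extinguisher"}},
    {"name": "Rm 125", "sensitivity": "Privileged", "criticality": "Vital",
     "controls": {"cable locking system", "surge protector", "temperature control"}},
    {"name": "Rm 132", "sensitivity": "Confidential", "criticality": "Critical",
     "controls": {"key-card entry log", "visible badge", "UPS", "smoke detector",
                  "temperature control"}},
]


if __name__ == "__main__":
    report = audit_rooms(ROOMS)
    for name in rooms_with_gaps(report):
        print(name, "missing:", ", ".join(report[name]))
```

Because a room carries both classifications, the requirement set is the union of the two tables; the Critical/Confidential server room therefore has the longest checklist, and it is the room that surfaces first in the gap list.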
Summary of Physical Controls
Physical access control: Walls, doors, locks; Badges, smart cards; Biometrics; Security cameras & guards; Fences, lighting, sensors; Cable locking system; Computer screen hoods
Environmental controls: Backup power; Air conditioning; Fire suppressant
Secure procedures: Engraved serial numbers; Locked files, desks; Clean desk; Paper shredders; Locking screensaver; Locked doors at night
Question
A Fire Suppression system that is environmentally friendly, is not lethal, and does not damage equipment is:
1. Dry Pipe
2. Halon
3. Charged
4. FM-200
Question
The best way to prevent piggybacking into secured areas is:
1. Deadman door
2. Bolting door
3. Guard
4. Camera
Question
A surge protector is the best protection against
1. Electromagnetic interference
2. Loss of power for 10-30 minutes
3. A blackout
4. Sags and spikes
Question
To eliminate problems with incomplete transactions during a sudden power failure, Joe has decided that some form of temporary power supply is necessary to ensure a graceful shut down. The best option for Joe is:
1. UPS
2. Surge protector
3. Alternate power generator
4. Battery supply
Personnel Security
Auditors check for both Physical and Personnel Security too…
Workbook: Personnel Security
Personnel Threats
Threat | Role | Liability or Cost if threat occurs
Divulging private info | Employee | FERPA violation = loss of federal funds
Grant abuse | Employee with grant | Loss of funds from US granting agencies
Security Awareness & Training
• Training covers what is expected of employees: Why is policy in place? How is policy enforced?
• Training may be implemented as: new employee orientation, company newsletters
• Determine effectiveness by interviewing employees
Awareness Function: Types of Security Training
Awareness:
• Create security-conscious workforce
• Employees, partners & vendors
• Newsletters, surveys, quizzes, video training, forums, posters
Training:
• Necessary skills for a particular position
• HR, legal, middle or top mgmt, IT, programmers
• Workshops, conferences
Education:
• High level skills
• High-skilled professions: audit, security admin/mgmt, risk mgmt…
• Organized and gradual development: teaching & coaching
Awareness Training
Signed employment agreements, video, memos, emails, posters, seminars and training classes: a combination of parallel approaches.
Knowledge areas:
• Back up work-related files
• Choosing passwords and avoiding exposure
• Avoiding email and web viruses
• Recognizing social engineers
• Recognizing & reporting security incidents
• Securing electronic & paper media against theft & exposure
• Spotting malware that could lead to identity theft & desktop spying
Metrics should be established to determine effectiveness of change in behavior and workforce attitude.
Segregation of Duties
Transaction stages (from the slide diagram): Origination; Verification (double-checks); Authorization (approves); Distribution (acts on)
Organizational Segregation of Duties
Roles in the diagram: Development, System/Network Admin, Business, Audit, Security/Compliance, Quality Control
Relationships shown: advises; delivers S/W to; serves; tests or ensures quality of S/W or production; advises & monitors for security; ensures procedures are professionally done
IT Segregation of Duties
• Development environment: Application programmer, Systems programmer
• Production environment: Computer operator, System administrator, Network administrator, Help desk
• Test environment: Quality assurance
• Security control group: Security admin
• Requirements/Design: Systems analyst, Database administrator
• User: End user, Data entry
Segregation of Duties Controls
• Transaction authorization
• Custody of assets
• Data owner's responsibility is specific and documented; allocates authorization according to least-privilege and segregation of duties
• Security administrator implements physical, system & application security
• Authorization forms
• User authorization tables: who can view/update/delete data, at transaction or field level
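The user authorization table on this slide and the four transaction stages on the Segregation of Duties slide (origination, verification, authorization, distribution) are both things an auditor can check mechanically: the table says who may touch which field, and the application transaction log shows whether one person actually performed more than one stage. The following is an added example, not code from the slides or from ISACA; the users, roles, invoice fields, the conflicting role pair and the transaction records are all constructed for illustration.

```python
"""Added example (not from the slides): a field-level user authorization
table plus two segregation-of-duties checks, one over role assignments and
one over application transaction records.  Users, roles, fields, conflict
pairs and transaction records are constructed for illustration."""
from collections import defaultdict

# User authorization table: role -> {(table, field): allowed actions}
AUTHZ = {
    "data_entry": {("invoice", "amount"): {"view", "update"},
                   ("invoice", "vendor"): {"view", "update"}},
    "approver":   {("invoice", "amount"): {"view"},
                   ("invoice", "vendor"): {"view"},
                   ("invoice", "approved"): {"view", "update"}},
    "auditor":    {("invoice", "amount"): {"view"},
                   ("invoice", "vendor"): {"view"},
                   ("invoice", "approved"): {"view"}},
}
USER_ROLES = {
    "alice": {"data_entry"},
    "bob": {"approver"},
    "carol": {"data_entry", "approver"},   # conflicting combination, planted on purpose
    "dave": {"auditor"},
}
# Role pairs one person must not hold together (constructed for the example)
CONFLICTS = {("data_entry", "approver")}
# Transaction stages from the slide: each should be performed by a different person
STAGES = ("originate", "verify", "authorize", "distribute")


def authorized(user: str, table: str, field: str, action: str) -> bool:
    """Field-level check: allowed if any of the user's roles grants the action."""
    return any(action in AUTHZ.get(role, {}).get((table, field), set())
               for role in USER_ROLES.get(user, set()))


def toxic_role_holders(user_roles: dict, conflicts: set) -> list:
    """Users whose role set contains a conflicting pair (preventive check)."""
    return [u for u, roles in sorted(user_roles.items())
            if any({a, b} <= roles for a, b in conflicts)]


def sod_violations(records: list) -> list:
    """Detective check over application transaction records (txn, stage, user):
    flag transactions where one user performed more than one stage, or where
    a stage has no record at all."""
    by_txn = defaultdict(dict)
    for txn, stage, user in records:
        by_txn[txn][stage] = user
    findings = []
    for txn, stages in sorted(by_txn.items()):
        users = [stages[s] for s in STAGES if s in stages]
        if len(set(users)) < len(users):
            findings.append((txn, "same user in multiple stages"))
        missing = [s for s in STAGES if s not in stages]
        if missing:
            findings.append((txn, "missing stage(s): " + ", ".join(missing)))
    return findings


# Constructed application transaction log
RECORDS = [
    ("T100", "originate", "alice"), ("T100", "verify", "dave"),
    ("T100", "authorize", "bob"), ("T100", "distribute", "erin"),
    ("T101", "originate", "carol"), ("T101", "verify", "dave"),
    ("T101", "authorize", "carol"), ("T101", "distribute", "erin"),   # carol approves her own entry
    ("T102", "originate", "alice"), ("T102", "authorize", "bob"),     # never verified or distributed
]


if __name__ == "__main__":
    print("conflicting role holders:", toxic_role_holders(USER_ROLES, CONFLICTS))
    for finding in sod_violations(RECORDS):
        print(*finding)
```

The two checks are complementary: the role review catches the conflict before any transaction happens (carol holds both data entry and approval), while the log review catches what actually occurred (T101 was entered and approved by the same person, T102 skipped two stages). The log review is only possible because the application records every stage with the acting user, which is what makes application transaction logs the useful audit trail here.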
Workbook: Personnel Security
Personnel Controls
Threat | Role | Control
Divulging private info | Employee | FERPA training: annual quiz review, new employee training
Grant abuse | Employee with grant | Financial controls: employee and administrator and financial office check
Workbook: Personnel Security
Responsibility of Security to Roles
Role | Responsibility
Registrar | Establish FERPA training. Data Owner: student scholastic and financial information. Oversee FERPA adherence in Registration dept.
Admin. | Attend FERPA training. Retain locked cabinets with student info.
Security Admin | Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ...
Workbook: Personnel Security
Requirements: Training, Documentation
Role | Requirements: Training, Documentation
Registrar | FERPA experience in hiring. Training every 3-5 years at national conference or workshop.
Employee handling student data | University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy.
Personnel Issues
• Background checks can reduce fraud: more secure position = more checking required; a standard or procedure may be useful
• Training & signed contracts
• Track and document theft: minor incidents could add up to a major pattern problem
• Email can be monitored for potential problem employees, assuming policy is in place and employees are aware
Employee Hiring
• Document security responsibilities
• Screen candidates for sensitive positions
• Have signed agreements regarding: job responsibilities, conditions of employment; security responsibilities (incl. copyright); confidentiality agreement
• Indicate corrective actions taken if security requirements are not followed
New Employee Orientation
New employee signs Privacy Policy document:
• Has read and agreed to follow security policies
• Conform to laws and regulations
• Promise to not divulge logon IDs and passwords
• Create quality passwords
• Lock terminal when not present
• Report suspected violations of security
• Maintain good physical security (locked doors, private keys)
• Use IT resources only for authorized business purposes
Employee Termination
Unless continued relationship expected:
• Return equipment
• Revoke access
• Return all access keys, ID cards and budgets
• Notify all staff and security personnel
• Arrange final pay
• Perform termination interview
Third Party Agreements
• Define information security policy
• Define procedures to implement policy
• Deploy controls to protect against malicious software
• Publish restrictions on copying/distributing information
• Implement procedures to determine whether assets were compromised
• Ensure return or destruction of data at end of job
Summary of Personnel Controls
• Segregation of duties
• Mandatory vacations or job rotation
• Training and written policies and procedures
• Background checks
• Need to know / least privilege
• Fraud reporting mechanism
• Transaction logs
Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software Developer and System Administration
2. Database administration and Data Entry
3. System Administrator and Quality Assurance
4. Quality Assurance and Software Developer
Question
Which is MOST important for a successful security awareness program?
1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective
Question
To detect fraud, the BEST type of audit trail to log would be:
1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions
Vocabulary
• Blackout, brownout, sag, spike, surge, electromagnetic interference
• Surge protector, UPS, alternate power generator
• Fire suppression: charged, dry pipe, FM200, Argonite
• Deadman door, piggybacking
• Security awareness, security training, security education
• Segregation of duties
HEALTH FIRST CASE STUDY
Designing Physical Security
Jamie Ramon, MD: Doctor
Chris Ramon, RD: Dietician
Terry: Licensed Practicing Nurse
Pat: Software Consultant
Defining Room Classifications and Controls
Sensitivity Classification | Description | Special Treatment (Examples)
Proprietary | Room contains Proprietary information storage. | Room and all cabinets remain locked.
Confidential | Room contains Confidential information storage. | Workstation monitor has hood.
Private | Room contains computer with access to sensitive data or room contains controlled substances. | Room remains locked when not attended. No visitors are allowed in these areas unescorted.
Privileged | Room contains computer with access to sensitive data but public has access when escorted. |
Public | The public is free to spend time in this room, without escort. |
Criticality Classification | Description
Critical | Room contains Critical computing resources, which cannot be performed manually.
Vital | Room contains Vital computing resources, which can be performed manually for a short time.
Physical Security Map
Sensitivity Classification Color Key (map diagram not reproduced):
• Green: Public
• Yellow: Privileged
• Orange: Private
• Red: Confidential
Workbook: Physical Security
Allocation of Assets
Room | Sensitive Assets or Information | Room Controls
Rm 123 | Computer Lab: Computers, Printer | Cable locking system. Doors locked 9PM-8AM by security.
Rm 125 | Classroom: Computer & projector | Cable locking system. Teachers have keys to door.
Rm 132 | Servers and critical/sensitive information | Key-card entry logs personnel. Badges required.
Reference
Slide # | Slide Title | Source of Information
4 | Criticality Classification | CISA: page 127, Exhibit 2.18
6 | Security: Defense in Depth | CISM: page 60, 61, Exhibit 1.16
7 | Defense in Depth: Physical access controls with Guards | CISM: page 61, Exhibit 1.16
9 | Power Protection Systems | CISA: page 381, 383
10 | Computer Room Equipped with | CISA: page 382
12 | Fire Suppression Systems | CISA: page 382
13 | Door Lock Systems | CISA: page 385
14 | Deadman Doors | CISA: page 386
16 | Mobile Computing | CISA: page 386, 387
17 | Device Security | CISA: page 256, 256, 344
29 | Security Awareness & Training | CISA: page 321, 369
32 | Segregation of Duties | CISA: page 117, 118
35 | Segregation of Duties Controls | CISA: page 119, 120
40 | Employee Hiring | CISA: page 105
42 | Employee Termination | CISA: page 106