2. Agenda
Physical Security: Baseline Definitions and Convergence Drivers
What is a Risk Assessment; When Should You Do One; and Why?
Determining Your Company's/Organization's Unique Risk Appetite
Getting Started: The Project Plan
Sample Risk Assessment Tools
Your Corrective Action Plan: Basics to Consider
4. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats. ISO 27001 role of physical security: protect the organization's assets by properly choosing a facility location, maintaining a security perimeter, implementing access control and protecting equipment. The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others as appropriate. Physical security should address not only central computer installations, but also backup facilities and office environments. In government, this office is often also responsible for processing personnel background checks and security clearances. What is the impact of convergence (merging IT security and physical security) on this role, and how does it change the responsibilities for physical security risk assessments and action plans?
9. When Should You Do a Risk Assessment?
Your company has a policy to conduct a periodic or annual enterprise risk assessment
You are opening a new facility or moving
You have had an audit finding
You have had a breach or another identified vulnerability
Compliance with legal and regulatory requirements
Mergers, acquisitions, divestitures
Outsourcing
Partnerships and alliances
You are implementing a new technology
Other?
11. Since 9/11 everyone is increasingly concerned with the safety of tenants and employees.
12. If you don’t have an integrated risk assessment, how do you know what your security program should be, what to do first, second, etc.?
13. How do you justify costs, resources, schedules, etc. without the output of a risk assessment?
14. How do you know if you are compliant to legal and regulatory requirements?
15. How do you know what an acceptable level of risk is for your organization, and how do you communicate that and implement policies and procedures around it?
16. Through the process of the risk, threat and vulnerability assessment you will learn and discover things about your environment that were previously unknown.
18. What level of risk exposure requires immediate action? Why?
19. What level of risk requires a formal response strategy to mitigate the potentially material impact? Why?
20. What events have occurred in the past, and at what level were they managed? Why?
Each question is followed by a "why" because the organization should be able to articulate the quantitative and/or qualitative basis for its appetite; otherwise the appetite will come off as backward-looking (based only on historical events) or even arbitrary. Develop a risk appetite table.
21. Getting Started
Develop a project plan and schedule (follow traditional project management discipline and methodology)
Identify the policies, guidelines, models and methodologies to follow
Identify areas to be reviewed, measurement criteria and resources
Decide on a scoring methodology (quantitative or qualitative analysis)
Identify other existing resources/inputs and how that information will factor in: scorecards, metrics, audit findings, compliance assessments, incidents, vulnerability assessments, etc.
Define the end state and all output (documents, reports, presentations, action plan, etc.)
22. Security Risk Assessment Outline
Background
Purpose
Scope
Assumptions
Description of System
System Attributes
System Sensitivity
Systems Security: Administrative Security, Physical Security, Technical Security, Software Security, Telecommunications Security, Personnel Security
System Vulnerabilities: Technical Vulnerability, Personnel Vulnerability, Telecommunications Vulnerability, Environmental Vulnerability, Physical Vulnerability
Glossary of Terms
Acronyms
23. Simple Assessment Checklist: Facilities and Physical
What preventative measures do you currently have in place? (Yes, No, N/A)
Access to secured areas is limited to necessary personnel.
Monitor and review the distribution of keys and/or access codes.
When an employee terminates, keys are collected and/or access codes are terminated.
Physically secure equipment that is portable and located in open access areas.
Use security cameras in areas where equipment cannot be easily secured or monitored (for example, computer labs and classrooms).
Use the 'STOP' Program to track property and equipment.
Require employees to attend vehicle safety training offered by Environmental Health & Safety.
Report previous losses to Public Safety at the time they are discovered.
Implement specific preventative measures in direct response to a loss.
25. Is the system safe from excessive sunlight, wind, dust, water, or extreme hot/cold temperatures?
26. Is this system located in a monitored, isolated area that sees little human traffic?
27. Is the room/building in which the system is located secured by lock and alarm system to which only a few trusted / identified personnel have access? Are these locks and alarms locked and armed during off hours?
28. Is the console of the system secured to prevent someone from casually walking up to the system and using it (even if just for a few seconds)? Are all users logged out from the console?
29. Are the power and reset switches protected or disabled?
30. Are all input devices to the system secured or turned off: are all removable disk drives locked/secured? Are the parallel/serial/infrared/Bluetooth/USB/SCSI ports secured or removed? Are any attached hard drives physically locked down to the system?
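The deck asks you to develop a risk appetite table, pick a scoring methodology, and then work through a Yes/No/N/A checklist such as the one above. The following is an added example, not part of the original slides, showing how those three pieces fit together: each checklist item carries an assumed likelihood and impact rating (1 to 5), a "No" answer opens the full likelihood × impact exposure, a "Yes" closes it, "N/A" is excluded from totals, and each open finding is classified against an assumed risk appetite table (the thresholds 15 and 8 and the control weights are illustrative assumptions) so the corrective action plan comes out ordered by risk rather than by checklist position.

```python
"""Score a physical-security checklist against a risk appetite table.

Added example, not from the original deck. All control names, likelihood/impact
weights and appetite thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Control:
    item: str
    likelihood: int  # 1..5: chance the threat materialises if this control is absent (assumed)
    impact: int      # 1..5: severity of the loss if it does (assumed)


# Assumed risk appetite table: lowest score that triggers each response,
# ordered from most to least severe so the first match wins.
RISK_APPETITE: Tuple[Tuple[int, str], ...] = (
    (15, "immediate action"),
    (8, "formal response strategy"),
    (0, "accept and monitor"),
)


def residual_score(control: Control, answer: str) -> Optional[int]:
    """Turn a Yes/No/N/A checklist answer into a residual risk score.

    'Yes' - the control is in place; residual risk is scored 0.
    'No'  - the exposure is open; score = likelihood x impact (1..25).
    'N/A' - out of scope; returns None so it is excluded from the plan.
    Anything else is rejected so a typo cannot silently lower the score.
    """
    a = answer.strip().upper()
    if a == "YES":
        return 0
    if a == "NO":
        return control.likelihood * control.impact
    if a in ("N/A", "NA"):
        return None
    raise ValueError(f"unrecognised answer {answer!r} for {control.item!r}")


def response_for(score: int) -> str:
    """Look up the required response for a score in the risk appetite table."""
    for threshold, response in RISK_APPETITE:
        if score >= threshold:
            return response
    return RISK_APPETITE[-1][1]


def action_plan(controls: Sequence[Control],
                answers: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (item, score, response) for every open finding, highest score
    first, so the corrective action plan is ordered by risk."""
    findings = []
    for c in controls:
        s = residual_score(c, answers[c.item])
        if not s:  # None (N/A) or 0 (control in place) are not findings
            continue
        findings.append((c.item, s, response_for(s)))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


# Constructed sample checklist based on the items above; weights are assumed.
CHECKLIST = [
    Control("Access to secured areas limited to necessary personnel", 4, 5),
    Control("Keys collected / access codes terminated on employee exit", 3, 4),
    Control("Portable equipment in open areas physically secured", 4, 2),
    Control("Console locked; users logged out when unattended", 3, 3),
    Control("Removable drives and external ports secured or removed", 2, 3),
    Control("Power and reset switches protected", 1, 2),
]

# Constructed sample answers for one assessment.
SAMPLE_ANSWERS = {
    "Access to secured areas limited to necessary personnel": "No",
    "Keys collected / access codes terminated on employee exit": "No",
    "Portable equipment in open areas physically secured": "Yes",
    "Console locked; users logged out when unattended": "No",
    "Removable drives and external ports secured or removed": "N/A",
    "Power and reset switches protected": "No",
}

if __name__ == "__main__":
    for item, score, response in action_plan(CHECKLIST, SAMPLE_ANSWERS):
        print(f"{score:>2}  {response:<26} {item}")
```

With the sample answers the plan comes out as 20 (immediate action) for unrestricted access to secured areas, 12 and 9 (formal response strategy) for uncollected keys and unlocked consoles, and 2 (accept and monitor) for unprotected power switches. The thresholds are the part the organization must be able to justify, which is exactly the "why" the previous slides ask for; a qualitative scheme would swap the numeric bands for High/Medium/Low labels without changing the structure.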
43. Policies and Procedures (continued)
Involve and cooperate with other organizations that can affect the utility's security. For example, contact chlorine and other chemical suppliers to discuss the need for adequate security during transport, and develop protocols to respond to missing or delayed shipments.
Maintain replacement parts and emergency repair kits for critical assets, such as generators, that are important during emergencies.
Maintain redundant equipment, critical replacement parts, etc. in a separate or isolated location. It can be on site or nearby, but not within the same building or room.
Develop a utility vehicle use policy (including locking vehicles and tool bins, securing tools, etc.).
Establish procedures for night shift workers, including regular check-ins with supervisors.
Establish published guidelines so that all future procurements and designs address security issues and incorporate solutions. All requests for proposals should include a security portion so that responding consultants are reminded that security must be addressed in their work and in their own operational practices.
Continue to monitor the visitor entrance.
Establish a policy for facility tours delineating who is authorized to approve access, which areas can be accessed, and the times at which tours are allowed.