2. Objective
To address the threats, vulnerabilities, and
countermeasures which can be utilized to physically protect
an enterprise’s resources and sensitive information to
include people, facilities, data, equipment, support
systems, media, and supplies.
To discuss considerations for choosing a secure site, its
design and configuration, and the methods for securing the
facility against unauthorized access, theft of equipment and
information, and the environmental and safety measures
needed to protect people, the facility, and its resources.
3. Physical Security
Physical Security Threats
Site Design and Configuration
Physical Security Requirements
– For Centralized Computing Facilities
– For Distributed Processing Facilities
– For Extended Processing
5. Information Protection Environment
Crime Prevention through Environmental Design
(CPTED)
• Concept that, as its basic premise, states that the
physical environment of a building can be changed
or managed to produce behavioral effects that will
reduce the incidence and fear of crime
• Territoriality
• Surveillance
• Access control
6. Information Protection Environment Cont…
Site Location
• Specific physical security concerns
• Vulnerable to crime, riots, demonstrations, or terrorism
attacks
• Neighborhood crime rates and types
• Vulnerable to natural disasters
Construction Impacts
Facility Impacts
• Entry points
• Infrastructure support systems
• Electrical power
• Heating, ventilation, air conditioning (and refrigeration)
• Internal sensitive or compartmentalized areas
• Portable computing
7. Information Protection Environment Cont…
Electrical Power
– Vulnerabilities include total power loss of short or long duration
or degradation in power quality, such as brownouts, spikes, or
sags
• Blackout - complete loss of commercial power
• Fault - momentary power outage
• Brownout - an intentional reduction of voltage by a utility company
• Sag/dip - a short period of low voltage
• Surge - a sudden rise in voltage in the power supply
• Transient - line noise or disturbance is superimposed on the supply
circuit and can cause fluctuations in electrical power
• In-rush current - the initial surge of current required by a load before
it reaches normal operation
• Electrostatic discharge - another type of electrical surge can occur
when two non-conducting materials rub together, causing electrons
to transfer from one material to another
8. The Layered Defense
Perimeter and building grounds
– Landscaping, Fences, Gates, Bollards, Walls, and Doors
• 1 meter/3–4 feet - Deters casual trespassers
• 2 meters/6–7 feet - Too high to climb easily
• 2.4 meters/8 feet with top guard - Deters
determined intruder
Building entry points
Inside the building - building floors, office suites,
and offices
9. Fire Protection
Fire Prevention
– Fireproof Construction materials
– False ceiling should not be flammable
– Magnetic tapes, if ignited, produce poisonous gases
– fire-prevention training
Fire Detection
– Ionization-type smoke detectors
– Photoelectric detectors
– Heat detectors
“The first rule is to get the people out”
11. Fire Protection Cont…
Portable Extinguishers
At Exits
Mark Locations and Type
Types A, B & C
Need to Inspect
Water Sprinkler Systems
Works to Lower Temperature
Most Damaging to Equipment
Conventional Systems
“Dry Pipe” Systems: Less Risk of Leakage
Employ in Throughout Building and in all Spaces
12. Fire Protection Cont…
Carbon Dioxide (CO2)
Colorless/Odorless
Potentially Lethal
Removes Oxygen
Best for Unattended Facilities
Delayed-Activation in Manned Facilities
Halon
Best Protection for Equipment
Concentrations <10% are Safe
Becomes Toxic at 900o
Depletes Ozone (CFCs)
Montreal Protocol (1987)
Halon 1301: Requires Pressurization
Halon 1211: Self-Pressurization (Portable Extinguishers)
19. Computing Facility Requirements
Walls
True Floor to Ceiling
Fire Rating (at least 1 hour)
Penetrations
Adjacent Areas
Doors
Interior/Exterior
Hinges
Fire Rating
Alarms
Monitoring
20. Computing Facility Requirements Cont…
Windows/Openings
Interior/Exterior
Fixed
Shatterproof
Computer and Equipment Room Lay Out
Equipment Access
Storage
Occupied Areas
Water Sources
Cable Routing
21. Computing Facility Requirements Cont…
Dedicated Circuits
Controlled Access to
Power Distribution Panels
Master Circuit Breakers
Transformers
Feeder Cables
Emergency Power Off Controls
Voltage Monitoring/Recording
Surge Protection
22. Computing Facility Requirements Cont…
Backup Power
Alternate Feeders
Uninterruptible Power Supply
Hydrogen Gas Hazard
Maintenance/Testing
Emergency Power Generator
Fuel Consideration
Maintenance/Testing
Costs
HVAC
Telecom
23. Computing Facility Requirements Cont…
Humidity Controls
Risk of Static Electricity
Risk to Electric Connections
Air Quality (Dust)
Water Protection
Falling Water
Rising Water
Drains
Protective Coverings
Moisture Detection Systems
24. Securing Storage Areas
Forms Storage Rooms
Increased Threat of Fire
Combustibles
Access Controls
Media Storage Rooms
Media Sensitivity
Segregation
Access Controls
Environmental Controls
26. Cable Protection
Optical Fiber
Copper Wire
Certifying the Wiring and Cabling
Controlling Access to Closets and Riser Rooms
27. Other Considerations
Dealing with Existing Facilities
Planning
Upgrade/Renovation
Incremental New Construction
Protecting the Protection
Implement Physical and Environmental Controls
for Security Systems
Protect against both Intentional and Inadvertent
Threats
29. Access Controls – Locks
Preset Locks and Keys
Programmable Locks
Mechanical (Cipher Locks)
Electronic (Keypad Systems): Digital Keyboard
Number of Combinations
Number of Digits in Code
Frequency of Code Change
Error Lock-Out
Error Alarms
30. Access Controls - Tokens
Security Card Systems
Dumb Cards
Photo Identification Badges
Manual Visual Verification
Can be Combined with Smart Technology
Digital Coded (Smart) Cards
Often Require Use of PIN Number with Card
Readers: Card Insertion, Card Swipe & Proximity
31. Types of Access Cards
Photo ID Cards
Optical Coded Cards (Magnetic Dot)
Electric Circuit Cards (Embedded Wire)
Magnetic Cards (Magnetic Particles)
Metallic Stripe Card (Copper Strips)
37. Physical Security Controls - Distributed
Processing Cont…
Isolated Power Source
Noise
Voltage Fluctuations
Power Outages
Heat/Humidity Considerations
Fire/Water
Magnetic Media Controls
38. Physical Security Controls Extended
Processing
User Responsibilities Paramount
Protection against Disclosure
Shoulder Surfing
Access to Sensitive Media and Written Material
Integrity Protection
Protection against Loss or Theft
Locks
Practices
Management Responsibilities
Approval
Monitoring