Table of Contents
- Overview | Standards | Getting Started | Resources
- Secure Areas (ISO 9.1)
- Equipment Security (ISO 9.2)
Overview
The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.
Secure Areas
Ensuring complete physical security is impossible, especially in an institution of higher education. While there are several university facilities that have extensive security safeguards in place because of the nature of the services and information contained therein, most of our buildings and rooms allow unfettered access to members of the public. General building and room security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within.
The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remain closed and locked while the room is unoccupied might suffice. In other cases, the sensitivity or criticality of the information contained in, and the service provided by, a building, room, or piece of equipment might be such that more stringent actions are taken.
Equipment Security
There are many types of equipment involved in the creation, collection, storage, manipulation, and/or transmission of information. Filing cabinets are used to store student transcripts. Computer systems are used to process and maintain intellectual property. Data networking equipment and cables are used to transmit voice and video communications. While the value of the equipment cannot be disregarded, the information stored in the device is arguably more valuable than the device itself. Physical and logical security safeguards should be based on the type of data being processed by the equipment. A sound asset management strategy is important to ensure all important equipment is tracked and secured appropriately (see Asset Management (ISO 7) for additional information).
Placement
Appropriate physical safeguards must be placed on equipment that stores or processes institutional data. In addition to physically securing this equipment, consideration must be given to other environment-related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the university's mission. Careful thought must be given to ensuring proper power (e.g., uninterruptible power supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment.
Equipment removed from university premises is particularly vulnerable to loss or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.
Disposal and Redistribution
Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.
Standards
- 27002: Information Security Management
- 800-100: Information Security Handbook: A Guide for Managers
- PO4
- Requirement 9
Secure Areas (ISO 9.1)
Objective: To ensure the institution appropriately protects buildings and rooms to prevent unauthorized access, damage, or interference to the information systems therein.
Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. The physical facility is usually the building(s) housing the system and network components. The physical characteristics of these structures determine the level of such physical threats as fire, roof leaks, or unauthorized access. Security perimeters should be used to protect areas that contain information and information processing facilities -- using walls, controlled entry doors/gates, manned reception desks and similar measures. The facility's general geographic location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions; and damaging nearby activities, including toxic chemical spills, explosions, and fires. Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented.
Secure Areas Resources:
- Joe St Sauver - Physical Security: A Crucial (But Often Neglected) Part of Cybersecurity
- Joe St Sauver - Physical Security of Advanced Network and Systems Infrastructure
- Cornell University Policy - Responsible Use of Video Surveillance Systems
- Indiana University - Facilities Physical Security, Safety, and Privacy Program
- Indiana University Policy - Video and Electronic Surveillance
- Virginia Polytechnic Institute and State University Policy - Safety and Security Camera Acceptable Use
- Wayne State University Policy - Video Surveillance
- Oakland University Policy - Surveillance and Monitoring Technologies
- Penn State University Policy - Electronic Security and Access Systems
- The University of Iowa - Federal Information Security Management Act (FISMA) Plan
- The University of Iowa - Video Surveillance Policy
- University of Manitoba Perspectives of Closed Circuit Television Surveillance
- University of Manitoba Closed Circuit TV (CCTV) Monitoring Policy
- University of Idaho Access Control Policy
Equipment Security (ISO 9.2)
Objective: To ensure the institution appropriately protects information systems equipment from physical and environmental threats.
IT equipment should be maintained properly and disposed of securely.
The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of systems and may cause physical damage to system hardware or stored data. Equipment should be protected from disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Power and telecommunications cabling carrying sensitive data should be protected from interception or damage. Maintenance contracts should be in place to make certain equipment will be correctly maintained to ensure its continued availability and integrity. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises.
All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal.
Equipment Security Resources:
- Ten Steps to Secure Your Mobile Device
- 7 Things You Should Know about Mobile Security
- Indiana University Policy - Disposal and Redistribution of University Property
- Guidelines for Information Media Sanitization
- Copier and Multi-Function Device Security
- The University of Iowa - Federal Information Security Management Act (FISMA) Plan
- Introduction to Full Disk Encryption (FDE)
Resources
EDUCAUSE Resources
- Ten Steps to Secure Your Mobile Device
- 7 Things You Should Know about Mobile Security
- Physical Security
- Mobile Device Security
- Financial and Door-Access Threats of University ID Cards, 2009 Security Professionals Conference
- Mobile Data Paranoia---Three Perspectives on Encryption, 2010 Security Professionals Conference
- Copier and Multi-Function Device Security
- Guidelines for Information Media Sanitization
- Business Continuity Planning Toolkit
- Introduction to Full Disk Encryption (FDE)
Initiatives, Collaborations, & Other Resources
- Joe St Sauver - Physical Security of Advanced Network and Systems Infrastructure
- Cornell University Policy - Responsible Use of Video Surveillance Systems
- Indiana University - Facilities Physical Security, Safety, and Privacy Program
- Indiana University Policy - Video and Electronic Surveillance
- Virginia Polytechnic Institute and State University Policy - Safety and Security Camera Acceptable Use
- Wayne State University Policy - Video Surveillance
- Oakland University Policy - Surveillance and Monitoring Technologies
- Penn State University Policy - Electronic Security and Access Systems
- Indiana University Policy - Disposal and Redistribution of University Property
- The University of Iowa - Federal Information Security Management Act (FISMA) Plan
- The University of Iowa - Video Surveillance Policy
- University of Manitoba Perspectives of Closed Circuit Television Surveillance
- University of Manitoba Closed Circuit TV (CCTV) Monitoring Policy
- University of Idaho Access Control Policy
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.