Overview

The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.

Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.

Secure Areas

Ensuring complete physical security is impossible, especially in an institution of higher education. While there are several university facilities that have extensive security safeguards in place because of the nature of the services and information contained therein, most of our buildings and rooms allow unfettered access to members of the public. General building and room security safeguards should be in harmony with the overall atmosphere of the building while factoring in threats to the information contained within.

The security of facilities housing information resources can be protected by a number of means (e.g., locked doors with limited key distribution, locked machine cabinets, glass break sensors on windows, motion detectors, door alarms, fire suppression, appropriate heating, cooling and backup power). As with all security issues, the cost of implementing such protection measures has to be weighed against the risks. In some circumstances, the simple act of ensuring that all doors and windows in the room remain closed and locked while unoccupied might suffice. In another case, the sensitivity or criticality of the information contained on and the service provided by a building, room, or piece of equipment might be such that more stringent actions are taken.

Equipment Security

There are many types of equipment involved in the creation, collection, storage, manipulation, and/or transmission of information. Filing cabinets are used to store student transcripts. Computer systems are used to process and maintain intellectual property. Data networking equipment and cables are used to transmit voice and video communications. While the value of the equipment cannot be disregarded, the information stored in the device is arguably more valuable than the device itself. Physical and logical security safeguards should be based on the type of data being processed by the equipment. A sound asset management strategy is important to ensure all important equipment is tracked and secured appropriately (see Asset Management (ISO 8) for additional information).

Placement

Appropriate physical safeguards must be placed on equipment that stores or processes institutional data. In addition to physically securing this equipment, consideration must be given to other environment-related aspects that could, if not managed correctly, cause an interruption of service or availability and thus disrupt the university's mission. Careful thought must be given to ensure proper power (e.g., uninterruptible power supplies, generator power backup, redundant power feeds), adequate fire protection, proper heating and cooling, and so on. These environmental safeguards must be commensurate with the sensitivity of the data contained in or processed by the equipment.

Equipment removed from university premises is particularly vulnerable to loss or theft. Therefore, the equipment must be protected when off-site, at home, or while in transit from one location to another.

Disposal and Redistribution

Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties.

Standards

ISO

  • 27002:2013 Information Security Management, Chapter 11: Physical and Environmental Security

NIST

  • 800-100: Information Security Handbook: A Guide for Managers
  • 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • 800-12: An Introduction to Computer Security - The NIST Handbook
  • 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT

  • APO02.02
  • APO13.01
  • DSS01.04
  • DSS04.02
  • DSS05.02
  • DSS05.04
  • DSS05.05
  • BAI09.03

PCI DSS

  • Req 9
  • Req 10
  • Req 11

2014 Cybersecurity Framework

  • ID.AM-4
  • ID.BE-4
  • ID.BE-5
  • PR.AC-2
  • PR.DS-3
  • PR.IP-5
  • PR.IP-6
  • PR.MA-1
  • PR.MA-2
  • PR.PT-2

HIPAA Security

  • 45 CFR 164.310(a)(1)
  • 45 CFR 164.310(b)
  • 45 CFR 164.310(c)
  • 45 CFR 164.310(d)(1)

In addition to the standards listed here, please check out this cross-referenced matrix (developed by Symantec), which outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace, including ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, PCI DSS, GLBA, NERC standards CIP, and PIPEDA (Canada).

Getting Started

Physical security programs define the various measures or controls that protect an organization from a loss of computer processing capabilities caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical security measures should be sufficient to deal with foreseeable threats.

1. Determine which managers are responsible for the planning, funding, and operation of physical security of the Data Center.
2. You may want to select a standard that provides assessment and implementation guidance for evaluating the physical security controls in place at, for example, your University Data Center. This will ensure you don't have to 'reinvent the wheel' and will help you get the initiative off the ground relatively quickly.
3. You will want to establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:

  • Environmental Controls
  • Natural Disaster Controls
  • Supporting Utilities Controls
  • Physical Protection and Access Controls
  • System Reliability
  • Physical Security Awareness and Training
  • Contingency Plans

4. Your assessment will determine, for example, whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high security areas, etc.) has been made and if these controls are effective.
5. As you're performing your gap analysis, you will want to provide responsible managers guidance in handling risks that you come across. For example, if you find that the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
6. You may want to take an incremental approach to assessing all the physical security controls in place. As you discover gaps in physical security controls, work with managers to come up with corrective action plans and monitor them through completion.

Secure Areas (ISO 11.1)

Objective: To ensure the institution appropriately protects buildings and rooms to prevent unauthorized access, damage, or interference to the information systems therein.

Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. The physical facility is usually the building(s) housing the system and network components. The physical characteristics of these structures determine the level of such physical threats as fire, roof leaks, or unauthorized access. Security perimeters should be used to protect areas that contain information and information processing facilities -- using walls, controlled entry doors/gates, manned reception desks and similar measures. The facility's general geographic location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions; and damaging nearby activities, including toxic chemical spills, explosions, and fires. Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented.

Secure Areas Resources:

Equipment (ISO 11.2)

Objective: To ensure the institution appropriately protects information systems equipment from physical and environmental threats.

IT equipment should be maintained properly and disposed of securely.

The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of systems and may cause physical damage to system hardware or stored data. Equipment should be protected from disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Power and telecommunications cabling carrying sensitive data should be protected from interception or damage. Maintenance contracts should be in place to make certain equipment will be correctly maintained to ensure its continued availability and integrity. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises.

All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal.

Equipment Security Resources:

Resources

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).