2. What is Physical Infrastructure
● The physical infrastructure is the foundation on which all
enterprise systems operate – power, communication, computing,
control and security. Research shows that faults within the
physical infrastructure cause a majority of system downtime.
3. Secure physical infrastructure
● Security can be best achieved by ensuring multiple layers
of security and not depending on a single measure. The
controls for physical and environmental security are
defined in three areas:
– Security of the premise
– Security of the equipment
– Secure behavior
4. Security Of The Premise
Components:
● Physical security perimeter
● Physical entry controls
● Securing offices, rooms and facilities
● Isolated delivery and loading areas
● Working in secure areas
5. Physical security perimeter
● Boundary of the premise
● Entry points
● Protective wall
● Doors strong enough
● Entry gates controlled by cards
● Watchmen, guards or receptionist monitoring the entry points
6. Physical entry controls
Only authorized persons should be allowed access to
the secure areas.
This objective could be achieved by having a clear
access control policy defining the access rights.
These measures may take the form of access controlled
devices like swipe card controlled doors, logging
information about visitors and visible identification
badges.
7. Securing offices, rooms and facilities
Support facilities like photocopiers and fax machines, which
are constantly accessed by everyone, should be located
away from the secure area.
Suitable intruder detection systems like CCTV, motion
sensors etc. should be installed and regularly tested.
8. Working in secure areas
Location of the secure office within the physically
secure perimeter should be chosen with care.
All the risks pertaining to fire, flood, explosion, civil
unrest and other forms of natural or man-made disaster
should be considered.
There could also be threat from neighboring premises
caused by leakage of water, spreading of fire or storage
of toxic/inflammable/explosive material.
Even bulk supplies like stationery should not be stored
within the secure premises.
9. Isolated delivery and loading areas
In industrial premises there could be constant
movement of incoming and outgoing material.
All this traffic needs to be isolated from the secure office
area so that it does not pose a threat.
10. Security Of The Equipment
Components:
● Equipment siting and protection
● Power supplies
● Cabling Security
● Equipment Maintenance
● Security of equipment off-premises
● Secure disposal or re-use of equipment
11. Equipment siting and protection
Information processing equipment needs to be
handled carefully.
This reduces the risk from environmental threats and
hazards.
It also reduces the opportunity for unauthorized access.
12. Power supplies
Information processing will come to a halt in the
absence of a suitable power supply.
So equipment should be protected from power failure.
13. Cabling Security
Power and telecommunication cabling carrying data
or supporting information services shall be protected
from interception or damage.
14. Equipment Maintenance
It is normally expected that due care is taken for
equipment maintenance and proper records are
maintained.
The first step is to maintain a record of faults that were
noticed, and the second step is to maintain records of all
equipment sent off the premises for maintenance.
15. Security of equipment off-premises
Security procedures and controls shall be used to
secure equipment used outside the company’s
premises.
16. Secure disposal or re-use of equipment
Every such device should be subjected to a thorough
erasing and overwriting to destroy the data.
Since some reports claim that the data could be
recovered even after multiple overwriting and
formatting, it may be desirable to physically destroy
the media containing top secret information.
18. Clear desk and clear screen policy
Lock up all documents and media when not in use.
Protect the computers and terminals through use of key
locks, passwords, and screen savers.
Fax and telex machines used for confidential
information should not be left unattended.
Access to photocopiers and scanners is restricted after
office hours.
Printing of classified information should be supervised
and all printouts must be removed immediately.
19. Removal of property
Any movement of equipment, information or software
should be only with proper authorization.
All these movements should be logged and records
maintained for all outgoing and incoming items.
21. Introduction
Traditionally, organizations have relied on policies.
These documents, once issued, provide top down
influence for everyone in the company—from
business units to departments to individual
employees.
One of the major challenges for an organization in
this area is the continued growth and adaptation of
the policies to mirror the transformation within the
organization.
22. Contd…
The fastest area of growth and change within an
organization is Information Systems. With the rapid
development and push toward new technologies,
organizations find themselves striving to maintain
current technical environments with outdated
policies.
Secondly, with the emergence of new technology
strategies such as Intranets and Extranets, security
and the protection of informational assets have
become paramount.
23. Contd…
The first step is an enterprise-wide Information
Systems Security Policy that is consistently enforced
even as business needs change.
Unfortunately, most companies have only bits and
pieces of security scattered throughout the
organization. These may make some departments or
individuals feel safe, but they do little to protect the
enterprise as a whole.
24. What is PPT methodology?
PPT stands for People, Policy, & Technology. The
security process is a mixture of these three elements.
Each element depends in some manner on the other
elements.
26. People
This core element is the most important. The people
element comprises the people and various roles and
responsibilities within the organization.
These are the people that are put in place to execute
and support the process.
A few key roles include senior management, security
administrators, system and IT administrators, end
users, and auditors.
27. Policy
This element comprises the security vision statement,
security policy and standards, and the control
documentation.
This is basically the written security environment—
the bible that the security process will refer to for
direction and guidance.
28. Technology
This element includes tools, methods, and
mechanisms in place to support the process.
These are core technologies—the operating systems,
the databases, the applications, the security tools—
embraced by the organization.
The technology then is the enforcement, monitoring,
and operational tool that will facilitate the process.