Principles of Information Security
Chapter 9 – Physical Security
Based on the Fourth Edition of:
M. E. Whitman, H. J. Mattord: Principles of Information Security
School of Business, Department of Information Technology
Introduction Physical Control Fire Security Failure of Support Interception Portable Threats
If someone really wants to get at the information, it is not difficult
if they can gain physical access to the computer or hard drive.
Microsoft White Paper, July 1999
Chapter 9 – Physical Security Principles of Information Security 2
Learning Objectives
Discuss the relationship between threats to information
security and physical security
Describe the key physical security considerations including fire
control and surveillance systems
Identify critical physical environment considerations for
computing facilities, including uninterruptible power supplies
Outline
1 Introduction
2 Physical Access Controls
3 Fire Security and Safety
4 Failure of Supporting Utilities and Structural Collapse
5 Interception of Data
6 Mobile and Portable Systems
7 Special Considerations for Physical Security Threats
Introduction
Physical security addresses design, implementation, and
maintenance of countermeasures that protect physical
resources of an organization
Most controls can be circumvented if an attacker gains
physical access
Physical security is as important as logical security
Introduction (cont.)
Seven Major Sources of Physical Loss (Donn B. Parker)
1 Extreme temperature: heat, cold
2 Gases: war gases, commercial vapors, humid or dry air
3 Liquids: water, chemicals
4 Living organisms: viruses, bacteria, people, animals, insects
5 Projectiles: tangible objects in motion, powered objects
6 Movement: collapse, shearing, shaking, vibration, liquefaction
7 Energy anomalies: electrical surge or failure, magnetism,
static electricity, aging circuitry; radiation: sound, light, radio
Introduction (cont.)
Community roles
General management: responsible for facility security
IT management and professionals: responsible for
environmental and access security
Information security management and professionals: perform
risk assessments and implementation reviews
Quick Quiz
1 ______ security addresses the design, implementation, and
maintenance of counter-measures that protect the physical
resources of an organization.
Answer: Physical
2 ______ management is responsible for the security of the
facility in which the organization is housed and the policies
and standards for secure operation.
Answer: General
3 ______ management and professionals are responsible for
environmental and access security in technology equipment
locations and for the policies and standards of secure
equipment operation.
Answer: Information technology
Physical Access Controls
Secure facility: physical location engineered with controls
designed to minimize risk of attacks from physical threats
Secure facility can take advantage of natural terrain, traffic
flow, and degree of urban development; can complement these
with protection mechanisms (fences, gates, walls, guards,
alarms)
Physical security controls
Walls, Fencing, and Gates – walls and fences with suitably
constructed gates are an essential starting point for
organizations whose employees require access to the real
estate the organization owns or controls
Guards – Guards can evaluate each situation as it arises and
make reasoned responses. Most guards have clear standard
operating procedures (SOPs) that help them to act decisively
in unfamiliar situations
Dogs – Guard dogs are useful because their keen sense of
smell and hearing can detect intrusions that human guards
cannot
Physical security controls
ID cards and badges
Ties physical security with information access control
ID card is typically concealed
Name badge is visible
Serve as simple form of biometrics (facial recognition).
Should not be only means of control as cards can be easily
duplicated, stolen, and modified.
Tailgating occurs when unauthorized individual follows
authorized user through the control
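Tailgating and badge misuse only show up when the badge reader log is correlated with what the door actually did. The following is an added example, not part of the slides: it reviews a constructed log from one entry door that has a badge reader and a passage sensor (turnstile or beam-break), and flags more than one passage on a single granted read (tailgating), a passage with no granted read (unbadged or forced entry), and a badge granted entry while its holder is already inside (a duplicated or shared card). The log format, the names, and the 10-second unlock window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log for this example: a single entry door with a badge
# reader and a passage sensor (turnstile or beam-break) that fires once per
# person who walks through. Names and timestamps are made up.
SAMPLE_LOG = """\
2024-05-01T08:00:01 BADGE alice GRANT
2024-05-01T08:00:03 PASS
2024-05-01T08:00:05 PASS
2024-05-01T08:30:00 BADGE bob DENY
2024-05-01T08:30:04 PASS
2024-05-01T09:00:00 BADGE alice GRANT
2024-05-01T09:00:02 PASS
2024-05-01T12:00:00 EXIT alice
2024-05-01T13:00:00 BADGE alice GRANT
2024-05-01T13:00:02 PASS
"""

# How long the strike stays released after a granted badge read (assumed value).
UNLOCK_WINDOW = timedelta(seconds=10)


@dataclass
class Event:
    ts: datetime
    kind: str              # BADGE, PASS or EXIT
    who: Optional[str]     # badge holder for BADGE/EXIT, None for PASS
    result: Optional[str]  # GRANT or DENY for BADGE, else None


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log format shown in SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        events.append(Event(
            ts=datetime.fromisoformat(parts[0]),
            kind=parts[1],
            who=parts[2] if len(parts) > 2 else None,
            result=parts[3] if len(parts) > 3 else None,
        ))
    return events


def find_anomalies(events: List[Event]) -> List[Tuple[datetime, str]]:
    """Return (timestamp, description) for each suspicious passage.

    Three rules, each of which needs the badge log and the passage sensor to be
    correlated after the fact (the review step without which recordings have no value):
      * tailgating: more than one passage on a single granted badge read
      * unbadged passage: a passage with no granted read inside the unlock window
      * anti-passback: a badge granted entry while that holder is already inside
    """
    alerts: List[Tuple[datetime, str]] = []
    inside = set()
    last_grant: Optional[Event] = None
    passes_since_grant = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "BADGE" and ev.result == "GRANT":
            if ev.who in inside:
                alerts.append((ev.ts, f"anti-passback: {ev.who} granted entry while already inside"))
            inside.add(ev.who)
            last_grant = ev
            passes_since_grant = 0
        elif ev.kind == "PASS":
            if last_grant is not None and ev.ts - last_grant.ts <= UNLOCK_WINDOW:
                passes_since_grant += 1
                if passes_since_grant > 1:
                    alerts.append((ev.ts, f"tailgating: extra passage on {last_grant.who}'s badge read"))
            else:
                alerts.append((ev.ts, "unbadged passage: no granted read within the unlock window"))
        elif ev.kind == "EXIT" and ev.who is not None:
            inside.discard(ev.who)
    return alerts


def review(text: str = SAMPLE_LOG) -> List[str]:
    """Convenience wrapper: human-readable alert lines for a log."""
    return [f"{ts.isoformat()} {msg}" for ts, msg in find_anomalies(parse_log(text))]


if __name__ == "__main__":
    for line in review():
        print(line)
```

On the sample log the review yields three alerts: the second passage at 08:00:05 on alice's read, bob's denied read followed by a passage at 08:30:04, and alice's 09:00 read while she is still inside.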
Physical security controls
Locks and keys
Two types of locks: mechanical and electromechanical.
Locks can also be divided into four categories: manual,
programmable, electronic, biometric
Locks fail and alternative procedures for controlling access
must be put in place
Locks fail in one of two ways:
1 Fail-safe lock: the door lock fails and the door remains unlocked
2 Fail-secure lock: the door lock fails and the door remains
locked
Physical security controls
Figure 9-1 Locks
Physical security controls
Mantraps
Small enclosure that has entry point and different exit point
Individual enters mantrap, requests access, and if verified, is
allowed to exit mantrap into facility
Individual denied entry is not allowed to exit until security
official overrides automatic locks of the enclosure
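The mantrap flow above (enter, request access, admit or hold until a security official overrides) and the fail-safe versus fail-secure lock behaviour from the locks slide can be seen together in one small controller model. This is an added example, not the textbook's own code: the two-door interlock, the choice of a fail-safe outer door and a fail-secure inner door, and the method names are assumptions made for the illustration.

```python
from enum import Enum
from typing import Dict, List, Optional, Set


class FailMode(Enum):
    FAIL_SAFE = "fail-safe"      # lock releases on failure: door ends up unlocked
    FAIL_SECURE = "fail-secure"  # lock holds on failure: door stays locked


class Door:
    """An electrically controlled door lock with a defined failure behaviour."""

    def __init__(self, name: str, fail_mode: FailMode) -> None:
        self.name = name
        self.fail_mode = fail_mode
        self.powered = True
        self.locked = True

    def set_locked(self, locked: bool) -> None:
        if not self.powered:
            # With no power the controller cannot command the lock; the
            # physical state is whatever the fail mode left it in.
            raise RuntimeError(f"{self.name}: lock unpowered, cannot be commanded")
        self.locked = locked

    def power_loss(self) -> None:
        self.powered = False
        self.locked = self.fail_mode is FailMode.FAIL_SECURE


class Mantrap:
    """Two interlocked doors; the controller never unlocks both at once."""

    def __init__(self, authorized: Set[str]) -> None:
        self.authorized = set(authorized)
        # Assumed configuration: the street-side door is fail-safe so an
        # occupant can always get out on failure; the facility-side door is
        # fail-secure so a failure never opens the facility.
        self.outer = Door("outer", FailMode.FAIL_SAFE)
        self.inner = Door("inner", FailMode.FAIL_SECURE)
        self.occupant: Optional[str] = None
        self.held = False
        self.log: List[tuple] = []

    def _pass_through(self, door: Door) -> None:
        other = self.inner if door is self.outer else self.outer
        if not other.locked:
            raise RuntimeError("interlock violation: other door is unlocked")
        door.set_locked(False)   # release, person passes
        door.set_locked(True)    # relock behind them

    def enter(self, person: str) -> None:
        """Person steps from outside into the enclosure; outer door relocks."""
        if self.occupant is not None:
            raise RuntimeError("enclosure already occupied")
        self._pass_through(self.outer)
        self.occupant = person
        self.log.append(("enter", person))

    def request_access(self) -> bool:
        """Occupant presents credentials; admitted through the inner door or held."""
        if self.occupant is None:
            raise RuntimeError("nobody in the enclosure")
        if self.occupant in self.authorized:
            self._pass_through(self.inner)
            self.log.append(("admit", self.occupant))
            self.occupant = None
            return True
        self.held = True                  # both doors stay locked
        self.log.append(("hold", self.occupant))
        return False

    def security_override(self, officer: str) -> Optional[str]:
        """A security official releases a held occupant back out the outer door."""
        if not self.held:
            return None
        released = self.occupant
        self._pass_through(self.outer)
        self.occupant, self.held = None, False
        self.log.append(("release", released, officer))
        return released

    def power_loss(self) -> Dict[str, bool]:
        """Simulate loss of lock power; returns each door's resulting locked state."""
        for door in (self.outer, self.inner):
            door.power_loss()
        return {d.name: d.locked for d in (self.outer, self.inner)}
```

After a power loss the outer door reports unlocked (fail-safe) and the inner door locked (fail-secure), and any further command to either lock raises because the controller can no longer drive it.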
Physical security controls
Figure 9-2 Mantraps
Physical security controls
Electronic monitoring
Records events where other types of physical controls are
impractical or incomplete
May use cameras with video recorders; includes closed-circuit
television (CCTV) systems
Drawbacks:
Reactive; does not prevent access or prohibited activity
Recordings often are not monitored in real time; must be
reviewed to have any value
Physical security controls
Alarms and alarm systems
Alarm systems notify when an event occurs
Detect fire, intrusion, environmental disturbance, or an
interruption in services.
Rely on sensors that detect event; e.g., motion detectors,
smoke detectors, thermal detectors, glass breakage detectors,
weight sensors, contact sensors, vibration sensors.
Physical security controls
Computer Rooms and Wiring Closets
Require special attention to ensure confidentiality, integrity,
and availability of information
Logical controls easily defeated if attacker gains physical
access to computing equipment
Custodial staff often the least scrutinized persons who have
access to offices; are given greatest degree of unsupervised
access
Physical security controls
Interior Walls and Doors
Information asset security sometimes compromised by
construction of facility walls and doors
Facility walls typically either standard interior or firewall
High-security areas must have firewall-grade walls to provide
physical security from potential intruders and improve
resistance to fires
Doors allowing access to high security rooms should be
evaluated
Recommended that push or crash bars be installed on
computer rooms and closets
Quick Quiz
1 ______ management and professionals perform risk
assessments and implementation reviews for the physical
security controls implemented by other groups.
Answer: Information security
2 A ______ facility is a physical location that has been
engineered with controls designed to minimize the risk of
attacks from physical threats.
Answer: secure
3 ______ have the ability to apply human reasoning.
Answer: Guards
4 ______ are useful because their keen sense of smell and
hearing can detect intrusions that human guards cannot.
Answer: Dogs
Quick Quiz
5 ______ are not foolproof, and they can be easily duplicated,
stolen, and modified.
Answer: ID cards and badges
6 ______ controls are divided into four categories: manual,
programmable, electronic, and biometric.
Answer: Lock and key
7 Finger, palm, and hand readers; iris and retina scanners; and
voice and signature readers are examples of ______ locks.
Answer: biometric
8 When the lock of a door fails and the door remains locked,
this is an example of a(n) ______ lock.
Answer: fail-secure
Fire Security and Safety
Most serious threat to safety of people who work in an
organization is possibility of fire
Fires account for more property damage, personal injury, and
death than any other threat
It is imperative that physical security plans examine and
implement strong measures to detect and respond to fires
Fire Detection and Response
Fire suppression systems are devices installed and maintained
to detect and respond to a fire, or potential fire
These devices typically work to deny an environment of heat,
fuel, or oxygen
Water and water mist systems, to reduce the temperature of
the flame
Carbon dioxide systems, rob fire of its oxygen
Soda acid systems, deny fire its fuel, preventing the fire from
spreading
Gas-based systems, disrupt the fire’s chemical reaction but
leave enough oxygen for people to survive for a short time
Fire Detection and Response
Fire Detection
Fire detection systems fall into two general categories:
1 manual fire detection systems
2 automatic fire detection systems
Part of a complete fire safety program includes individuals
who monitor the chaos of a fire evacuation to prevent an attacker
from accessing offices
There are three basic types of fire detection systems:
1 Thermal detection systems
2 Smoke detection systems
3 Flame detection systems
Fire Detection and Response
Fire Suppression
Fire suppression systems can consist of portable, manual, or
automatic apparatus
Portable extinguishers are rated by the type of fire:
Class A – involves wood, paper, rubber, cloth, trash
Class B – involves liquids or gases, e.g., paint, lacquer, and oil
Class C – involves electrical equipment or appliances
Class D – involves metals, e.g., magnesium, lithium, sodium
Installed systems apply suppressive agents; usually either
sprinkler or gaseous systems
Fire Detection and Response
Figure 9-3 Water sprinkler system
Fire Detection and Response
Gaseous Emission Systems
Chemical gas systems can also be used to suppress fires. Until
recently, there were only two major types of gaseous systems:
carbon dioxide and Halon
Carbon dioxide robs a fire of its oxygen supply
Halon is clean but has been classified as an ozone-depleting
substance; new installations are prohibited
Fire Detection and Response
Figure 9-4 Gaseous fire suppression system
Quick Quiz
1 Fires that involve ordinary combustible fuels, such as wood,
paper, textiles, rubber, cloth, and trash, belong to which
class?
Answer: Class A
2 Fires fueled by combustible liquids or gases, such as solvents,
gasoline, paint, lacquer, and oil, belong to which class?
Answer: Class B
3 Fires with energized electrical equipment or appliances belong
to which class?
Answer: Class C
4 Fires fueled by combustible metals, such as magnesium,
lithium, and sodium, belong to which class?
Answer:
Chapter 9 – Physical Security Principles of Information Security 29
Introduction Physical Control Fire Security Failure of Support Interception Portable Threats
Quick Quiz
1 Fires that involve ordinary combustible fuels, such as wood,
paper, textiles, rubber, cloth, and trash, belong to which
class?
Answer: Class A
2 Fires fueled by combustible liquids or gases, such as solvents,
gasoline, paint, lacquer, and oil, belong to which class?
Answer: Class B
3 Fires with energized electrical equipment or appliances belong
to which class?
Answer: Class C
4 Fires fueled by combustible metals, such as magnesium,
lithium, and sodium, belong to which class?
Answer: Class D
Failure of Supporting Utilities and Structural Collapse
Supporting utilities (heating, ventilation, and air conditioning;
power; water; and others) have significant impact on
continued safe operation of a facility
Each utility must be properly managed to prevent potential
damage to information and information systems
Areas within heating, ventilation, and air conditioning (HVAC)
systems that can cause damage to information systems
include temperature, filtration, humidity, and static electricity
Heating, Ventilation, and Air Conditioning
Temperature and Filtration – Computer systems are subject
to damage from extreme temperature and particulate
contamination
Humidity and Static Electricity – High humidity levels create
condensation problem, and low humidity levels can increase
the amount of static electricity in the environment
Ventilation Shafts – While ductwork is small in residential
buildings, in large commercial buildings it can be large enough
for an individual to climb through
Failure of Supporting Utilities and Structural Collapse
Power Management and Conditioning
Electrical quantity (voltage level, amperage rating) is a
concern, as is quality of power (cleanliness, proper
installation).
Noise that interferes with the normal 60 Hertz cycle can result
in inaccurate time clocks or unreliable internal clocks inside
the CPU
Grounding and Amperage – Grounding ensures that the
returning flow of current is properly discharged to the ground.
If the grounding elements of the electrical system are not
properly installed, anyone touching a computer or other
electrical device could act as a ground source, which would
cause damage to equipment and injury or death to the person.
Failure of Supporting Utilities and Structural Collapse
Power Management and Conditioning (cont.)
Uninterruptible Power Supply (UPS) – In case of power
outage, UPS is backup power source for major computer
systems
Four basic UPS configurations:
1 Standby or offline UPS
2 Ferroresonant standby UPS
3 Line-interactive UPS
4 True online UPS (double conversion online)
Failure of Supporting Utilities and Structural Collapse
Figure 9-5 Types of uninterruptible power supplies
Source: Courtesy of American Power Conversion Corporation
Failure of Supporting Utilities and Structural Collapse
Emergency Shutoff
An important aspect of power management in any
environment is the need to be able to stop power immediately
should the current represent a risk to human or machine
safety
Most computer rooms and wiring closets are equipped with an
emergency power shutoff
These devices are the last line of defense against personal
injury and machine damage in the event of flooding or
sprinkler activation
Failure of Supporting Utilities and Structural Collapse
Water Problems
Lack of water poses problems to systems, including the
functionality of fire suppression systems, and the ability of
water chillers to provide air-conditioning
Surplus of water, or water pressure, poses a real threat
(flooding, leaks)
It is important to integrate water detection systems into the
alarm systems that regulate overall facilities operations
Failure of Supporting Utilities and Structural Collapse
Structural Collapse
Unavoidable forces can cause failures of structures that house
the organization
Structures are designed and constructed with specific load
limits, and overloading these design limits results in structural
failure and potential injury or loss of life
Periodic inspections by qualified civil engineers assist in
identifying potentially dangerous structural conditions
Maintenance of Facility Systems
Physical security must be constantly documented, evaluated,
and tested
Documentation of facility’s configuration, operation, and
function should be integrated into disaster recovery plans and
operating procedures
Testing helps improve the facility’s physical security and
identify weak points
Quick Quiz
1 When the power stops flowing to the equipment, what type of
UPS activates a transfer switch, which provides power from
the batteries through a DC-to-AC converter until the power is
restored or the computer is shut down?
Answer: Standby or offline UPS
2 With a(n) type of UPS, the primary power source is
the battery, and the power feed from the utility constantly
recharges this battery.
Answer:
Chapter 9 – Physical Security Principles of Information Security 39
Introduction Physical Control Fire Security Failure of Support Interception Portable Threats
Quick Quiz
1 When the power stops flowing to the equipment, what type of
UPS activates a transfer switch, which provides power from
the batteries through a DC-to-AC converter until the power is
restored or the computer is shut down?
Answer: Standby or offline UPS
2 With a(n) ____ type of UPS, the primary power source is
the battery, and the power feed from the utility constantly
recharges this battery.
Answer: True online UPS
Interception of Data
There are three methods of data interception:
1 Direct observation
2 Interception of data transmission
3 Electromagnetic interception
U.S. government developed TEMPEST program to reduce
risk of electromagnetic radiation (EMR) monitoring
Mobile and Portable Systems
Many mobile computing systems (e.g. laptops and handhelds)
have corporate information stored within them; some are
configured to facilitate user’s access into organization’s secure
computing facilities (i.e. they require more security than the
average in-house system).
Controls support security and retrieval of lost or stolen
laptops.
CompuTrace software, stored on the laptop, reports its location to a
central monitoring center
Burglar alarms consist of a PC card that contains a motion
detector. If the device is armed and the laptop is moved more
than expected, the alarm triggers a very loud buzzer or horn
Mobile and Portable System
Figure 9-6 Laptop theft deterrence
Remote Computing Security
Remote site computing: away from organizational facility
Telecommuting: computing using telecommunications
including Internet, dial-up, or leased point-to-point links
Employees may need to access networks on business trips;
telecommuters need access from home systems or satellite
offices
To provide secure extension of organization’s internal
networks, all external connections and systems must be
secured
Special Considerations for Physical Security Threats
Develop physical security in-house or outsource?
Many qualified and professional agencies offer this service
The benefit of outsourcing includes gaining the experience and
knowledge of these agencies
Downside includes high expense, loss of control over individual
components, and level of trust that must be placed in another
company
Social engineering: use of people skills to obtain information
from employees that should not be released.
Special Considerations for Physical Security Threats
Inventory Management
Computing equipment should be inventoried and inspected on
a regular basis
Classified information should also be inventoried and
managed.
Physical security of computing equipment, data storage
media, and classified documents varies for each organization
Quick Quiz
1 ____ is off-site computing that uses Internet connections,
dial-up connections, connections over leased point-to-point
links between offices, and other connection mechanisms.
Answer: Telecommuting
2 True or False: Like other organizational resources, computing
equipment should be inventoried and inspected on a regular
basis.
Answer: True
Additional Resources
1 How to Dumpster Dive
http://www.wikihow.com/Dumpster-Dive
2 I came, Eyesore, I Conquered
http://www.slate.com/id/2124886/
3 Types of UPS
http://www.smps.us/uninterruptible-power-supply.html