Without control over the physical environment, you can’t have adequate security with as much administrative or technical/logical control you through at it. If a malicious person can gain physical access to your facility or equipment, they can do whatever they want. destroy, disclose, alter.
Examples of administrative physical security controls are facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.
Technical physical controls can be access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.
Physical controls for physical security are fencing, lighting, locks, construction materials, mantraps, dogs, and guards.
The order of controls are: deterrence, then denial, then detection, then delay.
The key elements in making a site selection are visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters. A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.
There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility. Also, centralized server or computer rooms need be human compatible.
If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors, and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access into a protected area can result in malicious activity against the most protected assets.
The security controls to manage physical security are: Administrative, Technical and Physical.
Common threats to physical access controls: Abuse, Masquerading and Piggybacking. TO counter, deploy a guard or other monitoring system.
Abuses of physical access controls are propping open secured doors and bypassing locks or access controls. Masquerading is using someone else’s security ID to gain entry into a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.
Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards or they can be generated automatically if sufficiently automated access control mechanisms are in place. Consider monitoring entry points with CCTV and compare the audit trails and access logs with visually recorded history of the events. Useful for reconstructing the events of an intrusion, breach or attack.
Power supplied by electric companies is not always consistent and clean. Most electronic equipment demands clean power in order to function properly. Equipment damage because of power fluctuations is a common occurrence. Many organizations opt to manage their own power through several means. A UPS is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw of the equipment.
As they relate to power…
Define Fault: In an electric power system, a fault is any abnormal electric current. For example, a short circuit is a fault in which current bypasses the normal load. An open-circuit fault occurs if a circuit is interrupted by some failure. In three-phase systems, a fault may involve one or more phases and ground, or may occur only between phases. In a “ground fault” or “earth fault”, charge flows into the earth. The prospective short circuit current of a fault can be calculated for power systems. In power systems, protective devices detect fault conditions and operate circuit breakers and other devices to limit the loss of service due to a failure.
Define Blackout: A power outage (also known as a power cut, power failure, power loss, or blackout) is a short- or long-term loss of the electric power to an area.
Define Sag: A power is a momentary drop in power. It involves voltages 80 to 85 percent below normal for short periods.
Define Brownout: A brownout is an intentional or unintentional drop in voltage in an electrical power supply system. Intentional brownouts are used for load reduction in an emergency. The reduction lasts for minutes or hours, as opposed to short-term voltage sag or dip.
Define Spike: In electrical engineering, spikes are fast, short duration electrical transients in voltage (voltage spikes), current (current spike), or transferred energy (energy spikes) in an electrical circuit.
Define inrush: Inrush current or input surge current refers to the maximum, instantaneous input current drawn by an electrical device when first turned on.
Define Noise: A steady, interfering power disturbance or fluctuation.
Define Transient: A short duration of line noise disturbance
Define Clean: Non fluctuation pure power
Define Ground: The wire in a circuit that is grounded.
In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 60 to 75 degrees Fahrenheit or 15 to 23 degrees Celsius.
Humidity in a computer room should be maintained between 40 and 60 percent. Too much humidity causes corrosion and too little causes static electricity.
It is possible to generate 20,000 volt static discharge on nonstatic carpeting if the humidity is too low.
Water leakage and flooding should be addressed in your environmental safety policy and procedures. Plumbing leaks are not an everyday occurrence but when they occur they often cause significant damage. Water and electricity don’t mix. Whenever possibly, locate server rooms and critical computer equipment away from any water source or transport pipes.
Fire detection and suppression must not be overlooked. Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression is designed to keep damage caused by a fire, smoke, heat, and suppression materials to a minimum, especially in regard to the IT infrastructure.
The destructive elements of a fire include smoke and heat but also the suppression medium, such as water or soda acid. Smoke is damaging to most storage devices. Heat can damage any electronic or computer component. Suppression mediums can cause short circuits, initiate corrosion, or otherwise render equipment useless. All of these issues must be addressed when designing a fire response system.
In all circumstances and under all conditions, the most important aspect of security is protecting people. Thus, preventing harm to people is the most important goal for all security solutions.
