
Physical Security: Key Elements and Considerations for Protecting Your Assets

31/07/2023 by admin | Read: 5 minutes

In the current era of digital transformation, physical security plays a pivotal role while running a business. It is an essential component of protecting organisations from attacks since it serves as the first line of defence and protects the various business processes.

In this article, we will discuss physical security, and analyse how it relates to information security, its key elements and guidelines for protecting assets.

Physical Security

The protection of physical assets, such as buildings, machinery, and resources, which are essential to a company’s operations is referred to as physical security. It includes a range of defences against unauthorised entry, theft, vandalism, and other physical dangers, including access control systems, surveillance cameras, locks, alarms, and security guards. It helps in business continuity and disaster management for organisations.

Relation between Physical Security and Information Security

Physical security is closely related to information security even though it focuses on protecting tangible assets. Together, the two domains offer complete security for enterprises. Physical security measures, such as controlling physical access to server rooms or ensuring that important papers are disposed of securely, directly help to protect valuable data and information. Strong information security measures do the same in reverse: they lower the likelihood of unauthorised access or data breaches and so strengthen overall physical security.

Policies for Physical Security

  • Physical Policies for Entity Resources

Purpose

This policy outlines the physical safeguards necessary to secure individuals, data, and assets (including ICT hardware) in order to reduce or eliminate security risks.

Overview

To reduce harm to people, information, and physical assets, entities must put physical security measures in place. The measures chosen must reflect the predicted business impact of compromise of these resources, considering elements such as value, classification, significance, or attractiveness. Entities must choose the proper containers, cabinets, and secure rooms, and must employ authorised security tools.

Additionally, they must control the surroundings and apply audio security measures to prevent eavesdropping on private conversations. The proper physical security measures for ICT assets and information are determined by the highest business impact level of the information they hold, or of its aggregate.

Personnel must take into account the security hazards in remote work settings and dispose of physical assets safely when they are no longer needed.

  • Entity Facilities

Purpose

To ensure the protection of people, information, and assets, this policy outlines how to plan, choose, design, and adapt facilities.

Overview

To secure people, information, and assets, entities must integrate protective security into their facilities. The highest level of resource danger determines the security zones. Specifications for building structure, perimeter hardware, security alarm systems, and access control are included in ASIO’s (Australian Security Intelligence Organisation) Technical Notes. According to the PSPF (Protective Security Policy Framework) and ASIO’s Technical Notes, Security Zones must be certified and accredited. Facilities in Zone Five must have accreditation from the Australian Signals Directorate.

ASIO-T4 physical security certification is required for outsourced ICT facilities. Technical surveillance countermeasures (TSCM), including TSCM inspections, guard against technical compromise of classified discussions, such as real-time audio interception.

Guidelines for Physical Security

The guidelines for physical security are given below:

1. Facilities and Systems

  • Physical Access to Systems

Applying increasing levels of physical security supports a defence-in-depth approach to protecting systems. The first layer of physical security is the use of a security zone for the buildings that house systems.

Additionally, deployable systems need to adhere to physical security standards. Notably, deployable platform physical security certification bodies may have unique criteria that supersede the procedures in these standards. This might include personnel levels, building standards, and perimeter restrictions. A business using deployable platforms should contact its physical security certification authority for further information.

Systems are protected in settings that are compliant with the standards of a security zone appropriate for their sensitivity or classification.

  • Physical Access to Servers, Cryptographic Equipment, Network Devices

The adoption of an extra security zone for a server room or communications room constitutes the second tier of physical protection. Servers, network equipment, and cryptographic equipment are then further protected by using security containers or secure rooms.

Server rooms or communications rooms that satisfy the criteria for a security zone suited for their sensitivity or classification are used to safeguard servers, network devices, and cryptographic equipment.

In accordance with their sensitivity or classification and the combination of security zones they are located in, servers, network devices, and cryptographic equipment are protected in security containers or secure rooms.

Secure rooms, security containers, server rooms, and communications rooms are never left unattended.

Server rooms, communications rooms, security containers, and secure rooms all have keys or comparable access controls.

  • Physical Access to Network Devices in Public Areas

Unprotected network equipment in public places runs the risk of suffering accidental or intentional physical harm, which would cause services to be interrupted.

Alternatively, someone may connect directly to the network devices in order to bypass network access controls, or reset them to their factory default settings, which removes any configured controls.

Resetting network devices to their factory default settings will almost certainly result in a service outage, even if access to the devices is not gained.

Physical security measures can be used to limit physical access to network equipment, such as mounting devices on ceilings or behind walls, placing them in secure containers, or using enclosures that block access to their factory reset buttons and console ports.

Network devices in public spaces are safeguarded using physical security measures to prevent theft or unauthorised access.
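The two physical avenues described above (console port access and a factory reset) leave traces a defender can watch for. As an added example that is not part of the original article, the Python below runs simple detection logic over constructed syslog-style lines: it flags public-area devices that report console logins or a reset, and devices whose reported configuration hash drifts from the approved baseline. Hostnames, hashes and message texts are invented; a real deployment maps its vendor's message IDs onto the markers.

```python
import re
from dataclasses import dataclass

# Constructed inventory of network devices installed in public areas, keyed by
# hostname, with the hash of each device's approved running configuration.
# The hostnames and hashes are invented for this example.
PUBLIC_AREA_DEVICES = {
    "lobby-sw01": "9f2c1a",
    "foyer-ap03": "4be07d",
}

# Constructed syslog lines in the form "<timestamp> <host> <message>".
# The message texts are invented; real devices use vendor-specific wording.
SAMPLE_LOG = """\
2023-07-31T08:00:01 lobby-sw01 CONFIG-HASH 9f2c1a
2023-07-31T08:05:12 lobby-sw01 CONSOLE login from local console port
2023-07-31T08:06:40 lobby-sw01 SYSTEM restarting: reset button held, defaults restored
2023-07-31T08:08:02 lobby-sw01 CONFIG-HASH 000000
2023-07-31T08:10:00 foyer-ap03 CONFIG-HASH 4be07d
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# Markers for the two physical events the guideline warns about:
# someone reaching the console port, or someone using the reset button.
PHYSICAL_ACCESS_MARKERS = ("CONSOLE login", "reset button", "defaults restored")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    reason: str


def detect_physical_tampering(log_text: str, inventory: dict) -> list:
    """Return alerts for public-area devices that report console access,
    a factory reset, or a running configuration that no longer matches
    the approved baseline hash."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if host not in inventory:
            continue  # only devices flagged as public-area are in scope
        if msg.startswith("CONFIG-HASH "):
            seen = msg.split(" ", 1)[1]
            if seen != inventory[host]:
                alerts.append(Alert(ts, host, f"config drift: {seen} != baseline {inventory[host]}"))
        elif any(marker in msg for marker in PHYSICAL_ACCESS_MARKERS):
            alerts.append(Alert(ts, host, f"physical access event: {msg}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_physical_tampering(SAMPLE_LOG, PUBLIC_AREA_DEVICES):
        print(alert)
```

The drift check also catches a reset that produces no explicit log message, because the device's next configuration report no longer matches the baseline.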

2. Bringing Radio Frequency and Infrared Devices into Facilities

For an organisation, radio frequency (RF) equipment, such as mobile phones, wireless keyboards and Bluetooth devices, and infrared (IR) devices can be a security issue, particularly if they can record or transmit audio or data and so undermine computer and network security.

It is crucial for an organisation to comprehend the security concerns posed by the introduction of RF and IR devices in SECRET and TOP SECRET locations and to design, implement, and maintain a registry of those that have been approved for use in such settings.

An organisation should take into account any existing mitigating measures when choosing which RF or IR devices to authorise for use in SECRET and TOP SECRET areas, such as whether IR communications would be prevented from travelling outside secured spaces, whether systems with different levels of sensitivity are used in the same spaces, and whether any temporary or long-term method of blocking RF or IR transmissions has been applied to the facility.

For SECRET and TOP SECRET regions, a record of approved RF and IR devices is created, put into place, maintained, and regularly validated.

SECRET and TOP SECRET zones do not permit the use of unauthorised RF and IR equipment.

In SECRET and TOP SECRET regions, security procedures are used to detect and respond to unauthorised RF devices.

3. Protection from Unauthorised Individuals

Without adequate perimeter security, it is frequently possible for unauthorised individuals to see into a facility, whether by direct observation or the use of telescopic equipment. This security risk may be reduced by making sure that systems, in particular workstation displays and keyboards, are not visible through windows, such as by using blinds, curtains, privacy films, or workstation arrangements.

Systems, particularly workstation screens and keyboards, are protected against unauthorised viewing inside such facilities.

4. ICT Equipment and Media

Securing ICT Equipment and Media

When not in use, ICT equipment and media need to be safeguarded. This can be done using one of the following strategies:

  • Putting ICT equipment and media in a secure room or container, as required.
  • Using ICT equipment without hard drives, and sanitising memory upon shutdown.
  • Encrypting the hard drives of ICT equipment, and sanitising memory after use.
  • Sanitising the memory of ICT equipment when it is turned off, and removing and securing any hard drives.

If none of the above methods is practical, an enterprise may want to reduce the possible effects of not safeguarding ICT equipment when not in use. This can be done by limiting the storage of confidential or privileged information on hard drives, placing user profiles and documents on network shares, deleting temporary user data upon logoff, cleaning virtual memory at shutdown, and sanitising memory at shutdown.

However, it should be emphasised that there is no assurance that such precautions will always be successful or that they won’t be circumvented by unforeseen events, such as a power outage. Therefore, for the purposes of reuse, reclassification, declassification, sanitisation, destruction, and disposal, hard drives in such situations will keep their sensitivity or classification.

When not in use, ICT hardware and media are locked up.
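Two of the mitigations above, encrypted hard drives and cleaned virtual memory, can be checked from a block-device tree. As an added example that is not part of the original article, the Python below walks a constructed lsblk-style tree (the shape `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on Linux) and reports which mountpoints, including swap, do not sit on a dm-crypt mapping. The device names and layout are invented; unencrypted swap is reported because paged-out memory persists on disk after shutdown, which is exactly the residue the guideline says such hard drives then carry.

```python
import json

# Constructed lsblk-style tree, invented for this example: the root filesystem
# sits on a LUKS container ("crypt" node), but the swap partition does not.
SAMPLE_LSBLK = json.loads("""{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": "[SWAP]"}
    ]}
  ]}""")


def _walk(node: dict, under_crypt: bool, out: dict) -> None:
    """Record, for every mounted node, whether it or an ancestor is a dm-crypt mapping."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out[mountpoint] = under_crypt
    for child in node.get("children", []):
        _walk(child, under_crypt, out)


def encryption_posture(lsblk_tree: dict) -> dict:
    """Map each mountpoint (lsblk reports swap as "[SWAP]") to True if it
    lives on an encrypted device, False otherwise."""
    out = {}
    for device in lsblk_tree["blockdevices"]:
        _walk(device, False, out)
    return out


def unencrypted_sensitive_storage(lsblk_tree: dict) -> list:
    """Return the mountpoints that hold user data or paged memory yet are
    unencrypted. /boot must stay readable by the firmware and is ignored."""
    posture = encryption_posture(lsblk_tree)
    watched = [mp for mp in posture if mp == "[SWAP]" or not mp.startswith("/boot")]
    return sorted(mp for mp in watched if not posture[mp])


if __name__ == "__main__":
    print(unencrypted_sensitive_storage(SAMPLE_LSBLK))
```

On a real host, replace `SAMPLE_LSBLK` with `json.load` of the actual `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.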

So, this was our industry insider on Physical Security.

Explore the highest standards of information security with our ISO 27001 consultancy services. Contact our experts today for tailored solutions and comprehensive support in achieving ISO 27001 certification.
