V. Physical Security

Ideally, planning for physical security begins with an evaluation of potential locations for the computing system and of sensitive data flow, both internal and external. One may get a great buy on a building with large glass windows on Main Street in Beirut, but from a security standpoint is it a good deal? As with all security issues, identify the level of data security needed and the costs and benefits before arriving at the appropriate decision. In class discussions, consider the following.

A. Location

The location of the information processing function has an impact on security system design.

1. Access versus security

Access control is another important countermeasure for network security. It works by identifying a user's privileges to access information or use the services provided by elements of the network, and by administering the process to ensure that the user can access and use only what he or she has been granted permission to use.

Various security products have been developed to protect sensitive data stored on microcomputers. These products, sometimes called environment control packages, provide for encryption (encoding) and system/file access control as well as password protection and audit trail capability. In most cases the program must reside on a hard disk and a system manager must control passwords and system specifications. The program may actually control the entire system operation from logon to logoff.

A typical product of this type would include these functions:

  • Boot Protection – Intruders are not able to bypass the hard disk and boot the system from drive A.
  • Password Verification – Each user must enter a password before access to the system is permitted.
  • User Segregation – While all users may be able to use any program on the disk, each user’s personal files are inaccessible to others.
  • Definable User Lockout – Users may be restricted from using programs not essential to their jobs.
  • Data Encryption – Data encryption for individual files or for all files may be selected.
  • Audit Trail – The audit trail can be customized to include unauthorized access attempts and all system manager functions.
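An added example, not taken from any product or from the original notes: a minimal Python model of how such a package could combine definable user lockout, user segregation and the audit trail. All class, method and user names and the file path are hypothetical, and password verification is assumed to have already succeeded.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    programs: frozenset          # programs this user may run (definable lockout)
    is_manager: bool = False

@dataclass
class AccessMonitor:
    users: dict                  # user name -> User
    file_owner: dict             # file path -> owning user name
    audit: list = field(default_factory=list)

    def _log(self, user, action, target, outcome):
        self.audit.append((user, action, target, outcome))

    def run_program(self, user, program):
        # Definable user lockout: only programs assigned to the user may run.
        u = self.users.get(user)
        allowed = u is not None and program in u.programs
        if not allowed:
            self._log(user, "run", program, "DENIED")
        return allowed

    def open_file(self, user, path):
        # User segregation: personal files are readable by their owner only.
        allowed = user in self.users and self.file_owner.get(path) == user
        if not allowed:
            self._log(user, "open", path, "DENIED")
        return allowed

    def set_programs(self, manager, target, programs):
        # System manager function: always audited, whether it succeeds or not.
        m = self.users.get(manager)
        ok = m is not None and m.is_manager and target in self.users
        if ok:
            self.users[target].programs = frozenset(programs)
        self._log(manager, "set_programs", target, "OK" if ok else "DENIED")
        return ok

def build_monitor():
    # Constructed sample data for illustration only.
    users = {"alice": User("alice", frozenset({"editor", "payroll"})),
             "bob": User("bob", frozenset({"editor"})),
             "root": User("root", frozenset(), is_manager=True)}
    return AccessMonitor(users, {"C:/alice/budget.wk1": "alice"})
```

Permitted accesses leave no audit entry here; only unauthorized attempts and manager functions are recorded, matching the audit trail description in the list.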

2. Rooms, Doors, Windows, Keys

a. Location and Construction

Evaluate potential locations for the computer room. Consider the importance of having direct access from the outside and the need to protect windows. Decide if windows should have bars or electronic detection devices. Should there be a system to control keys and other access devices?

For example, a particular situation might require heavy doors with dead bolts. If the doors are not new, they should have new locks. Seal windows at ground level or protect them with metal bars. Additionally, consider alarms and detection devices.

b. Computer Room Access.

Depending on organizational need, restrict access to rooms containing microcomputers to specifically authorized personnel. Consider special precautions for stand-alone computers, e.g., those on an employee's desk. Resource-sharing systems and remote terminals should be available only to selected individuals. This access may be controlled by one or more of the following:

  • Locked doors;
  • Posted guards;
  • Other approved restraints.

c. Physical Control

Protect microcomputers with lockable equipment enclosures, lockable power switches, fasteners, and securing devices. Consider devices such as those that sound an alarm when equipment is moved or disconnected from a wall socket.

One example of an advanced device, such as one used by the Department of the Navy, employs a crystal oscillator with various broadcasting frequencies embedded in the microcomputer. Antennas located throughout the area can be used to track any movement of the microcomputer.

Standardized inventory and control forms may be used throughout any organization interested in controlling hardware, software, or data. These forms should contain information about the location of the microcomputer, who is responsible, and any changes made since the original installation. Centrally record the physical location and configuration of each microcomputer.

Some standard devices normally associated with a microcomputer, such as a mouse, internal cards and wires, do not lend themselves well to the above procedures. These devices might be subject to external controls, such as check-out, removal from the machine on a daily basis, etc.

It is particularly important to protect floppy disks from contaminants, unauthorized access, destruction and damage. Procedures should ensure that all diskettes (floppy disks) are labeled before use and stored in a secure place when not in use. One method of protecting diskettes against theft is to hide a signaling device (such as those used in libraries) in the jacket cover of the floppy.

  • One should locate the media library in an area secure from explosion or other dangers.
  • Recall that security includes backup file systems at a secondary location for both the programs and the associated documentation. Essential programs, software systems, and associated documentation of programs in the library are located in a locked vault or a secured area.

B. Environment

Control of the environment is a fundamental issue in information security.

1. Radio Frequency Interference (RFI)

All electronic equipment produces radiation and emanations of varying frequencies. Take care that the computer will operate in an environment that contains emanations from other electronic devices and that the computer will not interfere with other electronic devices.

If care is not taken, RFI may be received outside the computer facility and, by sophisticated means, be used to determine the nature of the data being processed by the computer.

2. Cooling

While a personal computer is somewhat insensitive to its environment, some attention to the environment will prolong the life and increase the safety of data stored in the machine. A rule of thumb to apply when considering the physical environment is, “If you are comfortable, the computer is comfortable.”

3. Cabling

Cables should be routed to minimize both RFI and access by unauthorized personnel. Cables and cableways should be protected from both fire and water damage.

4. Power Surges and Brownouts.

Computers are susceptible to sudden surges or drops in electrical line voltage. Depending on the importance of the data being processed, efforts should be made to shield the computer from these variations. Electronic devices ranging from inexpensive surge protectors to uninterruptible power supplies are available to provide the level of protection required.

NIATEC National Science Foundation Information Assurance Directorate Department of Homeland Security CISSE Scholarship For Service