1. Physical Security

2. Objective
To address the threats, vulnerabilities, and
countermeasures which can be utilized to physically protect
an enterprise’s resources and sensitive information to
include people, facilities, data, equipment, support
systems, media, and supplies.
To discuss considerations for choosing a secure site, its
design and configuration, and the methods for securing the
facility against unauthorized access, theft of equipment and
information, and the environmental and safety measures
needed to protect people, the facility, and its resources.

3. Physical Security
 Physical Security Threats
 Site Design and Configuration
 Physical Security Requirements
– For Centralized Computing Facilities
– For Distributed Processing Facilities
– For Extended Processing

4. The Layered Approach

5. Information Protection Environment
 Crime Prevention through Environmental Design
(CPTED)
• Concept that, as its basic premise, states that the
physical environment of a building can be changed
or managed to produce behavioral effects that will
reduce the incidence and fear of crime
• Territoriality
• Surveillance
• Access control

6. Information Protection Environment Cont…
 Site Location
• Specific physical security concerns
• Vulnerable to crime, riots, demonstrations, or terrorism
attacks
• Neighborhood crime rates and types
• Vulnerable to natural disasters
 Construction Impacts
 Facility Impacts
• Entry points
• Infrastructure support systems
• Electrical power
• Heating, ventilation, air conditioning (and refrigeration)
• Internal sensitive or compartmentalized areas
• Portable computing

7. Information Protection Environment Cont…
 Electrical Power
– Vulnerabilities include total power loss of short or long duration
or degradation in power quality, such as brownouts, spikes, or
sags
• Blackout - complete loss of commercial power
• Fault - momentary power outage
• Brownout - an intentional reduction of voltage by a utility company
• Sag/dip - a short period of low voltage
• Surge - a sudden rise in voltage in the power supply
• Transient - line noise or disturbance is superimposed on the supply
circuit and can cause fluctuations in electrical power
• In-rush current - the initial surge of current required by a load before
it reaches normal operation
• Electrostatic discharge - another type of electrical surge can occur
when two non-conducting materials rub together, causing electrons
to transfer from one material to another

8. The Layered Defense
 Perimeter and building grounds
– Landscaping, Fences, Gates, Bollards, Walls, and Doors
• 1 meter/3–4 feet - Deters casual trespassers
• 2 meters/6–7 feet - Too high to climb easily
• 2.4 meters/8 feet with top guard - Deters
determined intruder
 Building entry points
 Inside the building - building floors, office suites,
and offices

9. Fire Protection
 Fire Prevention
– Fireproof Construction materials
– False ceiling should not be flammable
– Magnetic tapes, if ignited, produce poisonous gases
– fire-prevention training
 Fire Detection
– Ionization-type smoke detectors
– Photoelectric detectors
– Heat detectors
“The first rule is to get the people out”

10. Fire Protection Cont…
 Fire Suppression

11. Fire Protection Cont…
 Portable Extinguishers
 At Exits
 Mark Locations and Type
 Types A, B & C
 Need to Inspect
 Water Sprinkler Systems
 Works to Lower Temperature
 Most Damaging to Equipment
 Conventional Systems
 “Dry Pipe” Systems: Less Risk of Leakage
 Employ in Throughout Building and in all Spaces

12. Fire Protection Cont…
 Carbon Dioxide (CO2)
 Colorless/Odorless
 Potentially Lethal
 Removes Oxygen
 Best for Unattended Facilities
 Delayed-Activation in Manned Facilities
 Halon
 Best Protection for Equipment
 Concentrations <10% are Safe
 Becomes Toxic at 900o
 Depletes Ozone (CFCs)
 Montreal Protocol (1987)
 Halon 1301: Requires Pressurization
 Halon 1211: Self-Pressurization (Portable Extinguishers)

13. Physical Security Threats
 Threat Components
 Agents
 Motives
 Results
 External Threats
 Wind/Tornado
 Flooding
 Lightning
 Earthquake
 Cold and Ice
 Fire
 Chemical

14. Physical Security Threats Cont…
 Internal Physical Threats
 Fire
 Environmental Failure
 Liquid Leakage
 Electrical Interruption
 Human Threats
 Theft
 Vandalism
 Sabotage
 Espionage
 Errors

15. Site Design Considerations
 Location and Access
 Local Crime
 Visibility
 Emergency Access
 Natural Hazards
 Air and Surface Traffic
 Joint Tenants
 Stable Power Supply
 Existing Boundary Protection (Barriers/Fencing/Gates)

16. Boundary Protection
 Area Designation: Facilitates Enforcement
 Vehicular Access
 Personnel Access
 Occupants
 Visitors (Escort & Logging)
 Fences
 Deter Casual Trespassing
 Compliments Other Access Controls
 Aesthetics
 Won’t Stop Determined Intruder

17. Boundary Protection Cont…
 Lighting
 Entrances
 Parking Areas
 Critical Areas
 Perimeter Detection Systems
 Does Not Prevent Penetration
 Alerts Response Force
 Requires Response
 Nuisance Alarms
 Costly

18. Boundary Protection Cont…
 CCTV
 Efficiency
 Requires Human Response
 Limitations
 Staffing
 Access Control Points
 Patrols
 Employees

19. Computing Facility Requirements
 Walls
 True Floor to Ceiling
 Fire Rating (at least 1 hour)
 Penetrations
 Adjacent Areas
 Doors
 Interior/Exterior
 Hinges
 Fire Rating
 Alarms
 Monitoring

20. Computing Facility Requirements Cont…
 Windows/Openings
 Interior/Exterior
 Fixed
 Shatterproof
 Computer and Equipment Room Lay Out
 Equipment Access
 Storage
 Occupied Areas
 Water Sources
 Cable Routing

21. Computing Facility Requirements Cont…
 Dedicated Circuits
 Controlled Access to
 Power Distribution Panels
 Master Circuit Breakers
 Transformers
 Feeder Cables
 Emergency Power Off Controls
 Voltage Monitoring/Recording
 Surge Protection

22. Computing Facility Requirements Cont…
 Backup Power
Alternate Feeders
Uninterruptible Power Supply
Hydrogen Gas Hazard
Maintenance/Testing
Emergency Power Generator
Fuel Consideration
Maintenance/Testing
Costs
 HVAC
 Telecom

23. Computing Facility Requirements Cont…
 Humidity Controls
 Risk of Static Electricity
 Risk to Electric Connections
 Air Quality (Dust)
 Water Protection
 Falling Water
 Rising Water
 Drains
 Protective Coverings
 Moisture Detection Systems

24. Securing Storage Areas
 Forms Storage Rooms
 Increased Threat of Fire
 Combustibles
 Access Controls
 Media Storage Rooms
 Media Sensitivity
 Segregation
 Access Controls
 Environmental Controls

25. Media Protection
 Storage
 Media Libraries/Special Rooms
 Cabinets
 Vaults
 Location
 Operational
 Off-Site
 Transportation

26. Cable Protection
 Optical Fiber
 Copper Wire
 Certifying the Wiring and Cabling
 Controlling Access to Closets and Riser Rooms

27. Other Considerations
 Dealing with Existing Facilities
 Planning
 Upgrade/Renovation
 Incremental New Construction
 Protecting the Protection
 Implement Physical and Environmental Controls
for Security Systems
 Protect against both Intentional and Inadvertent
Threats

28. Personnel Access Controls
 Position Sensitivity Designation
 Management Review of Access Lists
 Background Screening/Re-Screening
 Termination/Transfer Controls
 Disgruntled Employees

29. Access Controls – Locks
 Preset Locks and Keys
 Programmable Locks
 Mechanical (Cipher Locks)
 Electronic (Keypad Systems): Digital Keyboard
 Number of Combinations
 Number of Digits in Code
 Frequency of Code Change
 Error Lock-Out
 Error Alarms

30. Access Controls - Tokens
 Security Card Systems
 Dumb Cards
Photo Identification Badges
Manual Visual Verification
Can be Combined with Smart Technology
 Digital Coded (Smart) Cards
Often Require Use of PIN Number with Card
Readers: Card Insertion, Card Swipe & Proximity

31. Types of Access Cards
 Photo ID Cards
 Optical Coded Cards (Magnetic Dot)
 Electric Circuit Cards (Embedded Wire)
 Magnetic Cards (Magnetic Particles)
 Metallic Stripe Card (Copper Strips)

32. Access Controls - Biometrics
 Fingerprint/Thumbprint Scan
 Blood Vein Pattern Scan
 Retina
 Wrist
 Hand
 Hand Geometry
 Facial Recognition
 Voice Verification
 Keystroke Recorders
 Problems
 Cost
 Speed
 Accuracy

33. Physical Security in Distributed
Processing
 Threats
To Confidentiality
Sharing Computers
Sharing Diskettes
To Availability
 User Errors
To Data Integrity
Malicious Code
Version Control

34. Physical Security Controls Distributed
Processing
 Office Area Controls
 Entry Controls
 Office Lay-Out
 Personnel Controls
 Hard-Copy Document Controls
 Electronic Media Controls
 Clean-Desk Policy

35. Physical Security Controls - Office Area
 Printer/Output Controls
 Property Controls
 Space Protection Devices
 Equipment Lock-Down

36. Physical Security Controls - Distributed
Processing Cont…
Cable Locks
Disk Locks
Port Controls
Power Switch Locks
Keyboard Locks
Cover Locks

37. Physical Security Controls - Distributed
Processing Cont…
 Isolated Power Source
 Noise
 Voltage Fluctuations
 Power Outages
 Heat/Humidity Considerations
 Fire/Water
 Magnetic Media Controls

38. Physical Security Controls Extended
Processing
 User Responsibilities Paramount
 Protection against Disclosure
 Shoulder Surfing
 Access to Sensitive Media and Written Material
 Integrity Protection
 Protection against Loss or Theft
 Locks
 Practices
 Management Responsibilities
 Approval
 Monitoring

39. Physical Security - Other Terms
 Tailgate  Passive Ultrasonic
 Piggy-Back  Fail Safe/Fail Soft
 Stay Behind  IDS
  Shoulder Surfing
Degauss
 Electronic Emanation
 Remanence
 Tsunami
 Mantrap
 RFI
 Pass-Back  Defense in Depth
 Dumpster Diving  EMI
 False Positive/Negative  Top Guard
 Montreal Protocol
 Duress Alarm
 Tamper Alarm

40. ?