The Way Business Is Moving published by
Issue Date: July 2002

Physical and environmental protection

1 July 2002
Synthil Chetty: senior consultant, Information Security Services

Ask any person who has had his or her laptop stolen, and they will tell you that physical security of data is as vital as virtual security of data.
It is two o'clock, Wednesday afternoon, emotions are running high, productivity is zero, the only South Africans working are the Bafana Bafana soccer stars, sweating it out with Spain on an emerald playing field.
The whistle sounds, South Africa is out of the 2002 World Cup. Sorrow and disappointment hangs like a bulky thundercloud in the air. All of a sudden the cloud splits open and hard, awkward drops crash from the cloud. The cause? Two senior executives' laptops are stolen.
The rapid increase of theft, vandalism, destruction, and the impacts thereof on technology resources, makes physical access and environmental protection a priority for all CIOs.
For business to continue functioning, there must be a strategy to protect information resources. In addition, the management process that identifies the impact on information assets and also focuses resources on critical assets, which must be protected and mitigated at appropriate costs, must be enforced.
The strategy
Firstly, management needs to establish what information resources they need to protect. At the very least an organisation must have an up to date inventory list of the critical information-resources within its protection. Organisations that understand the monetary value of the information, are in a position to make an informed decision on the level of protection that is needed to secure their information.
Plans to protect the information resources must be commensurate with the strategy of the organisation. A policy must be defined for all buildings. This includes site selection, construction, guarding, personnel safety, mechanical and electrical systems, fire, lightning and flooding protection based on a cost/risk ratio. Management who are serious about protecting their information resource must make a decision to work within current constraints or move information resources to more protected environments.
Another factor to build into your strategy should be regulatory considerations. That is, the statutory annual audit focus on controls implemented to protect information resources to give reasonable assurance that these information resources are 'secure'.
Auditors normally ask for diagrams of buildings and visits to sensitive information processing areas to locate where your information resources are hosted and how they are protected, the policy and procedures regarding physical security and environmental controls.
Yet, how do you ensure that only authorised people have access to these resources? Auditors would typically look at:
p Source documents and reports used for controlling access to sensitive areas.

* Logs indicating whether access has been granted or revoked.

* Logs indicating personnel who have gained access to sensitive areas.

* Inventory logs of access keys, cards and the like for sensitive areas.

* Access control mechanism monitoring logs.

* The listing of individuals who have access to restricted areas.
Nevertheless, how does management measure the effectiveness of the environmental control mechanisms and how do they assess the business impact of potential threats to physical information resources? Evidence of the following is requested:
* Materials documenting test results for the monitoring equipment.

* Reports and follow-up describing any computer outages or damage resulting from an environmental hazard.

* Results from emergency drills.

* Disaster recovery/business continuity plans (including plans for backup and off-line media storage).

* Facility maintenance procedure guides.

* Evaluations of environmental control options.

* Minutes of information systems steering committee (or equivalent) meetings.

* Materials that document that management has identified the essential areas to be protected.
Once you manage to equalise with the audit committee, you need to score the goals.
Maximise the opportunity, to ensure that the need to control the computing environment is fully understood, and is supported by senior management and evident in their commitment and allocated budgets.
Proactively monitor the effectiveness of controls and the compliance with established standards. The strategy must focus on physical and environmental protection goals - that is, a reduction in the number of facilities and physical security incidents, including theft, damage, disclosure, outage, health and safety problems and a reduction in the amount of downtime due to outage of utilities
These goals should be measured by key performance indicators (KPIs), which specify:
* Frequency of physical inspections.

* Reduced number of unauthorised accesses to restricted equipment rooms.

* Time lag between recording and closure of physical incidents.
Develop physical and environmental protection policies, and standards, that support and include the measurement criteria (KPIs) to fulfil the physical and environmental goals.
Physical and environmental protection controls may help prevent theft of your equipment. They may also prevent the loss of, or damage to records on your computer systems that can result from attempted theft or fire damage. However, you should always ensure that all critical information and equipment has a disaster recovery plan. There is no silver bullet when it comes to information security, therefore tactics and strategies must be constantly reviewed.

Others who read this also read these articles

Search Site


Previous Issues