Handbook of Information Security Management: Physical Security

WHERE TO FOCUS ATTENTION

Before implementing any form of physical security, it may be helpful to conduct a limited business impact analysis (BIA) to focus on existing threats to the computer systems and determine where resources can best be spent. It is very important to consider all potential threats, even unlikely ones. Ignore those with a zero likelihood, such as a tsunami in Phoenix or a sandstorm in Maui. A very simple BIA could be diagrammed as shown in Exhibit 1.

Exhibit 1. Business Impact Analysis Example
Note: Rank each impact based on 4 = high to 1 = low. Rank each resource based on 4 = weak resources available to 1 = strong resources available.

An unlimited number of threats can be of concern to your organization. Any number of high-likelihood threats can be identified. First consider those threats that might actually affect your organization (e.g., fire, flood, or fraud). Three elements are generally associated with each threat:

•  The agent: the destructive agent can be a human, a machine, or nature.
•  The motive: the only agent that can threaten both accidentally and intentionally is the human.
•  The results: for the information systems community, this would be a loss of access, or unauthorized access, modification, disclosure, or destruction of data or information.
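The following added example (not from the handbook) turns the BIA described above into a small threat register: each threat carries the agent, motive, likelihood and the two 1-to-4 rankings from the Note, zero-likelihood threats are dropped, and the rest are ordered for attention. The priority formula (likelihood × impact × resource weakness) and all sample values are this example's own assumptions; the text does not prescribe a formula.

```python
"""Minimal business impact analysis (BIA) scorer.

Ranking scheme from the text: impact 4 = high .. 1 = low, resources
4 = weak resources available .. 1 = strong.  Zero-likelihood threats are
ignored before ranking.  The priority formula used here is an assumption
of this example, not the handbook's."""
from dataclasses import dataclass

AGENTS = {"human", "machine", "nature"}


@dataclass(frozen=True)
class Threat:
    name: str
    agent: str          # human, machine or nature
    intentional: bool   # only a human agent can threaten intentionally
    likelihood: float   # 0.0 .. 1.0; 0 means "ignore" (tsunami in Phoenix)
    impact: int         # 4 = high .. 1 = low
    resources: int      # 4 = weak resources available .. 1 = strong

    def __post_init__(self):
        if self.agent not in AGENTS:
            raise ValueError(f"unknown agent {self.agent!r}")
        if self.intentional and self.agent != "human":
            raise ValueError("only a human agent can act intentionally")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be in [0, 1]")
        for field_name in ("impact", "resources"):
            if getattr(self, field_name) not in (1, 2, 3, 4):
                raise ValueError(f"{field_name} must be 1..4")


def priority(t: Threat) -> float:
    # Assumed formula: higher when likely, damaging and poorly resourced.
    return t.likelihood * t.impact * t.resources


def rank_threats(threats):
    """Return (name, score) pairs, most urgent first, zero-likelihood dropped."""
    live = [t for t in threats if t.likelihood > 0]
    return [(t.name, priority(t)) for t in sorted(live, key=priority, reverse=True)]


# Constructed sample register for a site in Phoenix (illustrative values only).
SAMPLE = [
    Threat("fire", "nature", False, 0.3, 4, 2),
    Threat("insider fraud", "human", True, 0.5, 3, 4),
    Threat("electrical interruption", "machine", False, 0.6, 2, 1),
    Threat("tsunami", "nature", False, 0.0, 4, 4),   # zero likelihood: ignored
]

if __name__ == "__main__":
    for name, score in rank_threats(SAMPLE):
        print(f"{score:5.2f}  {name}")
```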
The focus of physical security has often been on human-made disasters, such as sabotage, hacking, and human error. Don’t forget that the same kinds of threats can also occur from natural disasters.

NATURAL DISASTERS AND CONTROLS

Fire — A conflagration affects information systems through heat, smoke, or suppression agent (e.g., fire extinguishers and water) damage. This threat category can be minor, major, or catastrophic. Controls: install smoke detectors near equipment; keep fire extinguishers near equipment and train employees in their proper use; conduct regular fire evacuation exercises.

Environmental failure — This type of disaster includes any interruption in the supply of controlled environmental support provided to the operations center. Environmental controls include clean air, air conditioning, humidity, and water. Controls: since humans and computers don’t coexist well, try to keep them separate. Many companies are establishing command centers for employees and a “lights-out” environment for the machines. Keep all rooms containing computers at reasonable temperatures (60 to 75°F or 10 to 25°C). Keep humidity levels at 20 to 70% and monitor environmental settings.

Earthquake — A violent ground motion results from stresses and movements of the earth’s surface. Controls: keep computer systems away from glass and elevated surfaces; in high-risk areas secure the computers with antivibration devices.

Liquid leakage — A liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers. Controls: keep liquid-proof covers near the equipment and install water detectors on the structural floor near the computer systems.

Lightning — An electrical charge in the air can cause either direct lightning strikes to the facility or surges due to strikes on electrical power transmission lines, transformers, and substations. Controls: install surge suppressors, store backups on grounded storage media, and install and test uninterruptible power supplies (UPS) and diesel generators.

Electrical interruption — A disruption in the electrical power supply, usually lasting longer than one-half hour, can have serious business impact. Controls: install and test UPS, install line filters to control voltage spikes, and install antistatic carpeting.

THE HUMAN FACTOR

Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are caused by a company’s own employees. Another 15 to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5 to 8% is done by external people, yet the press and management focus mostly on them. The typical computer criminal is a nontechnical authorized user of the system who has been around long enough to locate the control deficiencies.

When implementing control devices, make certain that the controls meet the organization’s needs. Include a review of internal access, and be certain that employees meet the standards of due care imposed on external sources.

“Intruders” can include anybody who is not authorized to enter a building, system, or data. The first defense against intruders is to keep them out of the building or computer room. However, because of cost-cutting measures in the past two decades, very few computer facilities are guarded anymore. With computers everywhere, determining where to install locks is a significant problem. To gain access to any business environment, everybody should have to pass an authentication and/or authorization test. The three ways of authenticating users involve something:

•  That the user knows (a password).
•  That the user has (a badge, key, card, or token).
•  Of their physiognomy (fingerprint, retinal image, voice).

LOCKS

In addition to securing the campus, it may be necessary to secure the computers, networks, disk drives, and electronic media.

One method of securing a workstation is with an anchor pad, a metal pad with locking rods secured to the surface of the workstation. The mechanism is installed on the shell of the computer. These are available from many vendors.

Many organizations use cables and locks. Security cables are multistrand, aircraft-type steel cables affixed to the workstation with a permanently attached plate that anchors the security cable to the desk or other fixture.

Disk locks are another way to secure the workstation. These small devices are quickly inserted into the diskette slot and lock out any other diskette from the unit. They can prevent unauthorized booting from diskettes and infection from viruses.

Cryptographic locks also prevent unauthorized access by rendering information unreadable to unauthorized personnel. Encryption software does not impact day-to-day operations while ensuring the confidentiality of sensitive business information. Cryptographic locks are cost-effective and easily available.

Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.