In the previous two installments of this series, we examined information security management and the implementation and monitoring of security controls. Now, in this third and final part of this article series, we’ll be looking at the physical and environmental protection of information assets. We’ll also take a moment to summarize some of what we’ve learned and close with a few thoughts on information security best practices.
Physical and Environmental Protection of Information Assets
Physical access controls for the identification, authentication and restriction of users to authorized facilities.
Physical access controls/countermeasures for the protection of facilities include but are not limited to: bolting door locks, cipher locks, electronic door locks, biometric door locks, manual logging, electronic logging, ID badges, video cameras, security personnel, guard dogs, controlled visitor access, bollards, deadman doors, mantraps, turnstiles, computer workstation locks, controlled single entry point, bug sweeping, alarm systems, and even barbed wire if necessary.
These may seem extreme, but there are many potential forms of physical access issue which may necessitate these responses. Possible physical access issues include tailgating, vandalism, sabotage, espionage, unauthorized copying or modification of data, blackmail, public disclosure of data, theft and embezzlement
Example: RFID chips can be used to grant physical access. From August 2017 onwards, employees at Three Square Market in Wisconsin can have microchips implanted under their skin. Once that “upgrade” is completed, these employees can enter office buildings or pay for cafeteria goods with a wave of the hand.
Environmental Protection Devices and Supporting Practices
The following is a list of environmental factors with attendant vulnerabilities and protective measures. Please note that this is not necessarily a complete list.
- Electric Power Vulnerabilities: spike/surge, inrush, outage
- Electrical Power Protection: electric generator, uninterruptible power supply (UPS), dual power feeds, power distribution unit (PDU)
- Physical Environment Vulnerabilities: extreme temperatures, fire, humidity, dust, dirt, physical attacks
- Popular Physical Environmental Controls: fire prevention, fire detection, fire alarm, fire suppression (dual suppression system); water detection
An auditor should check: appropriate power protection, physical firewalls, detectors, fire extinguishers, the fire marshal report and multiple power feeds.
Storage and Retrieval of Confidential Information
All parts of the information life cycle have their hazards: confidential information assets are even vulnerable during storage, retrieval and transport. Companies should also adopt a proper disposal procedure, to ensure that no one can retrieve and misuse the information.
When in storage, data should be encrypted. During retrieval, the encryption should be carried out only by a select few number of people with high enough access. Transporting physical data should again be handled only be authorized personnel.
Ethical Hacking Training – Resources (InfoSec)
The disposal of data should take place in such a way as to completely and irrevocably erase the data, both digital and physical. Digital data should be completely erased; physical data should be burned, magnetically erased, or shredded beyond recognition.
Example: A failure to dispose of sensitive information resulted in a monetary penalty of two hundred thousand British pounds imposed on NHS Surrey by the Information Commissioner’s office, a UK body that upholds information rights in the public interest. More than 3,000 patient records were inadvertently left and subsequently found on a secondhand computer sold on an online auction site by the data destruction company hired to dispose of obsolete computer equipment. A high cost for a single mistake.
These articles have clearly illustrated the importance of protecting information assets. Generally speaking, the term “best practices” may have different scope in the context of information assets and should be determined on a case-by-case basis; however, one should consider the possibility of using a holistic process that covers every significant layer.
It’s also important to remember that the threat landscape is constantly changing. As the threats adjust, so too must you.
ICO issues £200,000 penalty for failed IT disposal, Computer Weekly
The Case for Corporate Single Sign-On, Identity 360
Log management is leading use case for Big Data, CSO Online