September 17, 2007

Let’s Get Physical Part 2

In the second part of this post I am going to point out a top ten list of ideas and
concepts that should be used to ensure the safety and security of your environment.
Remember that we aren’t just concerned with strangers or outsiders perpetrating crimes
against our organization we must also be vigilant about how we keep our own employees
from turning against us. As Jeff Hayes points out in his blog, Jeff
Hayes’ Security Blog – Practical Security for Growing Companies, “…Disgruntled
employees, ex-employees, disassociated suppliers and partners, unhappy investors,
unhappy customers, ex-spouses/soon-to-be-ex-spouses, immediate family, extended family,
etc. can all pose a threat to an individual, group of individuals or the business’
entire workforce…”

Top Ten Interior Physical Security Measures

Funneling People – Entry ways should funnel people. If you walk
into a building you should be directed a single point of authorization. This
means no open doors, offices or hallways. Any access into or out of the building
at this point should be locked.

Receptionists – Use a receptionist or security guard. The physical
presence of someone greeting you upon entry establishes control.

Limit Network Access – Remove all network jacks, computers, and networking
equipment. If the security guard or receptionist uses a computer is should be
behind the desk with no physical access to it from visitors. Network jacks should
not be present at all. It will only take one time that you forget to disable
it. The easiest method is to eliminate it.

Clear the Area – The lobby areas should be free of overgrown plants
and the furniture should be minimal and simple. Lobbies are for people waiting
brief periods to be seen.

Logs – Use a sign in book. The receptionist or guard should check
a picture ID before assigning a visitor pass over to a person. No one should
ever be granted access without an escort.

Visitor Badges – Badges should expire. And be clearly displayed.
It should be easy for an employee to quickly identify a visitor. The easiest
way to do this is with a brightly colored visitor badge. Although I personally
dislike wearing badges around my neck that is exactly where a visitor should wear
it, if a visitor badge has a clip most males will attach it to a belt loop.
Just eliminate that option all together and place visitor badges on a string or lanyard
to be worn around the neck.

Employee Badges – Employees should have badges as well and should have
a picture of them on it. Too often employee badges, if present, only have a
name. Also the idea of not having employee badges and only having visitor badges
is a mistake. This uses the idea that everyone without a badge is an employee.
So a visitor could throw their badge away and then be accepted as an employee.

CCTV – Again the use of a visible CCTV system should be used.

As we move on to the heart of operations just as we would
use VLANS and ACLS within our LAN we should use restrictions within the environment.

Segment Access – Areas with sensitive data should be locked at all times
and only those employees that need access be granted keys. These areas should
have sign in logs as well.

Server Access – Server rooms should be kept in the center of a building
with no windows. Exterior walls of the server room should carry all the way
from the floor to the true ceiling and never stop short at drop ceilings. Entry
and exit should be scrutinized and logged and should have some type of CCTV monitoring.

Although extreme this door illustrates the mentality that
we should instill within ourselves when it comes to access to our environment.

Although this is not by any means an exhaustive physical security plan it is one that
as IT professionals we should work on and develop. Physical security is becoming
more and more IP enabled. That means that we are going to become more and more
involved in the physical security planning and architecting of our environment.
I intentionally avoided a fair amount of physically securing computers and network
equipment as I am going to post an entire blog entry just on that premise in the near
future.