PHYSICAL ACCESS CONTROLS
CHAPTER 3 - PART 1

TOPICS COVERED
● Introduction
● Managerial, Technical and Physical Controls
● Control Monitoring and Effectiveness
● Physical Access Controls and Exposures
  a) Introduction
  b) Physical Access Exposures

TYPES OF CONTROLS
PDC Model - According to timeline
● Preventive
● Detective
● Corrective

According to environment
● Physical
● Logical
● Environmental

INTRODUCTION
● Logical, physical and environmental security are needed
● Logical, physical and environmental security controls are designed and implemented by the facility management and not by the information security manager or IT
● *IT assets require a controlled environment
● Controls should be evaluated by the IS auditor

*Controlled environment for IT assets:
1. Temperature
2. Humidity
3. Power

The information security management function provides:
● Management direction – policy creation, information security strategies, information security architecture
● Management oversight and execution of essential information security operations – oversight (routine operations that affect information security); execution (information security incident management and security forensics)
● Management of information security technologies

Routine operations which affect information security:
a. Access control
b. User identity management
c. Configuration management of other security building blocks

Other security building blocks:
1. Intrusion detection and penetration testing system
2. Anti-malware
3. Other processes

● Protecting confidentiality, integrity and authenticity of assets
  ○ Here the A in CIA is authenticity, not availability
● Proactive (safeguards) and reactive (countermeasures) controls

Controls can be:
1. Proactive controls - attempt to prevent an incident
2. Reactive controls - allow the detection, containment and recovery from an incident.

● Risk assessment
● Controls may be sufficient or need adjustment
  ○ If not sufficient, adjustment is needed
● Effective control
  ○ one that prevents, detects and/or contains an incident and enables recovery from an event.
● There are situations where existing controls are not sufficient, hence requiring adjustment or implementation of controls
● At times, adjustment or implementation of controls is not feasible due to cost, job requirements, or availability of controls
● Use compensating controls to reduce risk
  ○ Ex. SOD (segregation of duties)
  ○ Increased supervision
    ■ DURING
    ■ The work is supervised while you are doing the accounting
  ○ Independent verification
    ■ AFTER
    ■ ex. Audit
    ■ The recording is finished; it has already been recorded in the SL
EXAMPLES OF COMPENSATING CONTROLS:
1. Layered defense
   ● a type of security system using multiple tools to safeguard or protect multiple areas of the network against multiple threats.
   ● Also known as multilayered defense.
   ● Layered defense should provide the following security:
     1. System-level security
     2. Network-level security
     3. Application-level security
     4. Transmission-level security - when you transfer information, ex. Email
   ● Popular: encryption, firewall
2. Increased supervision
3. Procedural controls
   - establish a framework for validating and maintaining the computer system
   ● Ensure that users know how to use the system
   ● Can be:
     1. Standard operating procedures (SOPs)
     2. User manuals
4. Increased audits
5. Logging of system activity

Figure 5.5 - Control Matrix
             Managerial                  Technical                          Physical
Preventive   User registration process   Login screen                       Fence (a wall)
Detective    Audit                       Intrusion detection system (IDS)   Motion sensor (detects when something moves)
Corrective   Remove access               Network isolation                  Close fire doors

Intrusion Detection System (IDS)
● A type of security software that automatically alerts administrators
● When someone is trying to compromise the information system
● There are malicious activities or security policy violations

Network isolation
● Also known as network segmentation, network segregation, network partitioning
● Divides the computer network into smaller parts
● Purpose is to improve network performance and security
- Network isolation works by controlling how traffic flows among the parts: you could choose to stop all traffic in one part from reaching another, or you can limit the flow by traffic type, source, destination, and many other options.
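The network isolation passage above says segmentation works by controlling which traffic may cross between parts, by type, source and destination, and the IDS passage says a detective control alerts administrators on security policy violations. The Python script below is an added example, not part of these notes or of any product the notes describe; it implements both halves on constructed data: a default-deny allow-list between three hypothetical segments (the segment names, address ranges, rules and the flow-record format are all assumptions made up for this example), and an alert for every flow the policy denies.

```python
"""Added example: a default-deny segmentation policy checked against constructed
flow records, raising an alert for every flow the policy denies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Hypothetical segments and address ranges (constructed for this example).
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "management": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted cross-segment flow: source segment, destination segment,
    transport protocol and destination port."""
    src: str
    dst: str
    proto: str
    port: int


# Allow-list between segments; any cross-segment flow not listed here is denied.
ALLOW: List[Rule] = [
    Rule("workstations", "servers", "tcp", 443),      # web/API traffic
    Rule("management", "servers", "tcp", 22),         # admin SSH only from the management segment
    Rule("management", "workstations", "tcp", 3389),  # remote support to workstations
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside every segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow under the policy above."""
    src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny", "unknown segment"
    if src_seg == dst_seg:
        # Isolation acts between parts; traffic inside one part is not filtered here.
        return "allow", f"intra-segment ({src_seg})"
    for rule in ALLOW:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src_seg, dst_seg, flow.proto, flow.dst_port):
            return "allow", f"rule {rule.src}->{rule.dst} {rule.proto}/{rule.port}"
    return "deny", f"no rule {src_seg}->{dst_seg} {flow.proto}/{flow.dst_port}"


def alerts(lines: Iterable[str]) -> List[str]:
    """Detective side: one alert line per denied flow, the kind of policy-violation
    alert the notes attribute to an IDS."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            out.append(f"ALERT policy violation {flow.src_ip} -> {flow.dst_ip} "
                       f"{flow.proto}/{flow.dst_port}: {reason}")
    return out


# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = [
    "10.10.5.7 10.20.1.10 tcp 443",     # workstation to server over HTTPS: allowed
    "10.10.5.7 10.20.1.10 tcp 22",      # workstation SSH to server: denied, alert
    "10.30.0.5 10.20.1.10 tcp 22",      # management SSH to server: allowed
    "10.10.5.7 10.30.0.5 tcp 22",       # workstation into management segment: denied, alert
    "10.10.5.7 10.10.9.9 tcp 445",      # within the workstation segment: allowed
    "192.168.1.1 10.20.1.10 tcp 443",   # source outside every segment: denied, alert
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(line, "->", *evaluate(parse_flow(line)))
    for alert in alerts(SAMPLE_FLOWS):
        print(alert)
```

The design choice worth noticing is the default: because cross-segment traffic is denied unless a rule names it, adding a new segment changes nothing until someone deliberately writes a rule for it, and every denied flow becomes an auditable alert rather than a silent drop.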
MANAGERIAL, TECHNICAL AND PHYSICAL CONTROLS

Figure 5.4 – Control Methods (CATEGORY - DESCRIPTION)
Managerial (administrative) - Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development, and compliance reporting.
Technical - Controls are also known as logical controls and are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network- or host-based intrusion detection systems (IDSs), passwords, and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.
Physical - Controls that are locks, fences, closed-circuit TV (CCTV), and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.

CONTROL MONITORING AND EFFECTIVENESS
The IS auditor should:
● Validate that processes, logs and audit hooks (red flags) are in place
● Ensure that logs are enabled, controls are able to be tested, and regular reporting procedures are developed
● Ensure that the capability to monitor a control and to support monitoring systems is addressed

PHYSICAL ACCESS CONTROLS AND EXPOSURES – INTRODUCTION

PHYSICAL EXPOSURES
● Financial loss, legal repercussions, loss of credibility, or loss of competitive advantage
● These primarily originate from:
  a. Natural hazards/disasters
  b. Man-made hazards
● Can expose the business to:
  1. Unauthorized access
  2. Unavailability of business information

PHYSICAL ACCESS ISSUES
● Major concern

PHYSICAL ACCESS CONTROLS AND EXPOSURES – PHYSICAL ACCESS EXPOSURES

PHYSICAL ACCESS EXPOSURES
● Unauthorized entry
● Damage, vandalism or theft to equipment or documents
● Copying or viewing of sensitive or copyrighted information
● Alteration of sensitive equipment and information
● Public disclosure of sensitive information
● Abuse of data processing resources
● Blackmail
● Embezzlement
● Wiretapping/eavesdropping

POSSIBLE PERPETRATORS (EMPLOYEES)
● Disgruntled
● On strike
● Threatened by disciplinary action or dismissal
● Addicted to a substance or gambling
● Experiencing financial or emotional problems
● Notified of their termination

OTHER POSSIBLE PERPETRATORS
● Former employees
● Interested or informed outsiders
● An accidental ignorant
  - Most likely source of exposure

Interested or informed outsiders
a) Competitors
b) Thieves
c) Organized crime
d) Hackers

Accidental ignorant - someone who unknowingly perpetrates a violation

Most likely source of exposure: unknowing person

Exposure with the greatest impact: from those with malicious interest

OTHER QUESTIONS AND CONCERNS
● Hardware facilities protected?
● Keys to computer facilities controlled?
● Computer terminals locked or secured?
● Authorized equipment passes required?

FACILITIES TO BE PROTECTED
● Programming area
● Computer room
● Operator consoles and terminals
● Tape library, tapes, disks and all magnetic media
● Storage rooms and supplies
● Offsite backup file storage facility
● Input/output control room
● Communications closets
● Telecommunications equipment
  ○ Radios
  ○ Satellites
  ○ Wiring
  ○ Modems
  ○ External network connections
● Microcomputers and PCs

Console
● basic computer and a keyboard connected to a server over a network
● Used to monitor the status of a certain computer or a network

● Power sources
● Disposal sites
● Minicomputer establishments
● Dedicated telephones/telephone lines
● Control units and front-end processors
● Portable equipment
  ○ Handheld scanners and coding devices
  ○ Barcode readers
  ○ Laptop computers
  ○ Printers
  ○ Pocket LAN adapters
● Onsite and remote printers
● Local area networks

● System, infrastructure and software application documentation should also be protected
● Safeguards should be extended beyond the computer facility
● IS auditor may require assurance that similar controls exist within service providers or other third parties

Areas beyond the computer facility:
1) Remote locations
2) Rented, leased, or shared facilities