Physical Security Concepts

Presentation of my Physical Security course

  1. Introduction
    What to protect? Assets, people, information, reputation.
    Types of protection? Passive, active and procedural.
  2. Physical security concepts
    Concepts used in passive, active and procedural security.
    i. Risk management
    A risk assessment is part of every decision on physical security.
    It shall consider the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility.
    The vulnerability assessment considers the potential impact of loss from a successful attack as well as the vulnerability of the facility/location to an attack. Impact of loss is the degree to which the mission of a Company would be disturbed by an occurrence of the given threat.
    After having evaluated the risks for a given facility, the security manager has to recommend security and/or structural upgrades that could have a positive effect on the impact of loss and/or the vulnerability ratings for each threat.
    ii. Zoning model
    One of the best practices in security is to implement a zoning model with accurate access control.
    The general purpose of modular security zoning is to divide the different areas of a Company according to their individual risk level. Each zone consists of a number of different security measures, and therefore areas with similar requirements should be clustered.
    This approach results in a shell-like structure where exceptions are unavoidable but shall be kept to a minimum. Higher-rated physical barriers shall compensate for these exceptions where necessary.
    Physical barriers that restrict access between the different security zones play an important role. They fall into two types: outdoor physical barriers, typically including fences, walls, gates, bollards and landscape design elements such as trees, ponds and boulders; and indoor physical barriers, including walls, doors, security sluices, windows, utility ports, ceilings and floors.
    Ideally, physical barriers have a minimum number of openings for persons, such as entry control points (outdoors) or security desks (indoors).
    As in physical security, a Logical Zoning Model is typically adopted for multi-tiered network designs.
    For both domains, one must define at least four zones:
    ⦁ PZ (Public Zone): the zone outside the Company, i.e., the public domain or the Internet.
    ⦁ PAZ (Public Access Zone): contains the first tier of authentication. The PAZ also houses basic equipment that has limited access to both the PZ and the OZ, while ensuring no access to the RZ.
    ⦁ OZ (Operational Zone): the zone of daily business operations.
    ⦁ RZ (Restricted Zone): the most critical zone, accessible on a need-to-go basis.
    iii. Human aspects
    All security activities involve persons, who are a key factor in the success of a security strategy while at the same time sometimes appearing as the weakest link of the security chain.
    The different aspects to address concerning the human factor:
    ⦁ Access control: as a result of the risk assessment process and of the need to comply with the Company security zoning model, controlling access is an essential part of the human activity. While this activity can be automated, human interaction must always be possible. When designing an access control system, one must not forget the exit control system, even in case of emergency. Facilities for emergency egress should not compromise the overall security concept.
    ⦁ Security assessment of the staff: one of the biggest risks to an organization’s security is often human behaviour – action or inaction by employees that can lead to security incidents. For the Company, the human threat is associated with information confidentiality, information fraud, infiltration, espionage and human engineering. Instruments can be used both for pre-employment screening and for in-employment screening, for the employees and for the security staff.
    iv. Data security
    Data security has become a critical topic in the world of physical security. This is true both for the electronic documents handled during the life of building projects and for the data exchanged by the security systems. Modern techniques for protecting those logical assets have to be deployed.
    v. Build or renovate
    Over time, the decision-making bodies of a Company are faced with deciding whether to renovate an existing building or build a new one. This chapter describes the influencing factors to be considered in that decision. In addition, the steps to be taken during the course of the process are explained in terms of a best-practice approach.
