In Lecture 15, we delve into the physical controls specified in ISO/IEC 27002. These controls are essential for ensuring the physical security of information assets, addressing threats that are not technological but still critical to cybersecurity. This article provides a detailed breakdown of key points discussed, emphasizing the importance of physical controls and their implementation.
Key Concepts
Physical Controls
- Definition: Measures related to the physical security of information processing facilities and equipment.
- Importance: Protects against physical threats that could compromise information security, such as unauthorized access, theft, and environmental hazards.
ISO/IEC 27002 Categories
- ISO/IEC 27002:2022 groups its 93 controls into four themes: organizational, people, physical, and technological.
- Physical Controls: the physical theme (Clause 7) contains 14 controls, 7.1 to 7.14, covering the aspects of physical security broken down below.
Detailed Breakdown
Securing a Work Location
Physical Security Perimeters:
- Definition: Define and use security perimeters to protect areas containing information and associated assets.
- Guidance: Includes measures like fences, walls, and entry controls to create a secure boundary.
Physical Entry:
- Definition: Secure areas should be protected by appropriate entry controls and access points.
- Guidance: Consider restricted access, access logs, robust authentication methods, and visible identification for personnel.
Securing Offices, Rooms, and Facilities:
- Definition: Implement physical security for offices, rooms, and facilities.
- Guidance: Address security measures like locks, surveillance, and environmental controls to protect these areas.
On-Site Working and Equipment Security
Working in Secure Areas:
- Definition: Design and implement security measures for work carried out inside secure areas.
- Guidance: Use measures such as badges, biometric access, and escorting visitors; avoid unsupervised work in secure areas, lock and periodically inspect vacant secure areas, and prohibit photographic, video, or audio recording equipment unless it is authorized.
Clear Desk and Clear Screen:
- Definition: Define and enforce clear desk and clear screen rules for papers and information processing facilities.
- Guidance: Develop a clear desk and clear screen policy and ensure staff comply with it to prevent unauthorized access to information.
Equipment Siting and Protection:
- Definition: Ensure that equipment is placed and protected to reduce risks from environmental threats and unauthorized access.
- Guidance: Considerations include physical location, secure enclosures, and protection from natural hazards.
Storage Media:
- Definition: Manage storage media through their lifecycle, including acquisition, use, transportation, and disposal.
- Guidance: Use cryptographic techniques to protect information on the media, require authorization before media are removed from the premises, and retire media before they degrade to the point where stored data can no longer be read reliably.
Supporting Utilities:
- Definition: Ensure utilities like power and HVAC systems support the safe operation of information systems.
- Guidance: Regular maintenance and protection from disruptions.
Cabling Security:
- Definition: Protect cables carrying power and data from interception, interference, or damage.
- Guidance: Consider threats to power cables (availability) and network cables (confidentiality and integrity).
Equipment Maintenance:
- Definition: Regularly maintain equipment to ensure its proper functioning and security.
- Guidance: Follow manufacturer guidelines and schedule regular checks.
Secure Disposal or Reuse of Equipment:
- Definition: Verify that sensitive data and licensed software are removed or securely overwritten before disposal or reuse.
- Guidance: Physically destroy or securely overwrite storage media, remove organizational labels, confirm that the sanitization actually worked before the item leaves the organization's control, and keep a record of what was done to each item.
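The control above asks you to verify, not just perform, the overwrite. One way to do that verification, as an added example that is neither the lecture's nor the standard's own code, is to scan an image of the sanitized medium and classify each block: an all-zero block is consistent with a zero-fill pass, a high-entropy block with a random-data pass, and anything else is residual data (filesystem metadata, documents, logs). A few well-known on-disk signatures that should never survive a wipe are also checked. The image, the block size, the entropy threshold, and the signature list are assumptions for illustration; the image is constructed in memory so the script runs offline.

```python
"""Verify that a storage-medium image was actually overwritten before disposal or reuse.

Added example: the sample image is constructed in memory, and the block size,
entropy threshold and signature list are illustrative assumptions, not
requirements taken from ISO/IEC 27002.
"""
import hashlib
import math
from collections import Counter

BLOCK = 4096           # classification granularity; 4 KiB keeps the entropy estimate stable
RANDOM_ENTROPY = 7.5   # bits/byte; random 4 KiB blocks measure about 7.95, text about 4-5


def shannon_entropy(block):
    """Empirical entropy in bits per byte: 0.0 for a constant block, ~8.0 for random data."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_block(block):
    """'zero' (zero-fill pass), 'random' (random pass), or 'residual' (data survived)."""
    if not any(block):
        return "zero"
    if shannon_entropy(block) > RANDOM_ENTROPY:
        return "random"
    return "residual"


def verify_wipe(image, block=BLOCK, expected=("zero", "random")):
    """Classify every block and look for on-disk structures that a wipe must remove.

    `expected` lists the block classes the wipe procedure is supposed to leave behind;
    pass ("zero",) to check a zero-fill-only policy, where random blocks also count as failures.
    """
    counts = Counter()
    residual = []
    for off in range(0, len(image), block):
        kind = classify_block(image[off:off + block])
        counts[kind] += 1
        if kind not in expected:
            residual.append(off // block)

    signatures = []
    # Well-known partition structures: MBR boot signature in sector 0, GPT header in sector 1.
    if len(image) >= 512 and image[510:512] == b"\x55\xaa":
        signatures.append("MBR boot signature at byte offset 510")
    if len(image) >= 1024 and image[512:520] == b"EFI PART":
        signatures.append("GPT header signature at byte offset 512")

    return {
        "blocks": dict(counts),
        "residual_blocks": residual,
        "signatures": signatures,
        "clean": not residual and not signatures,
    }


def pseudo_random_bytes(n, seed=b"wipe-demo"):
    """Deterministic stand-in for a random overwrite pass (SHA-256 chain), constructed for the demo."""
    out = bytearray()
    state = seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


def build_sample_image(blocks=64, block=BLOCK):
    """Constructed image of a drive whose wipe was botched: GPT header and a CSV block survived."""
    img = bytearray(blocks * block)
    img[512:520] = b"EFI PART"                                   # stale partition table header
    text = b"customer-export-2023.csv,name,email,card_last4\n"  # a leftover data block
    img[40 * block:41 * block] = (text * (block // len(text) + 1))[:block]
    img[41 * block:] = pseudo_random_bytes((blocks - 41) * block)  # random pass covered the rest
    return bytes(img)


if __name__ == "__main__":
    report = verify_wipe(build_sample_image())
    print("clean:", report["clean"])
    print("blocks:", report["blocks"])
    print("residual blocks:", report["residual_blocks"])
    print("signatures:", report["signatures"])
```

On a real drive you would run `verify_wipe` over the raw block device (read in chunks rather than loading it whole) after the overwrite or the drive's own sanitize command, and treat any residual block or signature hit as a failed wipe that sends the item back for destruction. Note the check is only as good as what the device exposes: remapped sectors and over-provisioned flash are not visible this way, which is why the standard still lists physical destruction alongside overwriting.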
Physical Security Monitoring and Environmental Protection
Physical Security Monitoring:
- Definition: Continuously monitor premises for unauthorized physical access.
- Guidance: Use surveillance systems, guards, alarms, and video monitoring to detect and respond to physical security breaches; review the access logs and alarm events the systems produce, and protect the monitoring systems themselves from tampering and unauthorized access.
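Badge readers produce logs, and most of the value of monitoring comes from actually reviewing them. The following is an added example, not code from the lecture or the standard, of the detection rules a security operations team typically runs over physical-entry logs: an entry with a badge that is already recorded inside (anti-passback, indicating a shared or cloned badge), an exit with no prior entry (the holder tailgated in), repeated denials in a short window (card testing or a lost badge being tried), entry outside the holder's permitted hours, and entry with a badge that is not on the authorization list. The log format, the authorization table, and the thresholds are assumptions chosen for the illustration; the log lines are constructed.

```python
"""Detection rules over physical-entry (badge reader) logs.

Added example: the log format, the authorization table and the rule
thresholds are illustrative assumptions, not taken from ISO/IEC 27002.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp badge door direction result
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice DC-MAIN in granted
2024-03-04T08:03:40 bob DC-MAIN in granted
2024-03-04T09:10:05 alice DC-MAIN in granted
2024-03-04T12:15:02 alice DC-MAIN out granted
2024-03-04T13:40:00 carol DC-MAIN in denied
2024-03-04T13:40:12 carol DC-MAIN in denied
2024-03-04T13:40:25 carol DC-MAIN in denied
2024-03-04T17:55:33 bob DC-MAIN out granted
2024-03-04T18:20:00 dave DC-MAIN out granted
2024-03-04T23:12:45 alice DC-MAIN in granted
2024-03-04T23:30:00 erin DC-MAIN in granted
"""

# Hypothetical authorization table: badge -> (earliest_hour, latest_hour)
# during which the holder may be inside the data center.
AUTHORIZED = {"alice": (7, 19), "bob": (7, 19), "dave": (0, 24)}


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str   # "in" or "out"
    result: str      # "granted" or "denied"


def parse_log(text):
    """Parse whitespace-separated badge-reader lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction, result))
    return events


def detect(events, authorized=AUTHORIZED, denied_threshold=3,
           denied_window=timedelta(minutes=5)):
    """Return (rule, badge, timestamp) findings in time order."""
    findings = []
    inside = set()                  # badges currently recorded inside the secure area
    denials = defaultdict(deque)    # badge -> timestamps of recent denials

    for e in sorted(events, key=lambda ev: ev.ts):
        stamp = e.ts.isoformat()

        if e.result == "denied":
            # Several denials within the window: card testing or a lost badge being tried.
            recent = denials[e.badge]
            recent.append(e.ts)
            while recent and e.ts - recent[0] > denied_window:
                recent.popleft()
            if len(recent) >= denied_threshold:
                findings.append(("repeated_denials", e.badge, stamp))
                recent.clear()      # alert once per burst
            continue

        # Granted event: check the badge against the authorization table.
        if e.badge not in authorized:
            findings.append(("unauthorized_badge", e.badge, stamp))
        else:
            start, end = authorized[e.badge]
            if not (start <= e.ts.hour < end):
                findings.append(("after_hours", e.badge, stamp))

        # Anti-passback: each badge's door events should alternate in/out.
        if e.direction == "in":
            if e.badge in inside:
                # Second entry without an exit: shared or cloned badge, or an earlier tailgate out.
                findings.append(("anti_passback", e.badge, stamp))
            inside.add(e.badge)
        elif e.direction == "out":
            if e.badge not in inside:
                # Exit with no recorded entry: the holder tailgated in behind someone else.
                findings.append(("exit_without_entry", e.badge, stamp))
            inside.discard(e.badge)

    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, badge, ts in run_sample():
        print(f"{ts} {rule:<20} {badge}")
```

The anti-passback and exit-without-entry rules only work if both entry and exit are badged; a door that is free to exit from produces no "out" events, and the `inside` set then drifts. That is a reason to badge both directions on secure-area doors, or to pair the log with occupancy data from the video system.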
Protecting Against Physical and Environmental Threats:
- Definition: Protect against threats like natural disasters and other physical hazards.
- Guidance: Conduct risk assessments, seek specialist advice, and implement protective measures against fire, flood, earthquake, and other threats.
Security of Assets Off Premises
Control Description: Protect assets taken off-site.
- Guidance: Avoid leaving equipment unattended in public places, maintain logs, define the chain of custody, require authorization for removal, and implement location tracking and remote wiping capabilities.
Practical Applications
Implementing Physical Security Perimeters
Scenario: A company wants to secure its data center.
Actions:
- Security Perimeter: Erect fences and secure walls around the data center.
- Entry Controls: Implement biometric access and badge systems to control entry.
- Surveillance: Install CCTV cameras and intrusion detection systems.
Managing Storage Media
Scenario: An organization needs to securely manage its storage media lifecycle.
Actions:
- Acquisition and Use: Authorize and document media acquisition and use.
- Transportation: Use encryption and secure containers for media transport.
- Disposal: Overwrite or physically destroy media before disposal.
Protecting Against Environmental Threats
Scenario: A company is located in an area prone to natural disasters.
Actions:
- Risk Assessment: Conduct assessments to identify potential environmental threats.
- Protective Measures: Install fire suppression systems, elevate equipment to avoid flood damage, and reinforce buildings against earthquakes.
Relevant Standards and Publications
ISO/IEC 27002
Standard: ISO/IEC 27002 provides guidelines for implementing security controls to protect information assets.
Clauses to Review:
- Clause 7 (Physical controls, 7.1 to 7.14) in ISO/IEC 27002:2022, which is the numbering the 14 controls above follow; the same material appears as Clause 11 (Physical and environmental security) in the older 2013 edition.
NIST Special Publication 800-53
Document: National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 (Rev 5), 2020.
Chapter to Review: Chapter 2 (pp. 7–15) for an overview of security controls, including those for protecting information processing resources. The controls that correspond to this lecture are collected in the PE (Physical and Environmental Protection) family.
Book References for Further Reading
“Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton
- Provides a foundational understanding of information security management, including measures to implement physical controls effectively.
“Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
- Discusses practical approaches to managing security risks, integrating broader principles that complement the implementation of physical controls.
“Cybersecurity and Cyberwar: What Everyone Needs to Know” by P.W. Singer and Allan Friedman
- Offers a broader, non-specialist context for cybersecurity, useful for understanding why physical controls matter alongside technical ones.
“Network Security Essentials: Applications and Standards” by William Stallings
- Covers key concepts in network security; relevant here for the network-side assets that physical measures such as cabling security and equipment siting are meant to protect.
Lecture 15 emphasizes the importance of implementing physical controls to maintain cybersecurity within an organization. These controls include securing work locations, managing on-site working and equipment security, physical security monitoring, protecting against environmental threats, and securing assets off-premises. The ISO/IEC 27002 standard provides detailed guidance on these controls, which are essential for addressing physical threats that could compromise information security. The recommended books and standards offer further insights and practical guidance on implementing these controls within an organizational context.