This awareness and training module concerns physical security relating to tangible information assets, particularly IT systems and data storage media, plus paperwork, authentication tokens, keys ... and workers, often our most valuable and vulnerable information assets.
The kinds of physical security events and incidents that can befall tangible information assets include:
- Straightforward theft or loss;
- Tailgating or physical intrusion, allowing intruders to observe, copy, steal, replace or damage information assets (both physical and digital) on-site;
- Damage - criminal or accidental such as fires, floods, storms, lightning, static electricity, voltage surges or drop-outs, electromagnetic disturbances, mold;
- Mechanical/electronic failure or obsolescence, IT equipment becoming ‘worn out’ and unreliable, intermittent or failing completely;
- Subversive hardware e.g. surveillance using microphones and cameras built-in to many IT devices, installation of bugs and wireless network taps;
- Interception of wireless transmissions, both intentional (e.g. WiFi, Bluetooth, microwaves) and unintentional (TEMPEST);
- Compromise of technological security controls e.g. reset device to factory defaults, replace firmware, disable physical security controls, hardware hacking, copying/cloning/counterfeiting;
- Shortage of suitable secure physical spaces, stores, cabinets, safes, vaults etc., leading to people storing devices and media insecurely;
- Illness, accident, death, coercion, bribery and corruption etc. of workers.
Physically securing tangible information assets involves identifying, assessing and treating the risks, typically using controls such as:
- Physical access controls – enclosures, barriers, walls, doors, locks, passes, intruder alarms, CCTV monitoring, security guards, anti-tamper and tamper-evident devices etc.;
- Fire, smoke and flood protection – detectors, alarms, manual and automated responses;
- Redundant/spare equipment, supplies, communications routes and people;
- Uninterruptible power supplies, generators;
- Lightning conductors, surge arrestors etc.;
- Health and safety plus welfare arrangements for workers;
- Laws, policies, agreements and other rules and regulations;
- Physical security-related processes and activities (e.g. visitor procedures, security guard tours, incident response procedures, emergency evacuation procedure, pass checks, polite challenges of possible intruders or social engineers … oh and security awareness of course!).
- Remind everyone about the need to secure and protect tangible information assets in all their forms, against various physical security risks;
- Highlight the value and purpose of competent site penetration testing as a pragmatic means of checking and improving the physical protection of tangible [information] assets;
- Provide a mixture of information and motivational content, stimulating people to think - and most of all behave - more securely, for example by spotting and reporting suspicious activities, possible intruders, social engineers, ineffective controls etc.
Some questions to consider when determining your own learning objectives and customizing the supplied content:
- What are the most common kinds of physical information security incident? Which are the most costly? Do incidents vary markedly across departments, business units, locations etc.?
- How does your organization compare to its neighbors and peers? Is it perceived as physically strong and resistant, or weak and vulnerable?
- Are physical security incidents being reported routinely and addressed promptly?
- Are there persistent root-cause issues that deserve to be tackled, for once and for all?
Physical infosec awareness
An awareness and training module about protecting information assets (including people!) against physical threats such as unauthorized or inappropriate physical access, fires, floods, and various workplace hazards.