
Domain 6

Physical Security Considerations

THE KEY TO A SUCCESSFUL PHYSICAL PROTECTION SYSTEM is the integration of people, process, and technology. The Physical Security domain recognizes the importance of physical security and personnel controls in a complete information system security model. The security architect is required to demonstrate an understanding of the risks and of the tools used to provide physical security. This includes the secure management, administration, and deployment of physical access controls, and the choice of controls that prevent, detect, or react to suspicious activity.

TOPICS

-   Assess Requirements

-   Policies and standards

    -   Export controls

    -   Escort policy

    -   Liaise with law enforcement and external media

-   Integrate physical security with identity management

    -   Wiring closet access

    -   Badge and enterprise identity management

-   Map physical security needs against business drivers

    -   Outsourcing

    -   Relocations

    -   Mergers and acquisitions

    -   Divestitures

    -   Plant closings

-   Integrate Physical Security Products and Systems

-   Review common techniques, technologies and architectural principles

-   Perimeter protection and internal zoning

-   Evaluate Solutions

-   Define test scenarios

-   Evaluate test deficiencies

OBJECTIVES

Key areas of knowledge within the Physical Security Considerations domain include:

-   Identification and protection of restricted work areas, including traffic control, access control, and monitoring.

-   Selecting the locations of, and designing, secure facilities.

-   Addressing facility infrastructure risk and requirements, including identity management and facility protections.

-   Remediation of risks associated with portable data processing and storage devices.

Physical Security Policies and Standards

There are many standards, policies, and guidelines that the security architect needs to be aware of as the totality of the security architecture is examined. These range from RFCs such as RFC 2904 (AAA Authorization Framework), to the OASIS SAML 2.0 and XACML 3.0 specifications, to ISO 27005, among many others; all of them address one or more aspects of security and secure design1. What is not as clear and readily apparent in these standards and frameworks is what the structures need to look like at the next layer down in the security architecture. Specifically, as the security architect designs secure systems to address the needs of the organization, what do the logical and physical design elements of the architecture look like as the view moves from 50,000 feet to 25,000 feet and ultimately to ground level?

Creating a defined structure that is clear and unambiguous is a key goal for the security architect, because the organization will only be able to achieve the level of security that is readily apparent and clearly defined. As a result, the security architect needs to be able to draw ever more detailed pictures for the organization, defining the who, what, when, where, why, and how of security, in order to guide the organization to as secure a state as is required. Policies and standards help the security architect answer the questions the organization has about security, and so create the clarity that a well-defined security solution needs in order to be implemented.

The security architect will need to address a broad set of issues through the application of standards and policies to the organization. These range from physical security issues such as facility design, location, and access control, to industry-specific issues such as export control and regulatory compliance in particular industry verticals. Export control is one area where the security architect must either have industry-specific knowledge or seek out the expertise required, in order to ensure that compliance activities are carried out correctly and that the required security controls are designed to address the level of compliance demanded by whichever regime(s) apply.

In the United States of America, export control regulations are federal laws that prohibit the unlicensed export of certain commodities or information for reasons of national security or protection of trade. Export controls usually arise for one or more of the following reasons:

-   The nature of the export has actual or potential military applications or economic protection issues.

-   Government concerns about the destination country, organization, or individual.

-   Government concerns about the declared or suspected end use or the end user of the export.

An export is any oral, written, electronic, or visual disclosure, shipment, transfer, or transmission of commodities, technology, information, technical data, assistance, or software code to anyone outside the U.S., including:

-   a U.S. citizen

-   a non-U.S. individual wherever they are, including inside the U.S. (a “deemed export”)

-   a foreign embassy or affiliate

U.S. exports are controlled for a variety of reasons, such as:

-   National Security

-   Proliferation of chemical and biological weapons

-   Nuclear Nonproliferation

-   Missile Technology

-   Anti-Terrorism (Cuba, Iran, North Korea, Libya, Sudan and Syria)

-   Crime Control

-   High Performance Computers

-   Regional Stability

-   Short Supply

-   U.N. Sanctions

Methods of disclosure can include:

-   Fax

-   Telephone discussions

-   E-mail communications

-   Computer data disclosure

-   Face-to-face discussions

-   Training sessions

-   Tours which involve visual inspections

From the perspective of the United States, a “Foreign National” is any person who is NOT a:

-   U.S. Citizen or National

-   U.S. Lawful Permanent Resident

-   Person Granted Asylum

-   Person Granted Refugee Status

-   Temporary Resident

The “Foreign National” designation includes:

-   Persons in the U.S. in non-immigrant status (for example, H-1B, H-3, L-1, J-1, F-1 Practical Training)

-   Persons unlawfully in the U.S.

Most exports do not require government licenses. However, licenses are required for exports that the U.S. government considers “license controlled” under one of three regimes.

The United States Department of Commerce’s Export Administration Regulations (EAR) [15 CFR 730-774]2 cover:

-   Dual use items

-   Items designed for commercial purposes that could also have military applications (computers, civilian aircraft, pathogens)

-   Both the goods and the technology

-   Deemed exports

The Commerce Control List (Short Version)3

-   Category 0: Nuclear Materials, Facilities & Equipment (and Miscellaneous Items)

-   Category 1: Materials, Chemicals, Microorganisms, and Toxins

-   Category 2: Materials Processing

-   Category 3: Electronics Design, Development and Production

-   Category 4: Computers

-   Category 5: Telecommunications (Part 1) and Information Security (Part 2)

-   Category 6: Sensors and Lasers

-   Category 7: Navigation and Avionics

-   Category 8: Marine

-   Category 9: Propulsion Systems, Space Vehicles and Related Equipment

Category 5, Part 2 (Information Security) is the category most likely to touch the security architect’s own products, because it is where encryption hardware, software, and technology are classified. An organization that ships, or publishes, cryptographic code needs to know how those items are classified under this category before they cross a border.

The Department of State’s International Traffic in Arms Regulations (ITAR) [22 CFR 120-130]4, which include the United States Munitions List (USML), cover defense-related items and services:

-   Military items or defense articles

-   Goods and technology designed to kill, or to defend against death, in a military setting

-   Space-related technology, because of its application to missile technology

-   Technical data related to defense articles and defense services

The United States Munitions List (Short Version)5

-   I – Firearms, Close Assault Weapons and Combat Shotguns

-   II – Guns and Armament

-   III – Ammunition/Ordnance

-   IV – Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines

-   V – Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents

-   VI – Vessels of War and Special Naval Equipment

-   VII – Tanks and Military Vehicles

-   VIII – Aircraft and Associated Equipment

-   IX – Military Training Equipment

-   X – Protective Personnel Equipment

-   XI – Military Electronics

-   XII – Fire Control, Range Finder, Optical and Guidance and Control Equipment

-   XIII – Auxiliary Military Equipment

-   XIV – Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment

-   XV – Spacecraft Systems and Associated Equipment

-   XVI – Nuclear Weapons, Design and Testing Related Items

-   XVII – Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated

-   XVIII – Directed Energy Weapons

-   XIX – Reserved

-   XX – Submersible Vessels, Oceanographic and Associated Equipment

-   XXI – Miscellaneous Articles

The Treasury Department’s Office of Foreign Assets Control (OFAC) administers and enforces economic and trade sanctions imposed against specific countries for reasons of foreign policy, national security, or international agreements. OFAC [31 CFR Parts 500-599]6:

-   Regulates the transfer of items/services of value to embargoed nations.

-   Imposes trade sanctions, and trade and travel embargoes, aimed at controlling terrorism, drug trafficking and other illicit activities.

-   Prohibits payments/providing value to nationals of sanctioned countries and to some specified entities/individuals.

-   May prohibit travel and other activities with embargoed countries and individuals even when exclusions to EAR/ITAR apply.

An export license may be required before a controlled item or material may be exported. Processing is usually lengthy (currently 2-3+ months), denial is always a possibility, and an approval may carry restrictive conditions; researchers must curtail or modify their activities pending issuance of the license by the appropriate government body. The Bureau of Industry and Security (BIS) of the U.S. Department of Commerce is responsible for regulating the export of most commercial items, often referred to as “dual-use” items: those having both commercial and military or proliferation applications. Relatively few exports of dual-use items require an export license from BIS prior to shipment. Dual-use export licenses are required in certain situations involving national security, foreign policy, short supply, nuclear non-proliferation, missile technology, chemical and biological weapons, regional stability, crime control, or terrorism concerns. The license requirements depend on an item’s technical characteristics, the destination, the end use, the end user, and other activities of the end user. Several lists are used to determine ineligibility under the EAR, ITAR, and OFAC regimes:

Denied Persons List – A list of individuals and entities that have been denied export privileges. Any dealings with a party on this list that would violate the terms of its denial order are prohibited.7

Unverified List – A list of parties where BIS has been unable to verify the end-user in prior transactions. The presence of a party on this list in a transaction is a “Red Flag” that should be resolved before proceeding with the transaction.8

Entity List – A list of parties whose presence in a transaction can trigger a license requirement under the Export Administration Regulations. These end users have been determined to present an unacceptable risk of diversion to the development of weapons of mass destruction, or of the missiles used to deliver them, contrary to U.S. national security and/or foreign policy interests. Inclusion on the list may also result from activities sanctioned by the State Department or otherwise contrary to U.S. national security and/or foreign policy interests.9

Specially Designated Nationals List – Alphabetical master list of Specially Designated Nationals and Blocked Persons compiled by the Treasury Department, Office of Foreign Assets Control (OFAC).10

Debarred List – A list compiled by the State Department of parties who are barred by §127.7 of the International Traffic in Arms Regulations (ITAR) (22 CFR §127.7) from participating directly or indirectly in the export of defense articles, including technical data or in the furnishing of defense services for which a license or approval is required by the ITAR.11

EAR License Requirements (Dual Use/Commercial Technologies)

-   “Terrorist Supporting Countries” such as Cuba, Iran, Libya, North Korea, Sudan and Syria

-   “Countries of Concern” such as the former Soviet Republics, China and Vietnam

-   “Friendly Countries”, that is, all others (Europe, Central/South America, etc.)

ITAR Licensing Policy (Military/Space Technologies)12

Policy of Denial:

-   State Sponsors of Terrorism (Cuba, Iran, Libya, North Korea, Sudan and Syria)

-   Arms Embargo (Burma, PR China, Haiti, Liberia, Somalia and Sudan)

-   Others (Belarus, Iraq, Vietnam)

Policy of Denial Based on Item/End-User:

-   Afghanistan

-   Congo

-   Iraq

-   Rwanda

The U.S. is a member of various multilateral nonproliferation regimes, including:

Nuclear Suppliers Group (NSG) – With 39 member states, the NSG contributes to the nonproliferation of nuclear weapons through implementation of guidelines for control of nuclear and nuclear-related exports13.

Zangger Committee – The purpose of the 35-nation Nuclear Non-proliferation Treaty (NPT) Exporters (Zangger) Committee is to harmonize implementation of the NPT requirements to apply International Atomic Energy Agency (IAEA) safeguards to nuclear exports. The Committee maintains and updates a list of equipment and materials that may only be exported if safeguards are applied to the recipient facility (called the “Trigger List” because such exports trigger the requirement for safeguards)14.

Missile Technology Control Regime (MTCR) – MTCR partners have committed to apply a common export policy (the MTCR Guidelines) to a common list of controlled items, including all key equipment and technology needed for missile development, production, and operation. The MTCR Guidelines restrict transfers of missiles, and of technology related to missiles, for the delivery of WMD. The regime places particular focus on missiles capable of delivering a payload of at least 500 kg to a distance of at least 300 km (so-called “Category I” or “MTCR-class” missiles)15.

Australia Group (AG) – The objective of the AG is to ensure that the industries of the thirty-two participating countries do not assist, either purposefully or inadvertently, states or terrorists seeking to acquire a chemical and/or biological weapons (CBW) capability. All AG participants exercise national export control over items listed on the AG control list16.

Wassenaar Arrangement (WA) – The objective of the WA is to prevent destabilizing accumulations of arms and sensitive dual-use equipment and technologies that may contribute to the development or enhancement of military capabilities that would undermine regional security and stability, and to develop mechanisms for information sharing among the partners as a way to harmonize export control practices and policies17.

The Government of Japan controls sensitive goods and technologies, including relevant dual-use goods and technologies, in order to maintain both national and international peace and security. Japan bases its control regime on the Foreign Exchange and Foreign Trade Act (1949) and related legislation18. In 1998, when the foreign exchange business was completely liberalized, the 1949 Act was amended into the current Foreign Exchange and Foreign Trade Act, and the word “Control” was dropped from its title. As the principal economic law on trade and foreign exchange, the Act covers a broad range of cross-border transactions (foreign trade, foreign payments, foreign capital transactions, and direct investment in Japan); export control is only a small part of it. Article 48-(1) of the Act stipulates that any person intending to export specified goods must obtain permission from the Ministry of Economy, Trade, and Industry (METI); Article 25-1-(1) says that those intending to transfer specified technology to a foreign person or to a foreign country must obtain permission from the ministry.

The Center for Information on Security Trade Control (CISTEC) is the Government of Japan’s clearing house for information pertaining to export activities and regime compliance19. Under the Foreign Exchange and Foreign Trade Act, Japan implements list control and catch-all control for the purpose of preventing the proliferation of weapons of mass destruction, destabilizing accumulations of conventional arms, and terrorism.

In Japan, the Ministry of Economy, Trade and Industry (METI) is the competent authority administering export controls. Within METI, under the Trade and Economic Cooperation Bureau, is the Trade Control Department, which has four divisions. Of the four, the Security Export Control Policy Division, the Security Export Inspection Office established under that division, and the Security Export Licensing Division are the units in charge of security export control. The responsibility of each unit is as follows:

(1) The Security Export Control Policy Division

The Security Export Control Policy Division is responsible for export control policy setting, legislation, and overall administration. It joins discussions in international export control regimes.

(2) The Security Export Licensing Division

The Security Export Licensing Division is responsible for examining license applications and issuing licenses. It has some one hundred officers including those in regional offices.

(3) The Security Export Inspection Office

The Security Export Inspection Office is responsible for:

  1. Enforcement activity including on-site or on-the-spot inspections.

  2. Awareness promotion and outreach to prevent illegal exports.

Japan is actively taking part in international nonproliferation initiatives. It is a signatory to the major treaties on nuclear, biological and chemical nonproliferation, and participates in all the existing international export control regimes: the Nuclear Suppliers Group (NSG), the Australia Group (AG), the Missile Technology Control Regime (MTCR), and the Wassenaar Arrangement (WA).

The security architect needs to work with the relevant national, regional, and international regimes and organizations to understand which export controls the organization may be subject to, so that the required compliance activities and controls can be fully integrated into the organization’s security architecture. To communicate the required compliance activities to the organization in a timely fashion, and to ensure that all members of the organization understand their responsibilities under the compliance regime, the security architect should create the policies needed to support those activities and then ensure that they are communicated broadly within the organization, at all levels. These policies can take a variety of approaches and impose a variety of requirements, depending on which compliance activities are being addressed.

For example, it should be standard practice today in almost all organizations to have visitors “check in” in some form, with a receptionist, a guard, a sign-in log, or an automated system that can announce them to the appropriate party. While any or all of these activities are important to the security of the organization’s employees, because they prevent unknown and unwanted people from gaining access, they are not uniform in their application, nor are they standardized as to the details of implementation, monitoring, compliance, and reporting. Standards that address the key compliance requirements and activities help the security architect ensure that all compliance activities are undertaken with a common goal in mind and are uniform in their application, so that the organization can be sure the key requirements for successful compliance are met.

Activities within the organization that help to ensure compliance will include escort policies for non-employees, vendors, partners, and visitors, policies and controls for data access from remote locations, mobile device access policies and controls, data classification, separation of duties, the use of system baselines for deployment and monitoring, and multi-factor authentication.

In addition, the security architect should also be focused on activities such as change management, version control, incident and problem reporting, availability management, the service catalog, and release management. While some of these activities may not be thought of as “traditional” security activities, they directly affect many of the compliance requirements and behaviors that the security architect needs to implement in the organization.

Physical Security Risks

Physical security is often described as the “forgotten side of security,” and yet it is a key element of an overall protection strategy. Protection of restricted work areas is important to the overall functionality of the company’s operation. Proprietary, sensitive, and classified material must be protected from the general population or from other employees who do not have a need to know. In the case of a company, such areas may be protected by restricting unauthorized personnel from entering the area. General traffic flow to the area must be diverted away to minimize the entry of unauthorized personnel. Personnel who are authorized to enter these restricted areas must have a badge or credential that quickly identifies them as authorized. Moreover, these authorized personnel must be on an access roster that a guard can use to verify their credentials. If the area is a large area where vehicles are used, guards at the sentry post have to verify the vehicles being used to enter the premise along with personal identification. Verification may be accomplished by using access rosters for both vehicles and personnel. By applying these preventive measures, the risk of loss or damage is reduced.

Many organizations spend thousands of dollars on IT hardware and software, only to forget about securing the actual building that houses them. Remember: Even if no one can steal or corrupt the organization’s data over the network, they may still be able to walk out the front door with it.

Unauthorized Access

Access control is the regulation of movement into, from, and within a designated building or area. The primary objective of controlling entry into a facility or area is to ensure that only authorized persons are allowed to enter. Unauthorized access in simple terms is trespassing, which is defined as making an unwarranted or uninvited incursion; to enter unlawfully the land of another. The security architect’s mantra is protecting property, information, and personnel. Keeping unwanted intrusion away from the facility is paramount, and the function of the security architect is to incorporate knowledge, technology, vigilance, and professionalism into a sound security program.

Guard Force

Even with surveillance devices in place, the human element is necessary to determine whether an event is critical and requires intervention or response. Security officers are the physical presence that deters unauthorized entry into the facility, and they are the response force for an alarm activation. With all the alarm technology available, it still takes a human to respond to an alarm, make contact with an intruder, interact with employees, and provide first aid when necessary.

Security officers are required to conduct foot patrols of building interiors, exteriors, and parking areas. Some officers are assigned a fixed or stationary position at entrances and other designated areas in order to prevent unauthorized entrance or the introduction of prohibited items. Another security officer responsibility is to control access to the facility by checking identification badges, issuing temporary badges, and registering visitors. Officers are required to respond to fire, security, and medical emergencies, and render assistance when needed as well as submit written or oral reports regarding significant events to security management. They also escort designated visitors, usually construction and maintenance contractors, who require “after hours” access to facilities or access to areas where classified or proprietary information is accessible. They must immediately report potentially hazardous conditions and items in need of repair, including inoperative lights, leaky sprinkler heads, leaky faucets, toilet stoppages, broken or slippery floor surfaces, trip hazards, etc.

Access Control System

The primary function of an Access Control System (ACS) is to ensure that only authorized personnel are permitted inside the controlled area. This can also include the regulation and flow of materials into and out of specific areas. Persons subject to control can include employees, visitors, customers, vendors, and the public. Access control measures should be different for each application to fulfill specific security, cost, and operational objectives.

Control can begin at the facility property line to include such areas as parking lots. Exterior building entrances can then be controlled. Within the facility, any area can be controlled at the discretion of management. However, the applied control is normally consistent with identified risk, and the protective value that is desired. Protected areas can include street level entrances, lobbies, loading docks, elevators, and sensitive internal areas containing assets such as customer data, proprietary information, and classified information.

The goal of an access control program is to limit the opportunity for a crime to be committed. If the potential perpetrator of a crime cannot gain access to financial assets, data files, computer equipment, programs, documentation, forms, operating procedures, and other sensitive material, the ability to commit a crime against the institution is minimized. Thus, only identified, authorized personnel should be permitted access to restricted areas.

The basic components of an ACS include card readers, electric locks, alarms, and computer systems to monitor and control the ACS.

In order for the system to identify an authorized employee, an ACS needs to have some form of enrollment station to assign and activate an access control device. Usually, a badge is produced and issued with the employee’s identifiers, with the enrollment station giving the employee specific areas that will be accessible.

In general, an ACS compares an individual’s badge against a verified database. If authenticated, the ACS sends output signals that allow authorized personnel to pass through controlled areas such as a gate or door. The system has the capability of logging and archiving entry attempts (authorized and unauthorized).

A second scenario is to have an ACS reader next to a guard’s desk, so that when the individual places his or her badge on the reader, the ACS displays the enrolled photograph and the guard can verify that the person holding the badge is in fact the cardholder and that the card is valid. This greatly reduces the chance of a perpetrator stealing or finding a badge and using it to gain entry.

Another safeguard is to use a card reader with a Personal Identification Number (PIN) pad. This requires the user to enter a unique PIN in connection with the badge before the access point will open. Coded devices use a series of assigned numbers, commonly referred to as a PIN, that is entered into a keypad and matched against the numbers stored in the ACS. This style of reader is mostly used at employee entrances that are not manned by guards and at higher-security areas within the facility. It provides additional security because a lost or stolen badge will not grant entry into a controlled area without the proper PIN, much like an ATM bank card.

Another feature the access control system can provide is an event tracking/event log. These are lists or logs of security events recorded by the access control system that indicate the actions performed by an individual with an access badge and monitored by the system. Each event log entry contains the time, date, and any other information specific to the event.
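The decision logic described above (badge looked up in a verified database, an unlock signal only for an authorized area, a PIN required at unmanned readers, and a log of every attempt whether granted or denied) can be shown in a few dozen lines. The following is an added illustrative example, not code from the chapter or from any ACS vendor; the badge numbers, holders, reader names and PINs are constructed sample data, and the salted PIN hashing and the three-strikes suspension are design choices assumed here, not requirements stated in the text.

```python
# Added example (not from the chapter): a minimal access control system (ACS) decision
# engine showing badge lookup in the enrollment database, area authorization, a per-reader
# PIN requirement, revocation of lost or stolen badges, and an event log of every attempt.
# All badge IDs, holders, readers and PINs below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000   # assumption: PINs are stored salted and stretched, not in the clear
MAX_BAD_PINS = 3         # assumption: suspend a badge after this many wrong PINs in a row


@dataclass
class Badge:
    holder: str
    areas: frozenset        # areas granted at the enrollment station
    pin_salt: bytes
    pin_hash: bytes
    active: bool = True     # False once reported lost/stolen or suspended
    bad_pins: int = 0


@dataclass
class Reader:
    area: str
    requires_pin: bool      # True at unmanned entrances and higher-security rooms


class AccessControlSystem:
    def __init__(self):
        self.badges = {}    # badge_id -> Badge: the "verified database" a badge is checked against
        self.readers = {}   # reader_id -> Reader
        self.events = []    # event log, one entry per access attempt, granted or not

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, badge_id, holder, areas, pin):
        """Enrollment station: issue a badge and grant it specific areas."""
        salt = secrets.token_bytes(16)
        self.badges[badge_id] = Badge(holder, frozenset(areas), salt, self._hash_pin(pin, salt))

    def add_reader(self, reader_id, area, requires_pin=False):
        self.readers[reader_id] = Reader(area, requires_pin)

    def revoke(self, badge_id):
        """Deactivate a lost or stolen badge; the plastic still exists, so the database must say no."""
        self.badges[badge_id].active = False

    def request_access(self, reader_id, badge_id, pin=None):
        """Return True if the door at reader_id should release for badge_id; log the attempt either way."""
        reader = self.readers[reader_id]
        badge = self.badges.get(badge_id)
        if badge is None:
            return self._log(reader_id, badge_id, None, False, "unknown badge")
        if not badge.active:
            return self._log(reader_id, badge_id, badge.holder, False, "badge revoked or suspended")
        if reader.area not in badge.areas:
            return self._log(reader_id, badge_id, badge.holder, False, "not authorized for area")
        if reader.requires_pin:
            if pin is None:
                return self._log(reader_id, badge_id, badge.holder, False, "PIN required")
            # Constant-time comparison so response timing does not leak how close the guess was.
            if not hmac.compare_digest(self._hash_pin(pin, badge.pin_salt), badge.pin_hash):
                badge.bad_pins += 1
                if badge.bad_pins >= MAX_BAD_PINS:
                    badge.active = False   # a found badge cannot be brute-forced at the keypad
                return self._log(reader_id, badge_id, badge.holder, False, "bad PIN")
            badge.bad_pins = 0
        return self._log(reader_id, badge_id, badge.holder, True, "granted")

    def _log(self, reader_id, badge_id, holder, granted, reason):
        self.events.append(dict(time=datetime.now(timezone.utc).isoformat(), reader=reader_id,
                                area=self.readers[reader_id].area, badge=badge_id, holder=holder,
                                granted=granted, reason=reason))
        return granted


def build_sample_acs():
    """Constructed sample site: a badge-only lobby door and a badge-plus-PIN wiring closet."""
    acs = AccessControlSystem()
    acs.add_reader("lobby-door", "lobby")
    acs.add_reader("closet-door", "wiring-closet", requires_pin=True)
    acs.enroll("B1001", "alice", {"lobby", "wiring-closet"}, pin="4821")
    acs.enroll("B1002", "bob", {"lobby"}, pin="9137")
    return acs


if __name__ == "__main__":
    acs = build_sample_acs()
    acs.request_access("lobby-door", "B1001")                # granted: badge only
    acs.request_access("closet-door", "B1001")               # denied: PIN required
    acs.request_access("closet-door", "B1001", pin="4821")   # granted
    acs.request_access("closet-door", "B1002", pin="9137")   # denied: bob not authorized for the closet
    acs.revoke("B1001")
    acs.request_access("lobby-door", "B1001")                # denied: revoked
    for event in acs.events:
        print(event["time"], event["reader"], event["badge"], event["granted"], event["reason"])
```

Two points worth noticing. The area check runs before the PIN check, so a holder who is not authorized for a door never gets to exercise the keypad at all; and a denied attempt is logged with the same detail as a granted one, because the denied entries (a revoked badge presented at the lobby, repeated wrong PINs at the wiring closet) are exactly what the guard force and the incident responders will want to see.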

Card Types

-   Magnetic Stripe (mag stripe) cards consist of a magnetically sensitive strip fused onto the surface of a PVC card, like a credit card. A magnetic stripe card is read by swiping it through a reader or by inserting it into a slot. This is old technology; the card can be physically damaged by misuse and its data can be affected by magnetic fields. In terms of overall security, magnetic stripe cards are easy to duplicate.

-   Proximity Cards (prox cards) use an embedded antenna connected to a chip within the card. The chip is encoded with the unique card identification. The distance at which a proximity card can be read varies by manufacturer and installation, from a fraction of an inch to about six inches from the reader. The reader authenticates the card and releases the magnetic lock on the door. Proximity cards are moderately difficult to duplicate; the caveat for the security architect is that the common low-frequency (125 kHz) variety simply broadcasts a fixed identifier with no encryption, so it should be treated as cloneable with inexpensive equipment and paired with a PIN or a guard at sensitive doors.

-   Smart Cards are credential cards with a microchip embedded inside. Smart cards can store data such as access transactions, licenses held by the individual, qualifications, safety training, security access levels, and biometric templates. The card can double as an access card for doors and as an authenticator for a computer. The United States government has mandated smart cards to provide Personal Identity Verification (PIV), verifying the identity of every employee and contractor in order to improve data security; the card is used for identification as well as for facility and data access. Smart cards are hard to duplicate.

Badge Equipment

Employee badges are an excellent method of control for both identification and access. The badges need to be created and encoded by security personnel. The badges need to be maintained and accounted for, similar to key controls. These badges will allow entry into the facility, and they must be protected and controlled. The equipment necessary for a badging access control system will include:

  1. Camera for capturing photographs.

  2. Software for creating badge images.

  3. Badge printer capable of printing a color ID template on the front and back of the badge, and capable of encoding a magnetic stripe or smart card (where applicable). There are new-technology printers that are capable of printing pseudo holograms on the clear protective laminate, which may be considered for higher-security applications.

  4. Computer for retention and programming of the security credential database. This computer may be a stand-alone or client workstation that is connected to the ACS server database in a client–server architecture.

The badges that fit the needs of the operation, either magnetic, proximity, or smart, can be purchased in bulk and can be encoded and printed when needed.

The security architect should be aware of alternate mechanisms for badge management that exist. For instance, the United States government has moved to a central provisioning model for credentialing. The USAccess Program was established to provide Federal agencies with a complete solution for issuing a common federal credential (called the PIV credential) to employees and contractors. HSPD-12 requires that all federal agencies issue interoperable credentials to all federal employees and contractors20.

The USAccess program is designed to provide a comprehensive set of services, creating a secure, standards-based enterprise identity management capability with various PIV related components implemented with high availability and disaster recovery capabilities. Credential Production, Issuance, Activation and Management are handled as follows21:

- Automatically batches and processes PIV credential requests, produces the credential in a central facility, and ships to designated agency locations.

- Once the applicant receives the credential, his/her identity is confirmed using biometric verification followed by credential “personalization” with the applicant’s biographic information, fingerprint templates, and PIN, and the suite of digital certificates is generated.

- Credential management activities, such as suspensions, reprints or revocations, may be performed by authorized role holders via an intuitive user interface.

- Agencies using Light Activation stations provide applicants and credential holders with more convenient locations to easily activate their credential or perform maintenance activities such as certificate updates.

The security architect will also need to ensure that all authorized users within the organization are given awareness training regarding the badge issued to them. A sample of the type of information that should be provided to users regarding their badge and its use and maintenance can be found here: http://www.fedidcard.gov/viewdoc.aspx?id=54

Access Control Head End

The application software housed in the CPU is the physical intelligent controller through which all access control system activity is monitored, recorded into history, commanded, and controlled by the operator. Current access systems allow each local security panel to hold the system logic for its associated devices. The CPU retains the system-specific programming that grants entry (access) to authorized personnel and denies access to unauthorized personnel.

A communications failure between the CPU and a local access control panel could result in newly added users not being permitted entry; however, the system is configured so that the panel continues to recognize personnel already installed in it and will grant access to an authorized badge holder.

These systems can integrate with CCTV and provide instant visual recognition along with visual alarm activation in order to provide the security console operator visual information before dispatching a security response team.

Another feature of an access control system is that it can provide event tracking and event logs: lists of security events recorded by the access control system that indicate the actions performed by employees as they enter, or attempt to enter, a controlled area. Each event log entry contains the time, date, and any other information specific to the event. This is useful for identifying who has access to a specific area and for verifying with management whether that employee still needs that access.
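The access review described above can be scripted against an export of the head end's event log. The following is an added example, not code from the page or from any access control vendor: it parses a constructed CSV export, lists badges that are entitled to a door but have not used it within a review window (the "does this employee still need access?" question), and flags badges repeatedly denied at the same door for the console operator. The log lines, badge IDs, names and door names are all constructed for illustration.

```python
"""Access-control event log review: who uses an area, and which entitlements
look dormant. Added example, not from the page or any ACS vendor; the log
lines, badge IDs, holder names and door names are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical ACS head end, one event per
# line: timestamp,badge_id,holder,door,result
SAMPLE_LOG = """\
2024-03-01T08:02:11,B1001,A. Alvarez,DATACENTER-1,GRANTED
2024-03-01T08:05:40,B1002,B. Brown,DATACENTER-1,GRANTED
2024-03-01T22:47:03,B1003,C. Chen,DATACENTER-1,DENIED
2024-03-02T09:15:22,B1001,A. Alvarez,DATACENTER-1,GRANTED
2024-03-02T23:01:09,B1003,C. Chen,DATACENTER-1,DENIED
2024-03-03T23:10:51,B1003,C. Chen,DATACENTER-1,DENIED
2024-03-04T07:58:30,B1002,B. Brown,LOBBY,GRANTED
"""

# Constructed entitlement list: badges the head end is currently programmed to
# admit through each door. B1004 is entitled but never appears in the log.
ENTITLEMENTS = {"DATACENTER-1": {"B1001", "B1002", "B1004"}}


@dataclass(frozen=True)
class Event:
    when: datetime
    badge: str
    holder: str
    door: str
    granted: bool


def parse_events(text: str) -> list:
    """Parse the CSV export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, holder, door, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), badge, holder,
                            door, result == "GRANTED"))
    return events


def last_entry_by_badge(events, door) -> dict:
    """Most recent successful entry per badge at one door."""
    last = {}
    for e in events:
        if e.door == door and e.granted:
            if e.badge not in last or e.when > last[e.badge]:
                last[e.badge] = e.when
    return last


def dormant_entitlements(events, entitlements, door, now_iso, window_days=30):
    """Badges entitled to `door` with no successful entry inside the window.

    These are the entitlements to take to management for a 'still needed?'
    review; unused access is a removal candidate, not just an oddity."""
    last = last_entry_by_badge(events, door)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    return sorted(b for b in entitlements.get(door, set())
                  if b not in last or last[b] < cutoff)


def repeated_denials(events, door, threshold=3) -> dict:
    """Badges denied at `door` at least `threshold` times. Repeated denials
    usually mean a misconfigured entitlement or a holder probing a door they
    should not be at; either way the console operator should look."""
    counts = defaultdict(int)
    for e in events:
        if e.door == door and not e.granted:
            counts[e.badge] += 1
    return {b: n for b, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("dormant:", dormant_entitlements(evs, ENTITLEMENTS, "DATACENTER-1", "2024-03-31"))
    print("repeated denials:", repeated_denials(evs, "DATACENTER-1"))
```

Run against a real export the review is only as good as the entitlement list you compare with: pull it from the head end's current configuration at the same time as the log, so a badge revoked last week is not reported as dormant against stale data.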

Physical Security Needs and Organization Drivers

The security architect needs to be able to provide guidance to the organization concerning the best ways to achieve the identified goals that the organization may have. These goals are usually represented in the form of organization drivers that have been identified at a point in time as being important catalysts for organization decisions and actions within one or more areas of the organization.

There are certain goals that almost all organizations will have in common, and as a result, the security architect should be able to easily identify these goals and plan for them. For instance, risk management is a common theme among security-related organization drivers. Therefore, risk assessment techniques are very useful in identifying and prioritizing an organization’s security agenda. This enables companies to target scarce resources at the most likely and potentially damaging threats.

Among the most common organization drivers are the following:

- Governance / Compliance

- Regulations

- Certification

- Asset Protection

- Authentication

- Integrity

- Authorization

- Personnel Protection

- Life safety

- Business Building

- Mergers and Acquisitions

- New Business Models

- Business Continuity

- Cost Control

- Process reengineering

- Workflow automation

- Productivity

Whether it is a common organization driver, or one that is unique to a specific organization or industry vertical, the security architect needs to be able to maintain general system capability and flexibility in the system architecture in order to enable the organization to respond quickly and appropriately to the ever-changing landscape of need and opportunity.

There are many approaches that the security architect can examine and potentially utilize. For instance, if the security architect needs to address cloud-based infrastructure and systems, then the Cloud Security Alliance’s Trusted Cloud Initiative (TCI) Reference Architecture would be a good place to begin researching22. If the security architect needs basic building blocks for a security architecture to address the most common needs of an organization, then they can examine frameworks such as COBIT and ITIL, and the ISO 27002 standard23. The security architect can also look to solutions that are emerging as new and innovative ways to address common security issues and concerns for organizations, such as Physical Security Information Management (PSIM) systems24. If the organization is considering outsourcing some or all of its management, monitoring, and production capabilities, then the security architect will need to engage in all of the due diligence activities necessary to ensure that the vendor(s) selected will be able to perform the required activities and provide the levels of reporting and system access necessary for seamless integration with the systems that the organization still controls. The security architect should pay special attention to the Service Level Agreements (SLAs) negotiated and the specifics of the coverage they offer, as these details, if not understood and managed properly, can negatively impact all of the remaining services that the organization still controls and manages in house.

Facility Risk

It is the responsibility of the security architect to identify the facility risks and do everything possible to mitigate them. A vulnerability assessment tour of a facility is designed to gather information regarding the general layout of the facility, the location of key assets, information about facility operations and production capabilities, and locations and types of physical protection systems.

Facility risk assessments have an enormous potential to improve the safety of a facility by recognizing and eliminating potential problems. Restricted area physical security is not just about keeping bad people out with biometrics and retinal scans. It is also about keeping out the fires, floods, and hurricanes that can ravage the facility – and its data. An acceptable risk profile can only be achieved by identifying hazards and assessing the associated risks and control measures.

There are many potential risks that can take out a facility, from human error and natural disasters to corporate espionage. The security architect needs to be aware of all types of risk and take the necessary steps to mitigate and prepare for potential hazards.

The purpose of a data security program is to ensure adherence to three basic tenets:

- Confidentiality: Only authorized people should be able to see the data.

- Integrity: Only authorized people should be able to change the data and then, only in authorized ways.

- Availability: Authorized persons should be able to access the data whenever they are allowed to do so.

Compromises may be necessary to provide a level of security that does a fair job of keeping out intruders but does not make the information inaccessible to authorized users. A comprehensive security program must include written policies and procedures, access control systems, user authentication technologies, auditing systems, encryption, and content security.

In order to understand how physical security dovetails with IT security, it is necessary to fully understand the basic concepts of the following:

  1. Threat – Anything that can harm assets

  2. Vulnerability – Anything that allows the harm to occur, or a weakness that allows security breaches to occur

  3. Countermeasure – Steps taken to reduce the risk of the occurrence, or the magnitude, of asset loss

The following measures outline the requirements that physical security must satisfy to provide the necessary facility protections and the means to protect the personnel, information, and other assets of an organization.

Target identification involves identifying the most valuable asset that needs to be protected. Assets can be personnel, property, equipment, or information. To identify assets to be protected, it would be prudent to prioritize the assets or establish a matrix and identify the asset in conjunction with the probability of attack, along with the question: What would be the impact and consequence of the loss of the asset?


Walking a team of security professionals through a facility will provide a static picture of how to protect it. However, one of the best ways to build a comprehensive approach toward protecting the facility is by doing on-site interviews. Everyone has an opinion on security, and often the best insight and information on what needs to be protected and how it should be protected comes from interviewing the staff. It is important for the security architect to bear in mind that any changes proposed to the security controls of the organization will need to be vetted through the standing change management processes in place. It is the responsibility of the security architect to be familiar with the change management processes that exist, and to ensure that they are followed at all times. Some questions that the security architect will want to make sure that they have answers for in this area are as follows:

  1. How do changes get made to existing security controls?

  2. Who authorizes changes?

  3. When are users notified of the changes?

  4. How are users notified of the changes?

The American Institute of Architects has established some key security questions that need to be addressed while performing a security assessment.25

  1. What do we want to protect?

  2. What are we protecting against?

  3. What are the current or expected asset vulnerabilities?

  4. What are the consequences of loss?

  5. What specific level of protection do we wish to achieve?

  6. What types of protection measures are appropriate?

  7. What are our protection constraints?

  8. What are the specific security design requirements?

  9. How do the integrated systems of personnel, technologies, and procedures respond to security incidents?

Once these questions have been answered and a thorough facilities evaluation and staff interview completed, it is time to develop and outline a physical protection system for the facility.

Site Planning

The primary goal of a physical protection program is to control access to the facility. In the concept of defense in depth, barriers are arranged in layers with the level of security growing progressively higher as one comes closer to the center or the highest protective area. Defending an asset with a multiple layer posture can reduce the likelihood of a successful attack; if one layer of defense fails, another layer of defense will hopefully prevent the attack, and so on. This design requires the attacker to circumvent multiple defensive mechanisms to gain access to the targeted asset.

The single most important goal in planning a site is the protection of life, property, and operations. The security architect needs to make decisions in support of this goal, and these decisions should be based on a comprehensive security assessment of the threats and hazards so that planning and design countermeasures are appropriate and effective in the reduction of vulnerability and risk.

Technology is not the only answer to heightened security needs. It is essential to start by first looking at the way the facility is laid out and then assessing what electronic devices are needed to achieve enhanced overall security. The positioning of security personnel for presence and response capability is a key to the overall success of a comprehensive security protection program.

There is a natural conflict between making a facility as convenient and open as possible for staff and visitors and maintaining a secure facility. However, with most applications and design requirements, there needs to be cooperation between several departments. Expediency should be considered during the different phases of the design review; however, the requirement for security should not be sacrificed for convenience. Proper security controls will reduce the flow rate and ease of entry and egress into and out of a facility, but will also allow for rapid evacuation in case of emergency. These issues must be addressed in the initial planning to facilitate additional entry points or administrative requirements. Once a process has been established and there is buy-in from the employees, the acceptance of operational policy is generally embraced.

Designing a new building to mitigate threats is simpler and more cost-effective than retrofitting an existing building. Important security benefits are achieved not by hardware and electronic devices but by shrewd site selections, proper placement of the building on the site, and careful location of building occupants and functions to minimize exposure to threat. These factors also have the benefit of reducing operating expenses over the lifetime of the building, such as limiting the number of entrances to the site that must be monitored, staffed, and protected.

When there are changes to the design after the fact and personnel are used to doing something a certain way, there will be reluctance, questions, and push back. Organizations generally resist change. However, if a sound explanation is presented through an effective change management process the impact can be minimized.

To maximize safety and security, a design team should implement a holistic approach to site design that integrates security and function to achieve a balance among the various design elements and objectives. Even if resources are limited, significant value can be added to a project by integrating security considerations into the more traditional design tasks in such a way that they complement the design.

The movement of people and materials throughout a facility is determined by the design of its access, delivery, and parking systems. Such systems should be designed to maximize efficiency while minimizing conflicts between the entry and departure of vehicles and pedestrians. Designers should begin with an understanding of the organization’s requirements based on an analysis of how the facility will be used. The design process of a security plan for a new facility should begin with the interior, then the exterior, and finally the outer perimeter.

When designing the data center, make sure that only durable materials are used that can exceed normal design loads. At a minimum, the facility must be capable of withstanding 200 mile per hour winds and driven rain or snow. Material such as masonry and concrete will afford the most protection to the facility, along with fire resistance. Include only necessary windows in the structure. 20-foot high ceilings provide tolerance of over-temperature conditions.

Restricted Work Areas

Sensitive Compartmented Information Facilities (SCIF)26

In highly restricted work areas or government SCIFs, there is a requirement to increase the security measures to ensure stricter access control to these areas. The physical security protection for a SCIF is intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons. An organization may not be required to maintain government classified information; however, the organization’s profitability and employment may be tied to proprietary information that requires the same level of security.

SCIF walls will consist of three layers of 5/8 inch drywall and will be from true floor to true ceiling. There will typically be only one SCIF entrance door, which will have an X-09 combination lock along with access control systems. All SCIF perimeter doors must be plumbed in their frames and the frame firmly affixed to the surrounding wall. Door frames must be of sufficient strength to preclude distortion that could cause improper alignment of door alarm sensors, improper door closure, or degradation of audio security. All SCIF primary entrance doors must be equipped with an automatic door closer.

Basic HVAC requirements are that any duct penetration into the secured area that is over 96 square inches will require bars so as to prevent an intruder from climbing through the ducts.

White noise or sound-masking devices need to be placed over doors, in front of plenums, or pointed toward windows to prevent an eavesdropper from listening to classified conversations. Some SCIFs use music or noise that sounds like a constant flow of air to mask conversation.

All access control must be controlled from within the SCIF. Intrusion detection is sent out to a central station with the requirement that a response force will respond to the perimeter of the SCIF within 15 minutes.

Data Centers

When discussing the need to secure the data center, security architects tend to immediately think of sabotage, espionage, or data theft. While the need is obvious for protection against intruders and the harm caused by intentional infiltration, the hazards from the ordinary activity of personnel working in the data center present a greater day-to-day risk for most facilities.

Personnel within the organization need to be segregated from access areas where they do not have a “need to know” for that area. The security officer will have physical access to most of the facility but has no reason to access financial or HR data. The head of computer operations might have access to computer rooms and operating systems, but not the mechanical rooms that house power and HVAC facilities. It comes down to not allowing wandering within the organization. As data centers grow, the need for physical security at the facility is every bit as great as the need for cyber security of networks. The data center is the brains of the operation and, as such, only specific people should be granted access.

The data center should have signs at the doors marking the room as “restricted access” and prohibiting consumption of food and drink, and smoking in the computer room. There should be a mandatory authentication method at the entrance to the room such as a badge reader, biometric control, or a guard station.

The Network Operations Center (NOC) is the central security control point for the data center. This is the internal gatekeeper for the data center. It must have fire, power, weather, temperature, and humidity monitoring systems in place. The NOC must have redundant methods of communication with the outside world, including telephone, cell phone, or two-way radio system. The NOC must be manned 24 hours a day.

Access to the data center should be restricted to those who need to maintain the servers or infrastructure of the room. Service engineers must go to the NOC to obtain access to the computer room.

Cleaning crews should work in groups of at least two. Cleaning crews should be restricted to offices and the NOC. If cleaning staff must access a data center for any reason, they will be escorted by NOC personnel.

The standard scenario for increased security at a data center would consist of the basic security-in-depth: progressing from the outermost (least sensitive) areas to the innermost (most sensitive) areas. Security will start with entry into the building, which will require passing a receptionist guard, and then using a proximity card to gain building entry. Access to the computer room or data center will now require the same proximity card along with a PIN and a biometric device.

Combining access control methods at an entry control point will increase the reliability of access for authorized personnel only. Using different methods for each access level significantly increases security at inner levels, because each is secured by its own methods as well as those of outer levels that must be entered first. This would also include internal door controls. For a data center, the use of an internal mantrap or portal would provide increased entry and exit control. A portal (Figure 6.1) allows only one person in at a time and will only open the inner door once the outer door is closed. The portal can have additional biometrics within the device that must be activated before the secured side door opens.

Figure 6.1 A portal allows only one person in at a time and will only open the inner door once the outer door is closed.
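The layered entry rules and the portal behaviour described above can be written down as a small model, which is a useful way to check a design before the hardware is specified. The following is an added example, not code from the page or from any access control product. It models two things: a zone hierarchy in which an inner zone can only be requested from inside its parent zone and each zone's entry point demands its own factors (building: proximity card; data center: card, PIN and biometric), and a two-door portal interlock that releases the secured-side door only when the outer door is closed, exactly one person is inside, and the in-portal biometric has verified. The zone names, factor names and badge records are constructed; the alarm flag for a second occupant is a design choice of this example.

```python
"""Layered entry control and a portal (mantrap) interlock, as a design model.
Added example; zone names, factor names and badge records are constructed."""
from dataclasses import dataclass

# Constructed zone hierarchy. Each zone names its parent and the factors its
# own entry point requires. Inner zones add factors; the outer zone's controls
# still apply because the holder had to pass them to reach the parent zone.
ZONES = {
    "BUILDING":   {"parent": None,       "factors": {"card"}},
    "DATACENTER": {"parent": "BUILDING", "factors": {"card", "pin", "biometric"}},
}


@dataclass
class Holder:
    badge: str
    entitlements: set          # zones the ACS is programmed to admit this badge to
    location: str = "OUTSIDE"  # zone the ACS believes the holder is in now


def request_entry(holder, zone, presented):
    """Decide one entry request; returns (granted, reason).

    The holder must already be inside the parent zone (outer layers entered
    first), must be entitled to the zone, and must present every factor the
    zone's own entry point requires."""
    z = ZONES[zone]
    if z["parent"] is not None and holder.location != z["parent"]:
        return False, f"not inside {z['parent']}"
    if zone not in holder.entitlements:
        return False, "no entitlement"
    missing = z["factors"] - set(presented)
    if missing:
        return False, "missing factors: " + ",".join(sorted(missing))
    holder.location = zone
    return True, "granted"


class Portal:
    """Two-door interlock. The inner door opens only when the outer door is
    closed, exactly one occupant is present and the in-portal biometric has
    verified. A second occupant raises an alarm for the console operator."""

    def __init__(self):
        self.outer_open = False
        self.inner_open = False
        self.occupants = 0
        self.verified = False
        self.alarm = False

    def open_outer(self):
        # Never have both doors open, and never admit into an occupied portal.
        if self.inner_open or self.occupants > 0:
            return False
        self.outer_open = True
        return True

    def enter(self):
        """A person steps in from the unsecured side (floor sensor count)."""
        if not self.outer_open:
            return False
        self.occupants += 1
        if self.occupants > 1:
            self.alarm = True
        return True

    def close_outer(self):
        self.outer_open = False
        return True

    def verify_biometric(self, ok):
        self.verified = bool(ok)
        return self.verified

    def open_inner(self):
        """Release the secured-side door only if every interlock condition holds."""
        if self.outer_open or self.occupants != 1 or not self.verified or self.alarm:
            return False
        self.inner_open = True
        return True

    def exit_inner(self):
        """Occupant leaves to the secured side; reset for the next cycle."""
        self.inner_open = False
        self.occupants = 0
        self.verified = False
        return True


if __name__ == "__main__":
    h = Holder("B1001", {"BUILDING", "DATACENTER"})
    print(request_entry(h, "DATACENTER", {"card", "pin", "biometric"}))  # not inside BUILDING
    print(request_entry(h, "BUILDING", {"card"}))
    print(request_entry(h, "DATACENTER", {"card", "pin", "biometric"}))
```

The `location` field is what the design hinges on: without anti-passback tracking of where a holder is, the ACS cannot enforce "outer layers first", and a credential replayed at the inner door alone would be judged only on its own factors.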

Protection Plans

The primary foundation of effective building security requires careful planning, design, and management of the physical protection system, in order to integrate people, procedures, and equipment into the process. Protecting a building, its occupants, and related assets can pose a complex problem, and there is no perfect defense to all of the potential threats a target may face. Optimizing building security with respect to performance, cost, and efficiency ultimately requires compromise and balance in the application and consideration of people, procedures, and equipment. The fundamental aspects of building operations, however, are built upon three basic components: people, procedure, and technology. The combination of these elements contributes to overall organizational security as well as providing the basis for effective emergency preparation and response.

People are the most important consideration for any security plan. People are not considered expendable assets. Yes, people can be replaced with new personnel, but they are still an asset that must be protected to the greatest extent possible. Personnel within an organization have specific functions depending on the department in which they work and the expertise they possess. A successful plan takes into consideration which departments need to be functional in the shortest amount of time possible. It is important to understand the pattern of movement of a building’s occupants. This will help to ensure the procedures outlined in the plan take into account where the highest concentration of personnel may be located. With the examination of people within an organization, it is important to determine the type of security personnel an organization will use. Contract or proprietary personnel can be utilized. The most effective and efficient methods and locations to deploy those security personnel assets must also be determined.

The other category of people is those who provide protection. In the people element of security operations, the integration of people as a layer of security in the form of security guards and other security personnel is another consideration. The architectural layout of the building can be designed to influence the movement of people for rapid evacuation, limited congregation, increased visibility, and to limit the need for a large amount of security personnel.

Security is a dynamic process, and for it to be effective, it must be procedural in nature. For example, emergency response and business continuity plans must be developed well in advance of a critical incident and must define the plan of action or steps to be taken in a logical, orderly, and procedural manner. The development of procedures involves planning for such events as evacuation, emergency response, and disaster recovery in response to fires, natural disasters, and criminal intrusions. Policies and procedures are then developed to assist with the proper response and recovery actions in the event a crisis strikes. It should be noted that policies and procedures are guides to actions that should be taken in the event of an emergency, and should not be inflexibly construed. No critical incident is the same, and it would be impossible to develop a procedure for every possible event that could occur. Procedures should be written in such a way that they can be adapted to any application.

The third element of the security operation, technology, involves hardware, electronics, and other equipment used in the security mission. In building security design, technologies can be built in or retrofitted into the existing structure to perform a variety of functions such as access control, surveillance, personnel screening, intrusion detection, and fortification. Technology has also helped to advance competitive intelligence gathering and espionage activities. Global positioning systems and high-resolution surveillance are pushing security to new levels. Using this technology, the security architect can track an item taken from a facility via GPS with a tiny sensor attached or scanned onto it.

These elements of security, people, procedures, and technology, are interdependent because they rely on each other to be effective. For example, the behaviors and needs of people dictate what procedures and equipment may be deployed; procedures depend on people to be effective; and equipment requirements depend on the particular procedures to be followed in a critical incident. A cost-effective and comprehensive plan necessitates a balance of these three elements, taking into account their particular contribution to the mission; one application may be security personnel intensive, whereas another may be equipment intensive.

Evacuation Drills

Every organization should have an emergency management plan developed in partnership with public safety agencies, including law enforcement, fire, and local emergency preparedness agencies. The plan should address fire, natural, and manmade disasters. An organization’s plan should be tailored to address the unique circumstances and needs of the operation. For example, organizations on the east coast of the United States do not need to prepare for frequent earthquakes, but all operations in California will put this as one of their top-priority drills. The security architect needs to have a general awareness of the historical events pertinent to the geographies where the organization does business in order to be able to effectively plan and prioritize for the different kinds of events that are more or less likely to occur.

Staff training, particularly for those with specific responsibilities during an event, will include a combination of security personnel, facilities, and selected employees designated as floor fire wardens. Holding regularly scheduled practice drills, similar to the common fire drill, allows for plan testing, as well as employee and key staff rehearsal of the plan, and increases the likelihood of success in an actual event.

If the organization has a visitor management software program incorporated with access control, this will provide a system for knowing who is in a building, including customers and visitors.

In the United States, the FEMA Emergency Management Guide for Business and Industry outlines specific areas that need to be addressed and implemented during an evacuation of a facility27:

  1. Decide in advance who has the authority to order an evacuation. Create a chain of command so that others are authorized to act in case your designated person is not available. If local officials tell you to evacuate, do so immediately.

  2. Identify who will shut down critical operations and lock the doors, if possible, during an evacuation.

    - Choose employees most able to make decisions that emphasize personal safety first.

    - Train others who can serve as a backup if the designated person is unavailable.

    - Write down, distribute, and practice evacuation procedures.

  3. Locate and make copies of building and site maps with critical utility and emergency routes clearly marked.

    - Identify and clearly mark entry–exit points both on the maps and throughout the building.

    - Post maps for quick reference by employees.

    - Keep copies of building and site maps with your crisis management plan and other important documents in your emergency supply kit and also at an off-site location.

    - Make copies available to first responders or other emergency personnel.

  4. Plan two ways out of the building from different locations throughout your facility.

  5. Consider the feasibility of installing emergency lighting or plan to use flashlights in case the power goes out.

  6. Establish a warning system.

    - Test systems frequently.

    - Plan to communicate with people who are hearing impaired or have other disabilities and those who do not speak the local language.

  7. Designate an assembly site.

    - Pick one location near your facility and another in the general area in case you have to move farther away.

    - Talk to your people in advance about the importance of letting someone know if you cannot get to the assembly site or if you must leave it.

    - Ensure the assembly site is away from traffic lanes and is safe for pedestrians.

  8. Try to account for all workers, visitors, and customers as people arrive at the assembly site.

    - Take a head count.

    - Use a prepared roster or checklist.

    - Ask everyone to let others know if they are leaving the assembly site.

  9. Determine who is responsible for providing an all-clear or return-to-work notification. Plan to cooperate with local authorities responding in an emergency.

  10. Plan for people with disabilities who may need help getting out in an emergency.

  11. If your organization operates out of more than one location or has more than one place where people work, establish evacuation procedures for each individual building.

  12. If your company is in a high-rise building, an industrial park, or even a small strip mall, it is important to coordinate and practice with other tenants or organizations to avoid confusion and potential gridlock.

  13. If the organization rents, leases, or shares space with other organizations, make sure the building owner and other companies are committed to coordinating and practicing evacuation procedures together.

There are also special requirements for high-rise buildings, which are buildings with more than seven floors:

  1. Note where the closest emergency exit is.

  2. Be sure personnel know another way out in case the first choice is blocked.

  3. Take cover against a desk or table if objects are falling.

  4. Move away from file cabinets, bookshelves, or other objects that might fall.

  5. Face away from windows and glass.

  6. Move away from exterior walls.

  7. Listen for and follow instructions.

  8. Take an emergency supply kit, unless there is reason to believe it has been contaminated.

  9. Do not use elevators.

  10. Stay to the side while going down stairwells to allow emergency workers to come up.

There may also be requirements to shelter-in-place. There may be situations when it is best to stay in the building to avoid any uncertainty outside. There are other circumstances, such as during a tornado or a chemical incident, when specifically how and where personnel take shelter is a matter of survival. The security architect should understand the different threats and plan for all possibilities. FEMA has developed a system to put into place if personnel are instructed by local authorities to take shelter.

Determine where personnel will take shelter in case of a tornado warning:

  1. Storm cellars or basements provide the best protection.

  2. If underground shelter is not available, go into an interior room or hallway on the lowest floor possible.

  3. In a high-rise building, go to a small interior room or hallway on the lowest floor possible.

  4. Stay away from windows, doors, and outside walls. Go to the center of the room. Stay away from corners because they attract debris.

  5. Stay in the shelter location until the danger has passed.

If local authorities believe the air is badly contaminated with a chemical, you may be instructed to “shelter-in-place” and seal the room (Figure 6.2). Sealing the room is a temporary protective measure that creates a barrier between your people and potentially contaminated air outside. It is a type of sheltering that requires preplanning [28].

  1. Identify a location to “seal the room” in advance.

    -   If feasible, choose an interior room, such as a break room or conference room, with as few windows and doors as possible.

    -   If your organization is located on more than one floor or in more than one building, identify multiple shelter locations.

  2. To seal the room effectively:

    -   Close the organization, and bring everyone inside.

    -   Lock doors, and close windows, air vents, and fireplace dampers.

    -   Turn off fans, air conditioning, and forced air heating systems.

    -   Take your emergency supply kit unless you have reason to believe it has been contaminated.

    -   Go into an interior room, such as a break room or conference room, with few windows, if possible.

    -   Seal all windows, doors, and air vents with plastic sheeting and duct tape. Measure and cut the sheeting in advance to save time.

    -   Be prepared to improvise, and use what you have on hand to seal gaps so that you create a barrier between yourself and any contamination.

Local authorities may not immediately be able to provide information on what is happening and what you should do. However, you should watch TV, listen to the radio, or check the Internet often for official news and instructions as they become available.

Incident Response

An incident response plan takes its place beside business continuity and disaster-recovery plans as a key corporate document that helps guarantee that companies will survive whatever glitch, emergency, or calamity comes their way. And while a business continuity plan aims to preserve operations in the face of adversity and a disaster recovery plan details what to do in case of a disaster, an incident response plan is broader, laying out how to respond to scenarios as diverse as data security breaches and network crashes.

Figure 6.2 Shelter-in-Place is a process used to seal a room as a temporary protective measure to create a barrier between your people and potentially contaminated air outside.

(Source: http://www.ready.gov/sites/default/files/shelter_in_place.jpg)

Plans and procedures, including recovery plans, emergency response, and evacuation, are deployed in response to different kinds of security and safety threats such as earthquakes, explosions, lightning damage, and fires. Once the plans and procedures have been established, policies can be deployed to show how security personnel respond to the foregoing threats and to assist in recovery from other incidents that may occur.

Technology involves where and how screening of personnel and materials will be accomplished, and what kinds of systems and equipment will be used. The technology must be suitable for the operations or mission of the facility.

There is no way to prevent a natural disaster from occurring; however, the security architect can take action to avoid the most devastating damage that the organization may face. Lack of knowledge, and fear of the unknown about what to do in an emergency, has caused organizations to fail or has increased their costs through an extended recovery time. Companies must identify the risks and hazards facing their organization, determine what types of training are useful, and categorize and deal with the risks rationally. The goal of emergency preparedness is to be reasonably prepared and not to be swept up in a sea of confusion.

The best time to respond to a disaster is before it happens. A relatively small investment of time and money now may prevent severe damage and disruption to lives and to the organization in the future. Every area of the world is subject to some kind of disaster. Floods, hurricanes, earthquakes, ice storms, and landslides could happen at any time. Everyone responds to disasters differently; however, security architects can take advantage of typical human behavior in the aftermath of an event. Seek out those individuals who rise above the chaos, and get them trained and involved in recovery activities. This will improve the organization’s chances for a shorter recovery time and a successful recovery effort.

The security architect needs to put together a plan of action, and in doing so will identify areas that need to be addressed when an incident response is required. There are five areas that can be initiated and prepared for before an actual incident response becomes necessary.

  1. Identify what can happen.

  2. Put together the team.

  3. Establish a communication plan.

  4. Identify who does what, and when.

  5. Test the plan.

Design Validation
Penetration Tests

A penetration test is a good way to test the security operations of the organization. From an IT standpoint, the idea of a penetration test is immediately connected to testing the network defenses by attempting to access a system from the outside using “hacker” techniques. However, from the physical security aspect, there is a personal approach that needs to be addressed. There are several variations of physical penetration methods used by perpetrators, including dumpster diving, lock picking, social engineering, physical access compromise, and simulated sabotage. While these techniques may seem extreme, it is important to remember that bad guys do not follow the rules, and they do not play nice.

There are many benefits to conducting a penetration test on a facility. It will identify vulnerable areas that need to be immediately addressed. In order to determine the effectiveness of the security apparatus in place, a penetration test is essential. It is easy to say we have outstanding security personnel and a security program in place, but it is another matter to verify and confirm it.

-   Will the guard at the front desk actually look for a perpetrator or an individual without a badge?

-   Can the guard spot a forged badge, or tell whether the picture on the badge matches the individual?

-   Will employees stop and question someone who looks out of place inside the building? Will they contact security and report that there is someone on their floor who does not belong?

-   Will employees hold open a door for someone trying to enter through an employee-only entrance, or will they make them use their access card; and does the employee-only entrance require a dual-technology badge and PIN?

Having an outside entity attempt the penetration is the best method. They look for easy access points into the facility, or they try to mingle with the crowd during morning hours when everyone is coming in to work. If the facility utilizes a contract guard force, this can be done in coordination with their upper management. There are also several companies that specialize in penetration testing.

Another perimeter area to look at: is there construction going on? Can a perpetrator put on a hard hat and walk in with the construction crew, then discard the construction gear and walk into the facility as though he belongs? How are construction, contractors, and vendors controlled?

Are secured areas truly secured? Are there layers of security within the structure? Or is all of the security emphasis and monitoring focused externally? Many facilities place all the emphasis on the outer security perimeter, but once an intruder has navigated through into the building, there are virtually no security measures in place.

A penetration test can determine if security measures are enforced within the building. Are all employees required to wear identification badges in plain sight while they are inside the building? Are security awareness posters displayed?

After an intruder has entered through the perimeter, can they walk into areas within the facility and go through an employee area without being disturbed? Will anyone confront them and question their presence in the area?

The penetration test will identify vulnerabilities at the perimeter, but what about exiting the facility – are there any safeguards set up to deter the removal of classified information or property from the facility?

Other methods used in penetration testing include a social engineering scheme, in which the attacker relies on human nature to gain access to unauthorized network resources. This could be in the form of eavesdropping or “shoulder surfing” (looking over your shoulder) to obtain access information. The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. The natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. The concept of “trust but verify” needs to be instilled in all staff. All employees should be trained on how to keep confidential data safe. The simple statement “I’m sorry but I do not know who you are and I will not be providing that information over the phone” will provide for a level of security.

Another of the penetration tests is the simple task of checking your trash. “Dumpster diving” is the practice of searching through the trash of an individual or organization in an attempt to obtain something useful. It can also include data aggregation by looking for passwords written on sticky notes, unwanted files, letters, memos, photographs, IDs, and other paperwork that has been found in dumpsters. This oversight is a result of many people not realizing that sensitive items such as passwords, credit card numbers, and personal information they throw in the trash could be recovered anywhere from the dumpster to the landfill.

Every organization has information that is confidential and must be disposed of properly. Carelessly discarded correspondence, financial statements, medical records, credit card statements, photocopies, and computer printouts are all easily removed from the trash. Should this data get into the wrong hands, it can cause acute embarrassment, financial loss, or legal action. Loss of government data can result in a serious breach of national security [29]. The European Union may force companies operating critical infrastructure in areas such as banking, energy, and stock exchanges to report major online attacks and reveal security breaches. The European Union’s executive Commission presented a proposal on cybersecurity in February 2013, once it had received feedback from the European Parliament and EU countries.

Personal information in the wrong hands can be just as damaging. Protecting personnel privacy is a vital necessity, and shredding has become standard practice in offices as well as homes. There are several methods for proper destruction of information. Organizations can contract with a licensed and bonded shredding company that will come to the site with a mobile shredding truck and dispose of classified material and sensitive information while an organization representative watches and verifies the destruction (with a photo), or organizations can shred on site, depending on the volume of information that needs to be destroyed. Shredding services also have the capacity to irretrievably destroy hard drives and physical components. Table 6.1 lists some common intrusion tactics and strategies for prevention [30].

Access Control Violation Monitoring

When doors are not physically controlled by a guard, there is a tendency for personnel to violate entry procedures. Where access is controlled by card reader, violations may occur by “tailgating” or “piggybacking,” in which an authorized employee with a valid entry card is closely followed through the door by a non-authorized perpetrator, or by another authorized employee who inadvertently failed to follow proper entry procedures without considering the security consequences.

If the facility has an employee entrance that does not have a mantrap or turnstile entry system and has only a single door, there are products available to announce when a tailgate has occurred. This could be a buzzer local to the door that sounds to alert a valid cardholder to challenge someone tailgating behind them.

In higher-end security systems, the alarm may be used to alert a control room operator and trigger live closed circuit television (CCTV) images allowing immediate action to be taken. When coupled with a modern integrated security management system, a full alarm event history can be produced indicating the date, time, and location of the alarm, the cardholder who allowed someone to tailgate, and the digital CCTV images of the person tailgating.

This is why a defense-in-depth approach is necessary. If a perimeter door is compromised and an individual has gained entry into the facility, the area that has been entered will not be a high-value area, and a response team can cordon off the area that has been breached and make contact with the violator.

Maintaining an audit trail of improper entry attempts or entry violations (allowing tailgating) is a way to identify employees who need additional training on proper security entry requirements; more drastically, for continual violations, notify their supervisor, and if all else fails, revoke their badge and require them to be escorted all day. This is a drastic move, but they will only need to be escorted once by a fellow worker before they get the message and will adhere to proper security procedures.
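As an added example of the audit-trail logic described above (it is not code from the chapter or from any vendor's security management system), the following Python script attributes tailgate alarms in a constructed card-reader event log to the cardholder who last badged through that door, builds the alarm event history (date, time, location, cardholder), and maps each cardholder's repeat count to the escalation steps the text describes: additional training, then supervisor notification, then badge revocation with escort. The log format, door names, card numbers, and the ten-second attribution window are assumptions made for the example.

```python
"""Tailgate attribution and escalation over a constructed access-control event log.

Added example, not from the original chapter. It assumes a simple text log
format (constructed here) in which the card-reader system emits one line per
event, and that a tailgate alarm at a door is attributed to the most recent
cardholder granted entry at that door within ATTRIBUTION_WINDOW seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, door, event type, optional card id.
SAMPLE_LOG = """\
2023-05-01T08:01:10 door=EMP-EAST event=ACCESS_GRANTED card=1042
2023-05-01T08:01:14 door=EMP-EAST event=TAILGATE_ALARM
2023-05-01T08:03:02 door=EMP-EAST event=ACCESS_GRANTED card=2210
2023-05-01T08:03:40 door=EMP-WEST event=ACCESS_DENIED card=3333
2023-05-01T08:04:05 door=EMP-WEST event=ACCESS_GRANTED card=1042
2023-05-01T08:04:07 door=EMP-WEST event=TAILGATE_ALARM
2023-05-02T08:00:59 door=EMP-EAST event=ACCESS_GRANTED card=1042
2023-05-02T08:01:03 door=EMP-EAST event=TAILGATE_ALARM
2023-05-02T08:09:00 door=EMP-EAST event=ACCESS_GRANTED card=2210
2023-05-02T08:09:05 door=EMP-EAST event=TAILGATE_ALARM
2023-05-02T12:30:00 door=EMP-WEST event=ACCESS_GRANTED card=3090
2023-05-02T12:30:03 door=EMP-WEST event=TAILGATE_ALARM
2023-05-03T12:31:00 door=EMP-WEST event=ACCESS_GRANTED card=3090
2023-05-03T12:31:06 door=EMP-WEST event=TAILGATE_ALARM
2023-05-03T17:45:00 door=EMP-EAST event=TAILGATE_ALARM
"""

# Assumed: a tailgate more than 10 s after the last valid badge-in at that
# door is not blamed on that cardholder (e.g. a door forced or propped open).
ATTRIBUTION_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def attribute_tailgates(events):
    """Return the alarm history: (ts, door, cardholder or None) per tailgate.

    Events must be in chronological order, as a card-reader system emits them.
    """
    last_granted = {}  # door -> (ts, card) of the most recent valid entry
    history = []
    for ev in events:
        if ev["event"] == "ACCESS_GRANTED":
            last_granted[ev["door"]] = (ev["ts"], ev["card"])
        elif ev["event"] == "TAILGATE_ALARM":
            card = None
            granted = last_granted.get(ev["door"])
            if granted and ev["ts"] - granted[0] <= ATTRIBUTION_WINDOW:
                card = granted[1]
            history.append((ev["ts"], ev["door"], card))
    return history


def escalation(count):
    """Map a cardholder's repeat count to the escalation step from the text."""
    if count >= 3:
        return "revoke badge; escort required"
    if count == 2:
        return "notify supervisor"
    if count == 1:
        return "additional training"
    return "none"


def violation_report(text):
    """Return ({card: (count, action)}, unattributed_count, history)."""
    history = attribute_tailgates(parse_log(text))
    counts = defaultdict(int)
    unattributed = 0
    for _, _, card in history:
        if card is None:
            unattributed += 1  # needs CCTV review; no cardholder to coach
        else:
            counts[card] += 1
    report = {card: (n, escalation(n)) for card, n in counts.items()}
    return report, unattributed, history


if __name__ == "__main__":
    report, unattributed, history = violation_report(SAMPLE_LOG)
    for ts, door, card in history:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {door:<9} {card or 'UNATTRIBUTED'}")
    for card, (n, action) in sorted(report.items()):
        print(f"card {card}: {n} tailgate(s) -> {action}")
    print(f"unattributed alarms for CCTV review: {unattributed}")
```

Alarms that cannot be tied to a recent badge-in are reported separately rather than silently dropped: they are the cases where the control room operator's live CCTV review, described above, matters most.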

Table 6.1 Common intrusion tactics and strategies for prevention

Summary

In summary, the security architect should have an understanding of the physical security domain to assist the organization in being prepared for the variety of risks that it will face through the operation of facilities and infrastructure, as well as the maintenance of data, and the safeguarding of resources.

The way facilities are planned will continue to evolve. Facility construction techniques and materials, as well as the core infrastructure systems used to create the networks that drive access to organization data, will continue to improve. Some things do not change, however, such as the need for physical access control to secured areas of an organization, and the need to stay at least one step ahead of those actors who look to gain access to system data through unregulated and unauthorized channels and means. The security architect will have to remain vigilant in all areas in order to ensure that the organization is always positioned to weather the many storms that will be hurled against it as new attacks and new exploits are found and tried. The goal is a strong and well-designed defense-in-depth architecture, one that takes both physical and logical security elements into account to create the strongest possible controls and overlapping areas of coverage that mutually reinforce one another. The security architect needs to continuously assess and reassess the viability of the current architecture against the latest organization drivers, needs, and issues, in order to make sure that the organization can continue to move forward safely and securely.

References

1. Security Planning and Design (The American Institute of Architects. 2004). 92.

2. J. Gompers (7/1/2004). Security Hot Spot: Loading Docks. SecuritySolutions.Com.

3. FEMA. Mitigate Potential Terrorist Attacks Against Buildings. 2003/426-2.6.

4. K. O’Conner. TDR 2006. https://engineering.purdue.edu/TDR/Papers/10_Paper.pdf.

5. http://stats.bls.gov/OCO/OCOS159.HTM.

6. Security Planning and Design (The American Institute of Architects. 2004).

7. M. Brunelli (6/3/2004). Data Center Security: 10 things not to do. SearchCIO.com. Web site: http://searchdatacenter.techtarget.com/news/article/0,289142,sid80_gci1071551_tax305172,00.html.

8. L. Fennelly. Effective Physical Security, 3rd edition (Butterworth-Heinemann, 2004). 195.

9. M. Desman. Building an Information Security Awareness Program (Auerbach Publications, 2001). 73.

10. http://www.hackingalert.com/hacking-articles/cellphone-hacking.php. Phones fall within the first-generation category.

11. M. Desman. Building an Information Security Awareness Program (New York: Auerbach Publications, 2001). 72.

12. NIST Special Publication 800-16. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.

13. http://bizsecurity.about.com/od/staffingandsecurity/a/SAwarenessP.htm.

14. http://sema.dps.mo.gov/04%20Business%20plan.pdf.

15. http://www.nfpa.org.

16. http://www.fire-extinguisher101.com/.

17. Cramsession.com (2007). Building a Defense in Depth Toolkit. Retrieved March 1, 2007. Website: http://www.cramsession.com/articles/get-article.asp?aid=1105.

18. J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. (Boston, MA: Addison-Wesley. 2002).

19. M. Garcia. Vulnerability Assessment of Physical Protection Systems (Boston, MA: Butterworth-Heinemann, 2006). 35.

20. J. Tiller. The Ethical Hack: A Framework for Business Value Penetration Testing (New York: Auerbach Publications, 2004).

21. H. Tipton and M. Krause. Information Security Management Handbook (New York: Auerbach Publications, 2006). 181.

22. S. Granger. (12/1/2001). Social Engineering Fundamentals, Part I: Hacker Tactics. http://www.securityfocus.com/infocus/1527.

23. S. Granger (1/9/2002) Social Engineering Fundamentals, Part II: Combat Strategies. http://www.securityfocus.com/infocus/1533.

Review Questions

1. The primary function of a physical protection system is to

  1. determine, direct, and dispatch.

  2. deter, detection, delay, and response.

  3. display, develop, initiate, and apprehend.

  4. evaluate, dispatch, and detain.

2. The single most important goal in planning a site is

  1. protection of life, property, and operations.

  2. threat definition, conflict control, and facility characterization.

  3. risk assessment, threat identification, and incident review.

  4. threat identification, vulnerability appraisal, and access review.

3. The strategy of forming layers of protection around an asset or facility is known as

  1. secured perimeter.

  2. defense in depth.

  3. reinforced barrier deterrent.

  4. reasonable asset protection.

4. The regulation of movement into, from, and within a designated building or area is called

  1. restricted access.

  2. access control.

  3. security access.

  4. security control.

5. The key to a successful physical protection system is the integration of

  1. people, process, and technology.

  2. technology, risk assessment, and human interaction.

  3. protecting, offsetting, and transferring risk.

  4. detection, deterrence, and response.

6. What is the primary objective of controlling entry into a facility or area?

  1. Provide time management controls for all employees.

  2. Ensure that only authorized persons are allowed to enter.

  3. Keep out potential hazards and dangerous material that could be used to commit sabotage.

  4. Identification purposes.

7. The BEST way to test your physical security operation is by

  1. observation.

  2. penetration test.

  3. security survey.

  4. social engineering.

8. CCTV technologies make possible three distinct yet complementary functions. The first is visual assessment of an alarm or other event. What are the other two functions of CCTV?

  1. Surveillance and deterrence.

  2. Intrusion detection and response.

  3. Optical and lighting.

  4. Monitoring and inspection.

9. High-tech integrated technologies not only offer greater protection opportunities but also help minimize cost by

  1. reducing electrical costs.

  2. reducing reliance on multiple operators and guard force.

  3. providing government tax incentives for increased physical protection systems.

  4. increasing capital value of property.

10. During a vulnerability assessment tour of a facility the team should be looking to

  1. Determine where all the fire exits are located.

  2. Examine the locations of physical protection system components.

  3. Count the number of employees within the facility.

  4. Determine the structural strength of the perimeter walls.

11. Designing a new building to mitigate threats is simpler and more cost-effective than retrofitting an existing building. An obvious example of this is planning for

  1. limiting the number of entrances to the site that must be monitored, staffed, and protected.

  2. reducing the cost associated with energy needs in providing the physical protection system.

  3. giving employees easy access to the facility without their knowledge of the security components used in monitoring their activities.

  4. blast reinforcement film on all perimeter windows.

12. How must classified material and sensitive information be disposed of?

  1. Torn in half and thrown in the trash can.

  2. It should be shredded.

  3. Removed to a decontamination room.

  4. Marked declassified and thrown in a trash can.

13. Effective security solutions call for the systematic integration of

  1. design, technology, and facility operations and management.

  2. reducing vulnerability by protecting, offsetting, or transferring the risk.

  3. operational readiness, physical protection systems, standard operating processes.

  4. increase awareness, environmental design, and physical security.

14. In which order should the designing of a security plan for a new complex progress?

  1. Outer perimeter, interior, exterior

  2. Interior, outer perimeter, exterior

  3. Interior, exterior, outer perimeter

  4. Exterior, interior, outer perimeter

15. Physical security measures to prevent or minimize theft, unauthorized access, or destruction of property are applied by using

  1. layers.

  2. methods.

  3. varieties.

  4. types.

16. Two functions that employee badges serve are

  1. identify and credit.

  2. payroll and identification.

  3. identification and access.

  4. access and personal information.

17. Which security control is most effective in curtailing and preventing “piggybacking” or “tailgating” as a means of unauthorized access?

  1. Cameras

  2. Turnstiles

  3. Security guards

  4. Mantraps

 

1   See the following for information:

  1. RFC 2904: http://tools.ietf.org/html/rfc2904

  2. The Version 2 Standard Draft for SAML: https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

  3. The Version 3 Standard Draft for XACML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf

  4. ISO 27000 series: http://www.iso27001security.com/

2   See the following for complete information on The Department of Commerce’s Export Administration Regulations (EAR) which covers [15 CFR 730-774]: http://www.bis.doc.gov/policiesandregulations/ear/index.htm

3   See the following for the full version of the Electronic Code of Federal Regulations, Title 15: Commerce and Foreign Trade, Part 774-The Commerce Control List: http://bit.ly/11OEjRW

See the following for the Supplement No.1 to Part 774-The Commerce Control List (Full Version) from which the Short Version is derived: http://bit.ly/12bMIxB

4   See the following for complete information on The Department of State’s International Traffic In Arms Regulations (ITAR) (also known as the U.S. Munitions List) which covers defense-related items and services [22 CFR 120-130]: http://www.pmddtc.state.gov/regulations_laws/itar.html

5   See the following for the ITAR document, ITAR part 121, which is the basis for the U.S. Munitions List: http://1.usa.gov/19SGps4

6   See the following for full information on The Treasury Department’s Office of Foreign Assets Control (OFAC): http://1.usa.gov/fv5LZd

7   See the following for the current Denied Persons List: http://1.usa.gov/nieNAO

8   See the following for the current Unverified List: http://1.usa.gov/TEXyfP

9   See the following for information on the Entity List: http://1.usa.gov/mcuO84

10   See the following for information on the Specially Designated Nationals List: http://1.usa.gov/efgDN5

11   See the following for the current Debarred List: http://1.usa.gov/nZTcy

12   See the following for Section 126 of ITAR, which lays out specific details for each of these issues: http://1.usa.gov/19jaMVK

13   See the following for full information on the NSG: http://bit.ly/SwAKvM

14   See the following for full information on the Zangger Committee: http://bit.ly/11Mzc3I

15   See the following for full information on the MTCR organization: http://bit.ly/dlsSqW

16   See the following for full information on the AG organization: http://bit.ly/16hmleh

17   See the following for full information on the WA organization: http://www.wassenaar.org/

18   See the following for the full text of the Foreign Exchange and Foreign Trade Act (1949): http://www.japaneselawtranslation.go.jp/law/detail/?id=21&vm=04&re=02

19   See the following for the CISTEC website: http://www.cistec.or.jp/english/index.html

20   See the following for the full text of HSPD-12: http://1.usa.gov/14gWCEK. HSPD-12 mandates a federal standard for secure and reliable forms of identification.

21   See the following for a step by step breakdown of the PIV credential issuance process under the USAccess Program: http://www.fedidcard.gov/credget.aspx

22   See the following for an overview of the TCI Reference Architecture: http://bit.ly/olmojL

23   Control Objectives for Information and related Technology (CobiT), the International Organization for Standardization 27002:2005 (ISO/IEC 27002:2005), and the Information Technology Infrastructure Library (ITIL) have emerged worldwide as the most respected frameworks for IT governance and compliance. Other frameworks such as the United States’ National Institute of Standards and Technology Risk Management Framework provide a free framework that can be tailored to any size organization.

24   While not a “new” technology, since PSIM systems have been around in some form since approximately 2005, there has been a tremendous amount of growth and change in the nature of these systems as the technology has continued to evolve. The most recent iterations of these systems are nothing like their distant cousins from the first generations of PSIM systems released in the aftermath of the 9/11 attacks on the United States and its infrastructure.

The goal of PSIM solutions is to provide a comprehensive and holistic view of a physical security environment through the integration of numerous physical security subsystems and the correlation of data from these subsystems. They also provide the ability to analyze the data from disparate, interconnected systems and then assess, based upon a range of factors including chronology, location, priority, and prevailing threat, the correct response procedure, one which conforms not only to the regulatory requirements but also to the procedural and operational needs of the enterprise.

25   See the following: Security Planning and Design (The American Institute of Architects. 2004)

26   See the following for detailed information on SCIF/SAPF design requirements and guidelines:

  1. Unified Facilities Criteria (UFC) DRAFT Sensitive Compartmented Information Facilities Planning, Design, and Construction: http://bit.ly/12dp8AM

  2. Intelligence Community Standard Number 705-1: Physical and Technical Security Standards for Sensitive Compartmented Information Facilities (Effective: 17 September 2010) http://bit.ly/16j2F9S

  3. Director of Central Intelligence Directive No. 6/9 Physical Security Standards for Sensitive Compartmented Information Facilities (18 November, 2002) http://bit.ly/19UVV6L

  4. US Army Corps of Engineers, Engineering and Support Center, Huntsville, Engineering Guidance Design Manual, CEHNC 1110-1-1, 7th Edition, March 2008 http://1.usa.gov/1bZJW4C

  5. NAVFAC Naval Facilities Engineering Command Physical Security of Sensitive Compartmented Information Facilities (SCIF) NAVFAC NORTHWEST, November 14, 2012 http://bit.ly/195ktdK

  6. NISPOM.US The web resource for the National Industrial Security Program and Cyber Security Business/Law http://bit.ly/14M4ugi

  7. Joint Air Force- Army- Navy JAFAN 6/9 Manual Physical Security Standards for Special Access Program Facilities 23 March 2004 http://bit.ly/flMXZl

  8. National Oceanic and Atmospheric Administration (NOAA) Western Regional Center SCIF overview briefing: http://1.usa.gov/16j3Cil

27   See the following for the FEMA Emergency Management Guide for Business and Industry: http://www.fema.gov/pdf/business/guide/bizindst.pdf

28   See the following for the Federal Emergency Management Agency (FEMA) of the United States Government’s FAQ page regarding emergency preparedness: http://www.ready.gov/faq#q11

Security architects should read through the entire FAQ, as many of the questions answered will provide valuable information for planning and response purposes. In particular, the following questions will prove to be very important for pre-planning activities:

-   How long can a family stay in a sealed room?

-   Will we run out of air to breathe?

DHS recommends that individuals allow ten square feet of floor space per person in order to provide sufficient air to prevent carbon dioxide build-up for up to 5 hours, assuming a normal breathing rate while resting.

29   See the following for overviews of data breaches from around the world: http://www.databreaches.net/

See the following for detailed reporting on data breaches within the United States of America at all levels of government and the private sector: http://www.privacyrights.org/data-breach

See the following for the ICS-CERT Industrial Control Systems Cyber Emergency Response Team Control Systems Security Program - Incident Response Summary Report 2009–2011: http://1.usa.gov/Lx8156

30   See the following for full information on this table: S. Granger (1/9/2002) Social Engineering Fundamentals, Part II: Combat Strategies. http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-ii-combat-strategies
