Last Update: 08 Jun 2000
8 Physical Security
This document is not designed as a detailed study of physical
security; however, a brief summary of computer-related issues is listed here.
- Zones should be defined, for example:
  - Zone 1: Areas open to the public.
  - Zone 2: Areas not open to the public, open to company staff.
  - Zone 3: Protected areas. Only accessible with identification, access
    strictly controlled. Don't allow externals unaccompanied access.
- Buildings should always be locked, except for access via a reception
area during office hours.
- Public areas shouldn't have any computers with access to the internal
Data Network, unless through a Firewall.
- Server rooms must be
locked, if possible with electronic card access (Audit list).
- Consider protecting sensitive computers against Van Eck radiation (see also
"Protecting against Snooping via Van Eck Radiation / TEMPEST").
- Consider protecting
systems against Electromagnetic Pulses.
- Server rooms must be
locked, with electronic card access (Audit list). Very few people should have access.
- Buildings must be
monitored 24 hrs x 7 days by security personnel.
- Access to server rooms
should be recorded on Video.
- Contingency plans should
exist which cover events such as power cuts, theft, fire, flooding, explosions,
earthquakes (where necessary) etc.
In Nov. 99, SecurityPortal produced an article on securing remote
server rooms: http://securityportal.com/direct.cgi?/coverstory19991115.html
It contains material additional to that listed above.
What is the company policy on the use of public, private and company
transport for transporting information (paper, diskettes, disks, tapes,
computers, ...)?
Backup media should be
stored in locked safes or locked rooms.
Regular backups (at least once per month) should be
stored off site.
Backups should only be transported by secure
methods (like money transport).
Floppy and removable disks are often a source of viruses and illegal
software (as is email). They may also be used to illegally copy confidential data. When
data is erased from diskettes, it must be completely erased (a standard product should be
recommended for PCs). Floppy drives are rarely needed when users have reliable networked
printers, file servers and email available.
- Removable hard disks and
floppy disks should only be used where absolutely necessary.
- Avoid copying data to
floppy disk.
- Floppy drives
should be removed, unless the internal network is considered too insecure. Removable disks
can be more secure than using a network server since all data is kept locally. In
this case disks must be kept carefully in a locked safe.
- Confidential data should
be encrypted. If the network server is not considered secure enough, files may be processed
locally, encrypted (using DES for example) and then saved on the network server. This is
preferable to the use of removable disks since regular backups will be made. The risk of
losing data is minimised (unless the DES key is lost or forgotten).
- Forbid the repair of
confidential disks; they must be destroyed unless it is 100% certain that the disk has been
overwritten with nulls or 1s. Products which promise this feature presumably require that the
disk can still be accessed.
- All disks should be
classified and the classification level should be written on the disks.
- Consider protecting media
against Electromagnetic Pulses.
- Protect (encrypt) laptop
hard disks or individual files/directories (a standard software product should be defined).
- See also the chapter "Securing PCs".
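One way to carry out the check behind the disk-repair item above, reading the medium back and confirming it holds only nulls or only 1s. This is an added example, not part of the original document; `verify_wiped`, `WipeResult` and the 1.44 MB diskette size are names and values assumed for illustration, and the images are constructed in memory.

```python
import io
from typing import BinaryIO, NamedTuple, Optional

FLOPPY_SIZE = 1474560  # assumed media size for the demo: one 1.44 MB diskette

class WipeResult(NamedTuple):
    verified: bool
    pattern: Optional[int]  # 0x00 or 0xFF when verified, else None
    offset: int             # bytes confirmed clean before stopping
    detail: str

def verify_wiped(dev: BinaryIO, expected_size: int, chunk: int = 1 << 20) -> WipeResult:
    """Read the medium back; pass only if it is entirely 0x00 or entirely 0xFF."""
    pattern, offset = None, 0
    try:
        while True:
            block = dev.read(chunk)
            if not block:
                break
            if pattern is None:
                if block[0] not in (0x00, 0xFF):
                    return WipeResult(False, None, 0, "residual data at offset 0")
                pattern = block[0]
            # lstrip drops the leading run of the wipe byte; what is left starts
            # at the first byte that survived the overwrite.
            clean = len(block) - len(block.lstrip(bytes([pattern])))
            if clean < len(block):
                return WipeResult(False, None, offset + clean,
                                  f"residual data at offset {offset + clean}")
            offset += len(block)
    except OSError as exc:
        # An unreadable sector cannot be shown to be wiped, so it fails the check.
        return WipeResult(False, None, offset, f"read error after {offset} bytes: {exc}")
    if pattern is None or offset != expected_size:
        return WipeResult(False, None, offset, f"read {offset} of {expected_size} bytes")
    return WipeResult(True, pattern, offset, "every byte matches the wipe pattern")

if __name__ == "__main__":
    # Constructed in-memory images standing in for a raw device opened with "rb".
    dirty = bytearray(FLOPPY_SIZE)
    dirty[700000:700006] = b"SECRET"
    for name, image in [("zeroed", bytes(FLOPPY_SIZE)),
                        ("ones", b"\xff" * FLOPPY_SIZE),
                        ("residual", bytes(dirty)),
                        ("truncated", bytes(1000))]:
        print(name, verify_wiped(io.BytesIO(image), FLOPPY_SIZE))
```

Any read error or short read counts as unverified, which matches the point above that such a check requires the disk to still be accessible.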
Only printers in
directors' offices or restricted-access rooms should be used for printing confidential
information.
EPROM passwords should be
used on PCs and workstations.
Screens not used for 15 min should be blanked
automatically with password protection.
Computer housings should be locked if possible.
The principle of a "clean desk" each evening when an
employee leaves his place of work is used by many corporations. It ensures that
confidential data is not made available to (for example) cleaning personnel and encourages
methodical management of one's workspace. Confidential information should always be under
lock and key.
- This is, however, sometimes a difficult policy to implement in
development departments, due to the mindset of creative personalities.