Three Areas of Information Security Part:3

In the previous post we discussed Informaation Security.In this post we will discuss in detail,the three areas of that:Physical,Operational and Management area.


Securing the Physical Environment


Physical security, as the name implies, involves protecting your assets and information from physical access by unauthorized persons. In other words, you’re trying to protect items that can be seen, touched, and stolen. Threats often present themselves as service technicians, janitors,customers, vendors, or even employees. They can steal your equipment, damage it, or take documents from offices, garbage cans, or filing cabinets. Their motivation may be retribution for some perceived misgiving, a desire to steal your trade secrets to sell to a competitor as an act of vengeance, or just greed. They might steal $1,000 worth of hardware that they can sell to a friend for a fraction of that and have no concept of the value of the data stored on the hardware.
Physical security is relatively easy to accomplish. You can secure facilities by controlling access to the office, shredding unneeded documents, installing security systems, and limiting access to sensitive areas of the business. Most office buildings provide perimeter and corridor security during unoccupied hours, and it isn’t difficult to implement commonsense measures during occupied hours as well. Sometimes just having a person present—even if it’s a guard who spends most of their time sleeping—can be all the deterrent needed to prevent petty thefts.
Many office complexes also offer roving security patrols, multiple lock access control methods, and electronic or password access. Typically, the facility managers handle these arrangements. They won’t generally deal with internal security as it relates to your records,computer systems, and papers; that is your responsibility in most situations.
The first component of physical security involves making a physical location less tempting as a target. If the office or building you’re in is open all the time, gaining entry into a business in the building is easy. You must prevent people from seeing your organization as a tempting target. Locking doors and installing surveillance or alarm systems can make a physical location a less desirable target. You can also add controls to elevators, requiring keys or badges in order to reach upper floors. Plenty of wide-open targets are available, involving less risk on the part of the people involved. Try to make your office not worth the trouble.

The second component of physical security involves detecting a penetration or theft. You want to know what was broken into, what is missing, and how the loss occurred. Passive videotape systems are one good way to obtain this information. Most retail environments routinely tape key areas of the business to identify how thefts occur and who was involved.These tapes are admissible as evidence in most courts. Law enforcement should be involved as soon as a penetration or theft occurs. More important from a deterrent standpoint, you
should make it well known that you’ll prosecute anyone caught in the act of theft to the fullest extent of the law. Making the video cameras as conspicuous as possible will deter many would-be criminals.
The third component of physical security involves recovering from a theft or loss of critical information or systems. How will the organization recover from the loss and get on with normal business? If a vandal destroyed your server room with a fire or flood, how long would it take your organization to get back into operation and return to full productivity?
Recovery involves a great deal of planning, thought, and testing. What would happen if the files containing all your bank accounts, purchase orders, and customer information became a pile of ashes in the middle of the smoldering ruins that used to be your office? Ideally, critical copies of records and inventories should be stored off-site in a secure facility.

Examining Operational Security


Operational security focuses on how your organization does that which it does. This includes computers, networks, and communications systems as well as the management of information.Operational security encompasses a large area, and as a security professional, you’ll be primarily involved here more than any other area.
Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete. Issues include the daily operations of the network, connections to other networks, backup plans, and recovery plans. In short, operational security encompasses everything that isn’t related to design or physical security in your network. Instead of focusing on the physical components where the data is stored, such as the server, the focus is now on the topology and connections.
The issues you address in an operational capacity can seem overwhelming at first. Many of the areas you’ll address are vulnerabilities in the systems you use or weak or inadequate security policies. For example, if you implement a comprehensive password expiration policy, you can require users to change their passwords every 30 or 60 days. If the system doesn’t require password rotation, though (it allows the same passwords to be reused), you have a vulnerability that you may not be able to eliminate. A user can go through the motions of changing their password only to reenter the same value and keep it in use.
From an operational perspective, the system described has weak password-protection capabilities. There is nothing you can do, short of installing a higher-security logon process or replacing the operating system. Either solution may not be feasible given the costs, conversion times, and possible unwillingness of an organization—or its partners—to make this switch.Such dependence on a weak system usually stems from the fact that most companies use software that was developed by third parties in order to save costs or meet compatibility requirements. These packages may require the use of a specific operating system. If that
operating system has significant security problems or vulnerabilities, your duties will be mammoth because you’ll still be responsible for providing security in that environment.For example, when your secure corporate network is connected to the Internet, it becomes subject to many potential vulnerabilities. You can install hardware and software to improve security, but management may decide these measures cost too much to implement. Again,operationally there may be little you can do.Much of this book discusses the technologies and tools used to help ensure operational security. Figure 1.2 illustrates the various concerns you face from an operational perspective.