Physical security deals with a different set of threats than information or computer security. These threats can be grouped into these broad categories:
- Natural environmental threats: Floods, earthquakes, storms and tornadoes, fires, extreme temperature conditions, etc
- Supply system threats: Power distribution outages, communications interruptions, and interruption of other resources such as water, gas, air, filtration, and so on
- Manmade threats: Unauthorized access (both internal and external), explosions, damage by disgruntled employees, employee errors and accidents, vandalism, fraud, theft, and others
- Politically motivated threats: Strikes, riots, civil disobedience, terrorist attacks, bombings, and so forth
Additionally, another unique aspect of physical security is the concern of life safety. Unlike in information or computer security, threats to physical security can be potentially deadly. Necessarily so, life safety becomes the primary concern whenever developing a physical security program.
Planning a physical security program
Planning a physical security program shares many of the same steps and considerations as planning other security programs. Management must decide what level of risk is acceptable for various assets so that it can determine the appropriate level of security to apply. A grocery store will not require the same level of physical security as a data center. To decide what level of security is appropriate, a risk analysis is performed which identifies threats and measures their potential business impact if exploited. It is important to additionally consider and legal or regulatory obligations that a company must meet in this step.
Once a team has been formed and a risk analysis has been performed, a physical security program can be developed that fits the organization's needs. Specifics as to what technologies, procedures, or equipment can be implemented will be discussed in the future, but the general goals of the security program are as follows:
- Crime and disruption prevention through deterrence: Fences, security guards, warning signs, and so forth
- Reduction of damage through the use of delaying mechanisms: Layers of defenses that slow down the adversary, such as locks, security personnel, and barriers
- Crime or disruption detection: Smoke detectors, motion detectors, CCTV, and so forth
- Incident assessment: Response of security guards to detected incidents and determination of damage level
- Response procedures: Fire suppression mechanisms, emergency response processes, law enforcement notification, and consultation with outside security professionals
As you can see, a physical security program must address both preventing and responding to incidents.
Finally, after a physical security program has been developed and implemented, it must be monitored and evaluated. It is possible to measure and determine the effectiveness of the program through a performance based approach. Under this approach, metrics must be developed to measure how well the program is working. The goal is to increase the performance of the program and decrease the risk to the company in a cost-effective manner. Possible metrics include:
- Number of successful crimes and disruptions
- Number of unsuccessful crimes and disruptions
- Time between detection, assessment, and recovery steps
- Business impact of disruptions
- Number of false-positive detection alerts
- Time it took for a criminal to defeat a control
- Time it took to restore the operational environment
- Financial loss as a result of a crime or disruption
Tests such as fire drills or penetration tests can help to evaluate weaknesses in the security program and identify areas of improvement.
No comments:
Post a Comment