Physical, technical, and procedural controls [CISMP]
The course is part of this learning path
The physical environment is as much at risk as the IT systems themselves.
An organisation can have the most modern and complex firewalls, intrusion detection systems and access controls, but a lack of physical security will leave systems vulnerable.
Designing a work environment that reduces physical vulnerabilities helps mitigate risk. This is why physical controls are a crucial aspect of the layered approach described earlier. In the physical space, there are various controls you can implement. Let’s take a look at some examples:
- Gates and barriers that staff must pass through add a layer of complexity for an intruder entering a building.
- Photo ID badges with names to identify authorised personnel mean individuals without the correct identification can be challenged.
- Alternative routes in and out of buildings like fire escapes, delivery areas, and windows create vulnerabilities. Assessing how to secure these vulnerabilities is an important design element.
You’ll come back to learn more about these later in this step, as they are some of the key physical controls you need to be aware of.
AAA: Authentication, Authorisation, and Accounting
When thinking about physical security controls, it’s easy to dismiss other frameworks designed for intelligently controlling access to computer resources.
However, physical access controls depend on the same access control fundamentals as network or operating system security.
AAA is one of these frameworks. Consider whether this approach would work in the context of physical security.
- Authentication (who are you?): create access lists and identification mechanisms to allow approved persons through the barriers.
- Authorisation (what resources are you permitted to use?): create barriers around a resource so that access can be controlled through defined entry and exit points.
- Accounting (what resources were accessed, at what time, by whom, and what commands were issued?): keep a record of when entry/exit points are used and detect security breaches.
You can clearly see how influential this approach could be in maintaining your own organisation’s physical security.
Often described as the first line of defence, perimeter protection sums up the whole idea of physical security, to make it as difficult as possible for unauthorised personnel to gain entry.
Perimeter security covers a lot of ground. The use of walls, fences, doors, gates, lockable windows and more, creates access boundaries, while acting as a deterrent for unwanted visitors.
It’s important that you learn what the potential flaws are in perimeter protection, so you can mitigate the risk of intruders entering your building.
Apart from being vulnerable to lock picking, the main problem with a simple door or gate as an entry mechanism is that it cannot accurately record who has entered or left an area. This goes against everything the AAA framework teaches us about security controls and could put you and your colleagues at risk.
Another problem here is that multiple people may pass through the gateway at the same time. For example, a user may hold a door open for the next person, resulting in an unauthorised user ‘tailgating’ or piggybacking behind the authorised user.
These risks may be mitigated by installing a turnstile (a type of gateway that only allows one person through at a time). A mantrap is where one gateway leads to an enclosed space protected by another barrier. The other option is to add some sort of surveillance on the gateway.
Where security is critical and funding is available, an access control vestibule, or mantrap, could be used. A mantrap is where one gateway leads to an enclosed space protected by another barrier, only allowing one person in at a time
Most commonly, a gated system is used as a controlled entry (ingress) or exit (egress) point that effectively allows authorised personnel through. If you close the gate, the strength of the barrier in that location should be no weaker than the rest of the fence. Gates can be automatic or manned by guards, but whatever mechanism you employ, they need to be rigorous in their security control.
You’re likely to have used a turnstile entry when visiting a stadium to watch sport or a concert. This is another type of controlled entry point within a fence that permits only one person at a time to enter. They can be programmed to force authentication of the person trying to enter the facility, maybe using a smartcard or pin number on a cipher lock. The combination of fences, gates and turnstiles make up the typical set of physical controls you would expect to see around a facility.
Security guards and dogs
Unless your perimeter security is to the same level of Alcatraz, you have to assume that your first line of defence could be breached. This is why you need to consider other deterrents than those already discussed in this step.
While we live in an age with an abundance of sophisticated computer-based security systems, the physical nature of security work means that we cannot always rely on these systems to protect us.
Security guards are therefore still key in monitoring and maintaining your other physical security controls. Some guards may be employed to patrol your grounds to further deter intruders from jumping your fences or sneaking through locked gates. Other guards are trained to perform searches on personnel in reception, looking for stolen items or prohibited equipment.
A specially trained team of security guards will monitor and run your surveillance systems, such as external CCTV or motion detectors, while some will be trained as dog handlers to help track down and find guns, explosives, drugs, or intruders. Dogs do make an effective deterrent and detective system, although they are also expensive and require specialist handling.
You might think that throwing more security guards at your physical security problem might be the answer, but you need to seriously consider the high cost and management of employing them. Also, not all facilities can utilise guards, as some may contain dangerous chemicals or potentially hazardous conditions, such as high pressures or temperatures.
Advances in technology in the security space provide organisations with alternative options. Here are some examples:
- Camera systems and robotics can use AI and machine learning to implement smart physical security.
- Motion recognition: the camera system might be configured with gait identification technology. This means that the system can generate an alert when anyone moves within sight of the camera and the pattern of their movement does not match a known and authorised individual.
- Object detection: the camera system can detect changes to the environment, such as a missing server, or unknown device connected to a wall port.
- Robot sentries: surveillance systems (and in some cases weapon systems) can be mounted on a wholly or partially autonomous robot (switch.com/switch-sentry).
- Drones/UAV: cameras mounted on drones can cover wider areas than ground-based patrols. https://percepto.co/
Ultimately, it’s about finding the right balance, as guarding the old-fashioned way cannot yet be fully automated. After all, technology is often described as an enabler, and this is no different when it comes to physical security.
When starting a new job, one of the items on your onboarding checklist is likely to be picking up your ID badge. This ID badge will prove that you’re an authorised member of staff and should have your name and picture on the front, so that anyone, not only security guards, can challenge people who should not be in a certain location.
ID badges can double up as smartcards or proximity passes, so that the owner of the badge can be visually identified by security, as well as authenticated to access certain areas of the site. You’ll learn more about how these work later.
We’ve all seen a movie heist with fancy laser beam detectors surrounding the case where the jewels are kept. Even if you’re not quite protecting priceless jewels, motion detectors are a useful internal control within a building, to locate or detect where members of staff might be. If no one is supposed to be in a computer room, yet your motion detector shows some movement, that could be an indication that you have an intruder. Motion detectors are useful controls where it’s inappropriate to use CCTV, such as where highly sensitive information might be displayed on PC screens.
Returning to the heist, when the thief moves the jewels from their place, the motion detector issues an alarm, which in turn notifies the local security guards, and then, to make matters worse for the thief, the police are called! Most modern alarm systems can be configured to work in the same way as in the movies.
Some companies outsource the response to intruder alarms being tripped to private security firms who have a service level agreement to have a patrol reach the premises within a specified period of time – something that the police cannot guarantee.
Security lighting has the benefit of illuminating an area so that it is easier to identify criminals, but also acts as a deterrent, preventing any attempt of criminal activity to begin with.
- Support guards and CCTV.
- Not cause nuisance or hazards.
- Be cost effective and compatible with site conditions.
The purpose of lighting is not to illuminate security controls, such as CCTV, motion detectors, or guard posts.
NIST (National Institute for Standards and Technology) has provided certain standards regarding outdoor lighting, they recommend at least two candle feet of power at a height of eight feet off the ground.
If you’re interested in reading more about security lighting including the four types (continuous, emergency, moveable, standby), then head over here.
Although lighting adds to the security of a facility, it is best when applied with the other types of deterrents you have looked at in this step.
All of the controls described in the last step demonstrate best practice physical security, but there are lots of other controls available for consideration. At the same time, it’s important to stay on top of emerging threats, that could jeopardise your operations. You’ll now hear from our expert Mark, who will offer a unique insight into physical security threats and controls.
In this Course, you’ll learn how you can protect your organisation using physical, technical, and procedural controls. Part of this Course involves learning what techniques attackers use to work around these controls, which will help you take the necessary steps to stop them should a threat arise.
A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.