Information Security Jobs: Physical and Environmental Concerns

By Peter H. Gregory

Physical security is concerned with the protection of personnel at work locations, as well as information systems and related media and equipment. Supporting environmental controls and power protection are also a concern.

Site access security

The following types of controls contribute to the security of a work location, whether a facility is a data center or primarily used by employees:

  • Key cards: Plastic cards with a magnetic strip, an RFID circuit, or an embedded processor and memory. Key cards are assigned to individual workers and are used to activate door locks to permit entry. With a key card system, a building can be divided into zones that restrict entry to specific areas or rooms as needed. Key card systems record successful and unsuccessful access attempts. Lost or stolen key cards can be deactivated in the system so that they will no longer function.

  • PIN pads: Keypads with numbers or letters usually used with key cards. PIN pads reduce the risk associated with a lost or stolen key card: On a door controlled by a key card reader and a PIN pad, both the key card and knowledge of the PIN are required to unlock the door.

  • Biometric access controls: Devices such as fingerprint readers, palm scanners, and iris scanners. Biometric access controls can be a more effective site access control than key cards and PIN pads alone, because an intruder could steal a key card and obtain a PIN code.

  • Metal keys: Still used for individual offices, but no longer recommended for rooms where several personnel need to routinely enter because there is no way to know which person entered a room.

  • Mantraps: A set of two interlocked doors with a short passage between, to control movement of personnel through a door. A mantrap permits only one person at a time to pass, thereby preventing “tailgating,” where one or more people can follow an authorized person into a room or building.

  • Guards: Personnel with duties to protect facilities and personnel.

  • Guard dogs: An effective deterrent that can assist in searches for persons and in apprehending intruders.

  • Visitor logs: Written or electronic records of visitors to a building. Visitors can also be requested to present a government-issued identification to confirm their identity.

  • Fences and walls: Deterrent and preventive measures to protect the perimeter of a facility or areas of particular interest. A fence or wall at least 8 feet high with strands of barbed wire or razor wire will keep out all but the most determined intruders.

  • Video surveillance: Systems of cameras, monitors, and possibly recording equipment such as digital video recorders (DVRs) used to monitor key locations inside and outside a facility. A video system may include personnel who are observing in real time, or it may be recording for later viewing when needed.

  • Exterior lighting: Protects a facility by illuminating areas where an intruder would otherwise be able to work in darkness in an attempt to enter a facility.

  • Visible notices: Posted signs and placards informing personnel of the presence of video surveillance, guards, guard dogs, and other controls. Visible notices can also inform visitors of the consequences of entering a facility.
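The key card item above notes that these systems record successful and unsuccessful access attempts, divide a building into zones, and allow lost or stolen cards to be deactivated. As an added example (not part of the original article), the following Python reviews such a log for three conditions worth a follow-up; the CSV layout, card IDs, door names, and thresholds are constructed assumptions, not any vendor's format.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_LOG = """timestamp,card_id,door,zone,result
2024-03-04T08:01:10,C1001,lobby-1,public,GRANTED
2024-03-04T08:05:42,C1002,dc-east,datacenter,DENIED
2024-03-04T08:06:05,C1002,dc-east,datacenter,DENIED
2024-03-04T08:07:30,C1002,dc-east,datacenter,DENIED
2024-03-04T09:15:00,C1003,lobby-1,public,DENIED
2024-03-04T10:20:00,C1001,dc-east,datacenter,GRANTED
2024-03-04T11:00:00,C1004,lab-2,lab,DENIED
2024-03-04T13:30:00,C1004,lab-2,lab,DENIED
"""
DEACTIVATED = {"C1003"}                      # cards reported lost or stolen
ZONES = {"C1001": {"public"}, "C1002": {"public"}, "C1004": {"public", "lab"}}

def review_badge_log(text, deactivated, zones, max_denied=3,
                     window=timedelta(minutes=5)):
    """Return a sorted list of (finding, card_id, door) tuples."""
    findings = set()
    denied = defaultdict(list)               # (card, door) -> recent denial times
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.fromisoformat(row["timestamp"])
        card, door = row["card_id"], row["door"]
        if card in deactivated:
            # Any use of a deactivated card means someone is holding it.
            findings.add(("deactivated_card_used", card, door))
        if row["result"] == "DENIED":
            recent = [t for t in denied[(card, door)] if when - t <= window]
            recent.append(when)
            denied[(card, door)] = recent
            if len(recent) >= max_denied:
                findings.add(("repeated_denials", card, door))
        elif row["zone"] not in zones.get(card, set()):
            # The door opened for a card with no assignment to that zone.
            findings.add(("grant_outside_assigned_zone", card, door))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_badge_log(SAMPLE_LOG, DEACTIVATED, ZONES):
        print(*finding)
```

The two denials for C1004 are hours apart and stay below the threshold, so only clustered failures at one door are reported.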

Secure siting

Secure siting, also known as a site survey, is the process of searching for a work site and analyzing it for nearby hazards and threats that could pose a risk to the security or safety of the site and the personnel and equipment within.

Typical hazards that a site survey would identify include the following:

  • Transportation: nearby airports, railroads, and highways

  • Hazardous substances: nearby chemical facilities and petroleum pipelines

  • Behavioral: nearby sites where mass gatherings, riots, and demonstrations could take place

  • Natural: risk of flooding, landslide, avalanche, volcano, or lahar

Equipment protection

Measures need to be taken to protect equipment and personnel in work locations, including the following:

  • Theft protection: locking doors, video surveillance, and cable locks

  • Damage protection: earthquake bracing and tip-over prevention

  • Fire protection: smoke detectors, heat detectors, sprinklers, inert gas suppression, and fire extinguishers

  • Cabling security: conduit or better siting to avoid exposure of communications or power cabling

  • Photography: notices and intervention to prevent photography in sensitive areas

Electric power

Information-processing equipment (computers, network devices, and so on) is highly sensitive to even slight fluctuations in electric power. The following specialized equipment ensures a continuous supply of clean electric power:

  • Line conditioner: Absorbs noise present in utility power, such as spikes and surges.

  • Uninterruptible power system (UPS): Equipped with backup batteries that can supply power to computing equipment for several minutes to an hour or more.

  • Electric generator: Powered by gasoline, diesel fuel, natural gas, or propane and can generate electric power for hours, days, or more.

An electric generator and a UPS are typically used together to ensure continuous power. Because electric generators take several seconds to a minute or longer to activate, a UPS supplies power while the generator is starting up.

Heating, ventilation, and air conditioning (HVAC)

People and information-processing equipment operate best within a narrow temperature and humidity range. (Humans are more tolerant of a wider range in temperature.)

Heating, ventilation, and air conditioning (HVAC) systems regulate temperature and humidity in buildings containing personnel, computers, or both. HVAC systems are especially important in data centers, which generate a considerable amount of waste heat that must be continuously moved away from computers to prevent overheating and premature failure.

Many newer data centers rely on circulation of outside ambient air (with particulate filtering) as opposed to refrigeration to provide cooling at a significantly lower cost.

Redundant controls

Many facilities incorporate redundant controls to ensure continuous availability of environmental needs. Redundancy allows for continuous protection in the event of equipment failure as well as during routine maintenance. Examples of redundant controls follow:

  • Utility power feeds

  • UPSs

  • Generators

  • HVAC systems