1. General Building and Server Room Security
    1. List steps that should be taken to properly secure the physical building and premises of an organization:
      1. Survey the perimeter for possible security breaches, including doors, windows, locks, fences, and even the roof.
      2. If any potential hiding places are found during this survey, they should be removed.
      3. The area surrounding the building should be well-lit.
      4. If your organization believes it to be necessary, employ security guards, and equip and train them properly.
      5. Set up a video surveillance system around the building perimeter, as well as in critical infrastructure areas such as server rooms, wiring closets, R&D areas, and executive offices. Properly secure these devices behind your firewall.
        1. Closed-Circuit Television (CCTV):
          1. A video system (often used for surveillance) that makes use of traditional coaxial-based video components, but is used privately, within a building or campus.
      6. Motion detectors, heat sensors, and other sensors are sometimes used as part of an organization's security system. This depends on your organization's security policy and budget.
    2. List the steps you should take to secure the organization's server room:
      1. When choosing the location of the server room, avoid the basement or any area that could be prone to water damage.
      2. The server room should only be accessible to authorized IT personnel. To accomplish this, use a security token, badge, or card authentication system.
      3. Video surveillance should be implemented. The footage recorded by this surveillance system should not be stored on the servers in the server room.
      4. All devices and servers in the server room must have complex authentication requirements that only authorized IT personnel have knowledge of.
      5. All devices and servers in the server room must be physically locked with cable locks to prevent theft.
  2. Door Access
    1. List the steps you should take to secure the doors to enter the building of the organization, and/or its server room:
      1. Door locks are essential for entrances to critical areas.
      2. Electronic access control systems are common in larger organizations. These systems are controlled by a Cardkey Controller. This device should be placed in a secure location, such as a wiring closet or the server room. That room should be locked.
      3. Some systems may use other forms of identification, such as:
        1. Photo ID Badges
        2. RFID Chips
        3. Magnetic Stripes
        4. Key Card Door Access Systems
    2. Security Token:
      1. A physical device used to gain access to an electronically restricted resource.
      2. The token is used in addition to or in place of a password. It acts like an electronic key to access something.
    3. Mantrap:
      1. Areas between two doorways, meant to hold people until they are identified and authenticated.
  3. Biometric Readers
    1. Biometrics:
      1. A security process that relies on the unique biological characteristics of an individual to verify their identity.
    2. List two problems associated with biometric authentication, due to improper categorization and lack of scanning precision in today's technology:
      1. False Acceptance:
        1. A biometric system authenticates a user who has provided incorrect credentials.
      2. False Rejection:
        1. A biometric system fails to authenticate a user who has provided correct credentials.
      3. A security administrator should monitor the biometric system for errors. If either the False Acceptance Rate (FAR) or False Rejection Rate (FRR) falls outside your organization's security policy guidelines, the system should be taken offline and evaluated.
      4. Crossover Error Rate (CER), also known as the Equal Error Rate (EER): The collective analysis and comparison of the false acceptance rate (FAR) and false rejection rate (FRR).
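The monitoring described in the biometrics items above can be sketched in code. This is an added example, not part of the original notes: it computes FAR and FRR from logged match scores, finds the threshold where the two rates cross (the CER/EER point, where FAR and FRR are equal or closest to equal), and flags a threshold that breaks policy. The scores, the 0-100 score scale, the function names, and the policy limits are all constructed assumptions.

```python
# Added example: all scores and policy limits below are constructed sample data.
# Each attempt is (match_score 0-100, is_genuine); higher score = closer match.
ATTEMPTS = [
    (95, True), (90, True), (85, True), (70, True), (55, True),
    (60, False), (45, False), (30, False), (20, False), (10, False),
]


def error_rates(attempts, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    genuine = [s for s, ok in attempts if ok]
    impostor = [s for s, ok in attempts if not ok]
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor attempts")
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # valid users refused
    return far, frr


def crossover(attempts, thresholds=range(0, 101, 5)):
    """Return (threshold, FAR, FRR) at the point where FAR and FRR are closest."""
    def gap(t):
        far, frr = error_rates(attempts, t)
        return abs(far - frr)
    best = min(thresholds, key=gap)
    return (best, *error_rates(attempts, best))


def policy_violations(attempts, threshold, max_far, max_frr):
    """List which rates exceed the (hypothetical) policy limits at this threshold."""
    far, frr = error_rates(attempts, threshold)
    findings = []
    if far > max_far:
        findings.append(f"FAR {far:.0%} exceeds limit {max_far:.0%}")
    if frr > max_frr:
        findings.append(f"FRR {frr:.0%} exceeds limit {max_frr:.0%}")
    return findings


if __name__ == "__main__":
    print("crossover:", crossover(ATTEMPTS))
    for t in (50, 65):
        result = policy_violations(ATTEMPTS, t, max_far=0.10, max_frr=0.20)
        print(f"threshold {t}:", result or "within policy")
```

Raising the threshold lowers FAR and raises FRR, so a threshold that satisfies one limit can violate the other; the check reports each rate separately for that reason.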