8.1 Planning for the Forgotten Threats

Surprisingly, many organizations do not consider physical security to be of the utmost concern. As an example, one New York investment house was spending tens of thousands of dollars on computer security measures to prevent break-ins during the day, only to discover that its cleaning staff was propping open the doors to the computer room at night while the floor was being mopped. A magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday. An employee had used an electronic key card to unlock the building and disarm the alarm system; after getting inside, the person went to the supply closet where the alarm system was located and removed the paper log from the alarm system's printer.

Other organizations feel that physical security is simply too complicated or too difficult to handle properly. No amount of physical security on the part of the tenants of the World Trade Center could have protected them from the collapse of their office buildings after the terrorist attack of September 11, 2001. Likewise, few organizations have the ability to protect their servers from a nuclear attack. But it is important not to let these catastrophic possibilities paralyze and prevent an organization from doing careful disaster planning. Those organizations that did the best job of restoring operations after September 11 were the ones that had spent the money to build and maintain redundant off-site mirror facilities.

Physical security is one of the most frequently forgotten forms of security because the issues that physical security encompasses (threats, practices, and protections) are different for practically every site and organization. Physical security resists simple treatment in books on computer security, as different organizations running the identical system software might have dramatically different physical security needs. To make matters worse, many popular books on computer system security do not even mention physical security! Because physical security must be installed on-site, it cannot be preinstalled by the operating system vendor, sold by telemarketers, or downloaded over the Internet as part of a free set of security tools.

Anything that we write about physical security must therefore be broadly stated and general. Because every site is different, this chapter can't give you a set of specific recommendations. It can give you only a starting point, a list of issues to consider, and suggested procedures for formulating your actual plan.

8.1.1 The Physical Security Plan

The first step to physically securing your installation is to formulate a written plan addressing your current physical security needs and your intended future direction. Ideally, your physical plan should be part of your site's written security policy. This plan should be reviewed by others for completeness, and it should be approved by your organization's senior management. Thus, the purpose of the plan is for both planning and political buy-in.

Your security plan should include:

  • Descriptions of the physical assets that you are protecting

  • Descriptions of the physical areas where the assets are located

  • A description of your security perimeter (the boundary between the rest of the world and your secured area) and the holes in the perimeter

  • The threats (e.g., attacks, accidents, or natural disasters) that you are protecting against and their likelihood

  • Your security defenses, and ways of improving them

  • The estimated cost of specific improvements

  • The value of the information that you are protecting

If you are managing a particularly critical installation, take great care in formulating this plan. Have it reviewed by an outside firm that specializes in disaster recovery planning and risk assessment. Consider your security plan a sensitive document: by its very nature, it contains detailed information on your defenses' weakest points.

A detailed security plan may seem like overkill for smaller businesses, some educational institutions, and most home systems. Nevertheless, simply enumerating the threats and the measures that you are using to protect against them will serve you well in understanding how to protect your informational assets. Is fire a possibility? If so, you may wish to invest in a fireproof safe for backups (cost: as little as $200), or you may wish to contract with an off-site backup provider (cost: approximately $20/month per PC). Is theft a possibility? If so, you may wish to purchase a lock for your computer (cost: approximately $30). Do you back up your server but not your desktop PCs? If so, you may wish to make sure that people in your organization know this, so that they store files on the file server, and not on their computer's "desktop."

At the very least, you should ask yourself these five questions:

  • Does anybody other than you ever have physical access to your computers?

  • What would happen if that person had a breakdown or an angry outburst and tried to smash your system with a hammer?

  • What would happen if someone in the employ of your biggest competitor were to come into the building unnoticed?

  • If there were a fire in your building and the computers were rendered unusable, would the inability to access these systems cripple or destroy your organization?

  • If some disaster were to befall your system, how would you face your angry users?

If the very idea of planning is repulsive to you, then this aspect should be delegated to someone in your organization who is more suited to the task.

8.1.2 The Disaster Recovery Plan

You should have a plan for immediately securing temporary computer equipment and for loading your backups onto new systems in case your computer is ever stolen or damaged. This plan is known as a disaster recovery plan.

We recommend that you do the following:

  • Establish a plan for rapidly acquiring new equipment in the event of theft, fire, or equipment failure.

  • Test this plan by renting (or borrowing) a computer system and trying to restore your backups.

If you ask, you may discover that your computer dealer is willing to lend you a system that is faster than the original system for the purpose of evaluation. There is probably no better way to evaluate a system than to load your backup tapes onto the system and see if they work.

Be sure to delete your files and purge the computer's disk drives of all information before returning them to your vendor! Simply running newfs or re-installing the operating system is not sufficient. Use a tool especially suited to the task.
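The point that re-creating a filesystem does not erase file contents is easy to see on a small simulated disk. The following is an added example, not code from the book: it builds an in-memory byte array as a stand-in for a disk, places a constructed marker string in the data area, and shows that a `newfs`-style rewrite of only the metadata sectors leaves the marker intact, while an overwrite of every sector followed by a read-back check does not. The sector layout, the four-sector metadata region and the marker text are all assumptions made for illustration; a real purge targets a block device with a purpose-built tool and verifies the result the same way, by reading the device back.

```python
"""Why 'newfs' is not a purge: a simulated-disk demonstration (added example).

Everything here is constructed sample data. A bytearray stands in for a disk so
the script runs offline and never touches real storage.
"""

SECTOR = 512
DISK_SECTORS = 64          # 32 KiB pseudo-disk (assumption)
METADATA_SECTORS = 4       # sectors a filesystem re-creation rewrites (assumption)
DATA_OFFSET = SECTOR * 20  # where the 'file' lives, well past the metadata region

# Constructed marker: stands in for a sensitive file's contents.
MARKER = b"CONSTRUCTED-SAMPLE payroll.db owner=alice grade=7"


def make_disk() -> bytearray:
    """Return a pseudo-disk with filler everywhere and MARKER in the data area."""
    disk = bytearray(b"\xaa" * (SECTOR * DISK_SECTORS))
    disk[DATA_OFFSET:DATA_OFFSET + len(MARKER)] = MARKER
    return disk


def fake_newfs(disk: bytearray) -> bytearray:
    """Mimic filesystem re-creation: only the metadata sectors are rewritten.

    The data area is untouched, which is exactly why the old contents survive.
    """
    disk[:SECTOR * METADATA_SECTORS] = bytes(SECTOR * METADATA_SECTORS)
    return disk


def find_marker(disk: bytearray, marker: bytes = MARKER) -> int:
    """Offset of the marker in the disk image, or -1 if it is gone."""
    return disk.find(marker)


def purge(disk: bytearray) -> bytearray:
    """Overwrite every sector, sector by sector, then leave the disk zeroed.

    Mirrors what a purpose-built wiping tool does: it does not trust the
    filesystem's idea of what is 'free', it writes the whole device.
    """
    for sector in range(DISK_SECTORS):
        start = sector * SECTOR
        disk[start:start + SECTOR] = bytes(SECTOR)
    return disk


def verify_purged(disk: bytearray) -> bool:
    """Read the whole image back and confirm nothing but zeros remains."""
    return not any(disk)


def demo() -> tuple:
    """Return (marker_survived_newfs, marker_survived_purge)."""
    disk = make_disk()
    after_newfs = fake_newfs(disk)
    survived_newfs = find_marker(after_newfs) != -1   # True: data area untouched

    after_purge = purge(after_newfs)
    survived_purge = find_marker(after_purge) != -1 or not verify_purged(after_purge)
    return survived_newfs, survived_purge


if __name__ == "__main__":
    newfs_leak, purge_leak = demo()
    print("marker readable after fake newfs:", newfs_leak)
    print("marker readable after full overwrite:", purge_leak)
```

The read-back in `verify_purged` is the step worth keeping in mind when returning borrowed hardware: the check that matters is not that a wipe command ran, but that reading the device afterwards yields nothing of the original contents.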

8.1.3 Other Contingencies

Beyond the items mentioned earlier, you may also wish to consider the impact of the following on your operations:

Loss of phone service or network connections

How will the loss of service impact your regular operations?

Vendor continuity

How important is support? Can you move to another hardware or software system if your vendor goes out of business or makes changes you don't wish to adopt?

Significant absenteeism of staff

Will this impact your ability to operate?

Death or incapacitation of key personnel

Can every member of your computer organization be replaced? What are the contingency plans?
