Quiz 2
Physical access controls are designed for/to:
➢ Protect the organization from unauthorized access
➢ Limit access to individuals authorized by management
➢ Explicit and implicit authorization
Explicit
a door lock for which management has authorized who has a key
Implicit
as seen in a job description that implies the need to access sensitive reports and documents
Bolting door locks
Require the traditional metal key to gain entry
➔ Should be stamped “do not duplicate”
➔ Stored and issued under strict management control
Combination door locks (cipher locks)
A numeric keypad or dial is used to gain entry; often seen at airport key entry doors and smaller server rooms
➔ change combination at regular intervals or whenever an employee with access is transferred or subject to disciplinary actions
➔ reduces risk of combination being known by unauthorized people
Electronic door locks
- Uses a magnetic or embedded chip-based plastic card key or token entered into a sensor reader
- Uses a special code, which is read by a sensor device to activate door locking mechanism
➔ Advantages of electronic door locks over bolting and combination locks:
1) Card assignment to an identifiable or specific individual, through the special internal code
2) Access restricted to individual’s unique access needs, through the special internal code and sensor devices
3) Difficult to duplicate
4) Easy deactivation of card entry upon employee termination or if the card is stolen or lost
➢ Silent or audible alarms can be automatically activated if unauthorized entry is attempted
➢ Control card keys: Issuing, accounting for, and retrieving the card keys is an administrative process that should be carefully controlled
Biometric door locks
- Activated by an individual’s unique body features, such as voice, retina, fingerprint, hand geometry, or signature
- Used in instances when extremely sensitive facilities must be protected, such as in the military
Manual logging
- Requires visitors to sign a visitor’s log, indicating their:
➢ Name
➢ the company they’re representing
➢ reason for visiting
➢ person to see, and;
➢ date & time of entry & departure
- Typically done at the front reception desk or entrance to the computer room
- Before gaining access, requires visitors to provide verification of identification such as:
➢ Driver’s license
➢ Vendor identification tag
Electronic logging
- A feature of electronic and biometric security systems
- All access can be logged with unsuccessful attempts being highlighted
Identification badges (photo IDs)
- Worn and displayed by all personnel
- Visitor badges should be in a different color from employee badges for easy identification
- Sophisticated photo IDs can also be used as electronic card keys
- Issuing, accounting, and retrieving badges are part of an administrative process that must be carefully controlled
Video cameras
- Located at strategic points and monitored by guards
- Retain video surveillance recordings for possible future playback; they should be recorded with sufficient resolution to permit enlarging the image to identify an intruder
Security Guards
- Very useful if supplemented by video cameras & locked doors
- Guards supplied by an external agency should be bonded to protect the organization from loss
Security Guard Agency Bond
ensures the lawful and honest conduct of the security guard agency, its personnel/staff, in providing security, investigation, and protection to its clients
is a financial assurance that protects clients from any willful and dishonest acts committed by the security guard agency
Controlled visitor access
- Visitors are escorted by a responsible employee. They include:
Friends
Maintenance personnel
Computer vendors
Consultants (unless these are long-term consultants, in which case special access may be provided)
External auditors
All service contract personnel such as the cleaning people and offsite storage services should be bonded personnel
The bonding of these personnel does not improve physical security, but limits the financial exposure of the organization
The same applies to security guards: in case of dishonest acts, the organization will be covered financially
Deadman doors
- AKA mantrap or airlock entrance
- Uses two doors and is typically found in entries to facilities, such as computer rooms and high-security areas
- Reduces the risk of piggybacking, when an unauthorized person follows an authorized person through a secure entry
- In some installations, this effect is accomplished by the use of a full, high turnstile
- May also be used for delivery and dispatch areas, where outer doors open to admit a truck and inner doors cannot be opened to load & unload until the outer doors are closed and locked
Turnstile
A post with arms pivoted on the top, set in a passageway so that persons can pass through only on foot, one by one
Example/Variation: the one used in LRT & MRT stations. It is the metal equipment that turns when a passenger enters the train station
Computer workstation locks
- Secure the device to the desk and prevent use (prevent it from being turned on, or disengage keyboard recognition)
- Another feature is locks that prevent turning on a PC workstation until a key lock is unlocked by a turnkey or card key
Controlled single-entry point
- Monitored by a receptionist; Should be used by all incoming personnel.
➔ Multiple entry points increase the risk of unauthorized entry
- Unnecessary or unused entry points such as doors to outside smoking or break areas should be eliminated
➔ Emergency exits can be wired to alarmed panic bars for quick evacuation
Alarm system
- Should be linked to inactive entry points, motion detectors, and the reverse flow of enter- or exit-only doors
- Security personnel should be able to hear the alarm when activated
Secured report/document distribution carts
Mail carts: should be covered, locked, and not left unattended
Other physical controls on facilities
- On the computer room or information processing facility
- Should not be visible or identifiable from the outside
➔ There shall be no windows or directional signs
- The building or department directory should discreetly identify only the general location of the information processing facility
- If windows are present, use reinforced glass and, if on the ground floor of the building, add further protection with bars
Touring the computer site
is useful for the auditor for overall understanding & perception of the installation being reviewed.
As for environmental controls, if the site is owned by a third party, a control right of audit may be required