1) introduction
Security is an integral part of every business, from the smallest office to the largest corporation. It is a critical aspect of the protection of all the assets and information in your organization's chain of custody.
There are many different types of physical security, each with some unique characteristics and benefits to an organization. As a result, there are many products on the market.
In this topic we will discuss different types of physical security solutions and what they offer for organizations. We will also discuss which products are right for different situations and applications.
2) Definition of physical security
Physical security is the protection of personnel, hardware, software, networks, and data from physical actions or events. It can be defined as the same as cyber security but defines physical security in a different way.
The definition of physical security is basically the same as in Cyber Security but it doesn’t mean that they are two separate concepts.
The definition of physical security means to prevent the loss or damage of an enterprise's assets because of threats that may come in its ways like fire, theft, explosion, and flood.
It also means preventing people from performing malicious activities to take over for some other purpose like hacking or vandals.
3) Types of physical security
Physical security is the protection of personnel, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage to an enterprise.
There are three types of physical security:
1. Protection against physical attacks
2. Protection against unauthorized access to computer systems
3. Protection against unauthorized access to data
4. Protection against unauthorized destruction of data and information (hacking)
5. Protection against the unauthorized modification or removal of hardware and software (software piracy)
4) Physical security planning
The physical security of your systems and assets is as essential as the physical security of your personnel.
What kind of physical security planning is necessary? Physical security planning (PSP) covers the three pillars, which are:
a. Protection of personnel
b. Protection of assets
c. Protection of systems and networks
While each pillar has its own level of importance, there’s definitely a difference between them when it comes to physical security planning.
The first pillar that needs to be addressed is the protection of personnel. All organizations have people who could become vulnerable at any given time — from sensitive areas to places that require more time to properly secure, like the back-end data centers away from the prying eyes of consumers and employees alike. So what do we need to do? Well, in theory, we need a system in place that will prevent such vulnerabilities from occurring in the first place . . . but let’s not get ahead of ourselves here. In practice, how can you make sure there aren’t any vulnerabilities in your environment?
5) Physical security threats.
“Physical security planning” is the term for the planning of physical security for businesses. Physical security planning is a crucial step in any company’s business plan, which provides clues to where an organization will build its program and investment.
Therefore, it is important to understand the nature of physical security threats that can happen to an organization and how their physical security program can be protected against these threats.
The purpose of physical security is to minimize the effects of a physical security risk by increasing protection such as building or system-wide safeguards, implementing effective detection systems, and establishing a comprehensive event record system.
A physical security risk is generally defined as any threat that could cause loss or damage against your company. This includes psychosocial threats such as employee theft, sabotage, terrorism-related activities, industrial espionage, etc.
The definition of the types of physical security can be categorized into a few categories:
1. Physical access control: These are programs or processes set up to ensure that only authorized individuals have access to work areas and software repositories (examples: building access control systems).
2. Physical entry/exit control: These are programs or processes set up so that unauthorized individuals cannot gain access to granted areas and software repositories (examples: building exit control systems).
3. Fire/ventilation controls: These are programs or processes set up so that fires cannot spread throughout an area (examples: fire sprinklers).
4. Security measures at electrical facilities/switches/cables/etc.: These are programs or processes set up so that unauthorized individuals do not gain access to electrical facilities (examples: fire alarm systems).
5. Access control at workstations/servers/etc.: These are programs or processes set up so that authorized individuals do not gain access to authorized areas on workstations (examples: password protectors).
6) Prevention of physical security threats.
Physical security is the protection of personnel, hardware, software, networks, and data from physical actions and events that could cause serious loss or damage to enterprises. It should be understood that physical security is not just about protecting computer equipment but also encompasses protecting the entire infrastructure of a business.
By way of example, a company might have an office with old computers in a storage room. If one of those computers fails there will be an immediate risk to all other computers because they also rely on this specific computer as part of their network. The physical security plan would need to take into account the failure of these computers and protect against such threats.
A physical security threat can be anything that has the capacity to cause loss or damage to the organization’s infrastructure that could affect confidentiality, integrity, or availability; it may include corporate espionage or sabotage; it may include malicious software or hacking attacks; or it may include natural disasters such as earthquakes, floods, and fires.
The solution needs to be multifaceted due to the existence of many types of threats in today’s world such as cyber-attacks on individual users and servers; access control breaches; physical attacks by criminals (e.g. identity theft); asset misappropriation; insider threats; employee theft; environmental hazards such as fire and flooding; public health threats (e.g., viruses); and operational disruptions (e.g., power outages).
7) Conclusion.
Subject matter experts are on the lookout for the following threats:
Physical security planning should be based on a detailed analysis (identifying weaknesses) and a detailed assessment (imagining possible events) to know where your organization is vulnerable. The key things to consider are:
* How vulnerable are you?
* What can you do about it?
* What defenses have been put in place?
* What can you do about it?
* What are your vulnerabilities? Do you have them? Are they working as intended? Is there a chance they will be exploited by external actors? Does your staff know how to exploit those weaknesses? Do you have any plans in place for adapting them if you don't have them yet? If not does that mean your organization is at risk of becoming highly vulnerable? What types of attacks can happen if someone got their hands on that data? What types of attacks did we just talk about and how do we prevent them? How quickly can we respond to these threats? Should we encrypt our data before it leaves our premises? Should we use firewalls or other technologies that protect against this type of attack? Should we configure VPNs or other technologies that allow us to connect securely even if our network goes down or is otherwise inaccessible? ..etc. Should we consider implementing encryption protocols/services inside our network infrastructure as well as between our network infrastructure and the internet protocol endpoints in order to ensure that all data leaving our network is encrypted before being transmitted over the internet protocol backbone (IPv4 or IPv6)? Is there any proof-of-concept research done on encryption protocols/services implemented internally within an organization's own topology/infrastructure/network architecture, including public-facing web applications, internal databases, etc.? Does this research show any significant improvements in security efficiency with regard to cost-benefit analysis, performance metrics, etc.? What does this mean for physical security planning overall? Do we need additional layers of physical security technology like firewalls, virtual private networks (VPN), specialized intrusion detection systems (IDS), host-based intrusion detection systems (HIDS), etc., on top of what we're already using today? Does this research show significant improvements in physical security efficiency with regard to cost-benefit analysis, performance metrics