680 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
To be effective, policies must apply to everyone or there is no point in having them. Policies and procedures exist to protect personnel, equipment, data, and other assets of a company, and are generally implemented for well thought out reasons. If someone fails to adhere to policies, then situations can result that have a widespread impact on security.
Physical Security Policies
Security policies should also address physical security. Physical security is the application of preventative measures, countermeasures, and physical barriers that are designed to prevent unauthorized individuals from accessing facilities, areas, or assets of a company. These unauthorized individuals can be intruders or employees of the business. After all, even if a user's own workstation does not allow them to perform certain actions, a security risk still exists if that user can physically sit at a server console and modify security settings or delete important data. The solution to such intrusions is to lock servers and other vital equipment in a secure room (or closet) so that unauthorized persons cannot reach them. Physical security policies outline how to restrict physical access, limiting the potential impact of various threats.
There are numerous assets and aspects of physical security that must be addressed in security policies. These include:
■ Facilities, which focuses on the buildings and properties of an organization, and outlines access controls used to enter and leave various areas. The policy should also incorporate section security, where specific areas like server rooms, reception areas, labs, and other areas that are restricted or open to the public are addressed.
■ Assets, which focuses on the hardware, software, data, equipment, personnel, and other items of value in an organization. The policy should address issues that could result in tampering, theft, or damage. For example, a courthouse with heightened security may need to limit physical access to front desk personnel, and require a barrier made of bulletproof/shatterproof glass to be erected.
■ Control measures, which outline how facilities and other assets of the company are secured. Areas that are designated as restricted zones may require locks, biometric authentication, or any number of other control measures. Workstations, servers, and other equipment may also be physically secured,
www.syngress.com