The objective of physical and environmental security is to prevent unauthorized access, damage, and interference to business premises and equipment. In this chapter, with a focus on the physical environment, we discussed the three elements to security—obstacles that deter trivial attackers and delay serious ones, detection systems that make it more likely that the attack will be noticed, and a response capability to repel or catch attackers. We began at the security perimeter, worked our way gradually inward to the data center, and then back out to mobile devices. Starting at the perimeter, we saw the importance of having a layered defense model as well as incorporating CPTED (crime prevention through environmental design) concepts. Moving inside the building, we looked at entry controls and the challenge of authorized access and identification. We acknowledged that not all access is equal. Workspaces and areas need to be classified so that levels of access can be determined and appropriate controls implemented. Equipment needs to be protected from damage, including natural disasters, voltage variations (such as surges, brownouts, and blackouts), fire, and theft. Purchasing Energy Star–certified equipment and proactively reducing energy consumption supports the long-term security principle of availability.
We explored the often-overlooked risks of device and media disposal and how important it is to permanently remove data before handing down, recycling, or discarding devices. Even the most innocuous devices or media may contain business or personal data in metadata, hidden or temporary files, web or data caches, or the browser history. Deleting files or formatting drives is not sufficient. DoD-approved disk-wiping software or a degaussing process can be used to permanently remove data. The most secure method of disposal is destruction, which renders the device and/or the media unreadable and unusable.
Mobile devices that store, process, or transmit company data are the newest challenge to physical security. These devices travel the world and in some cases are not even company-owned. Threats run the gamut from nosy friends and colleagues to targeted theft. The detection, investigation, notification, and after-the-fact response cost of a lost or stolen mobile device is astronomical. The economic impact of lost customer trust and confidence is long-lasting. Encryption and antitheft technology solutions that enable remote locate, remote lock, and remote delete/wipe functionality must be added to the protection arsenal.
Physical and environmental security policies include perimeter security, entry controls, workspace classification, working in secure areas, clean desk and clean screen, power consumption, data center and communications facilities environmental safeguards, secure disposal, and mobile device and media security.