Things to Watch

Physical security is usually the best understood area of information security, but this does not mean that physical security failures are rare. Whilst many organisations have manned front entrances, there are often unprotected access points, typically an external door propped open with a fire extinguisher or similar.

Many organisations use access control systems, but the access rights granted are rarely monitored for continued business need. It is often the case that access is still granted to staff or contractors who left some considerable time ago, or who no longer need (but may still want!) the authorised level of access. The Auditor will review access control lists for continued business need and also check how temporary passes are used (or abused).

Power supplies and backup power supplies are often only checked at installation time. The addition of further equipment onto a power supply is rarely considered in a change management process and can lead to catastrophic failure. Failure to provide an appropriate UPS for use on mains power failure is another major area of concern. Regular testing of the UPS and generator systems is necessary to ensure that they are operationally effective, and the Auditor will require access to the records that prove these tests take place. Oh - and don't forget to keep adequate fuel in the generator!

Cabling security and management is another area often found to be wanting. A 'spaghetti-like' set of cabling with no documentation or cable maps will alert an Auditor to possible poor cable management. The Auditor will inspect cabling (lifting floor tiles to inspect sub-floor voids) and will ask for cabling documentation.

Equipment should be maintained in accordance with the manufacturer's recommendations and with business need. The Auditor will check a selection of maintenance records to ensure that an appropriate maintenance schedule is in place.
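The access control list review described above is usually done by reconciling the badge system's export against the HR roster: anyone who has left, any badge used after its holder's leaving date, any right not exercised for months, and any temporary pass that has outlived its purpose. The following is an added example of that reconciliation, not code from the book; the badge records, names, areas, dates and thresholds are all constructed for illustration.

```python
"""Reconcile a physical access control list against an HR roster.

Added example (not from the original text). All data below is constructed:
hypothetical badge holders, areas and dates, chosen to exercise each check.
"""
from datetime import date

# Constructed export from a badge/door controller.
ACL = [
    {"badge": "B001", "holder": "a.smith", "area": "server_room",
     "issued": date(2023, 1, 9), "temporary": False, "last_used": date(2024, 5, 3)},
    {"badge": "B002", "holder": "j.doe", "area": "server_room",
     "issued": date(2022, 6, 1), "temporary": False, "last_used": date(2024, 4, 28)},
    {"badge": "B003", "holder": "k.lee", "area": "comms_room",
     "issued": date(2023, 3, 15), "temporary": False, "last_used": date(2023, 11, 1)},
    {"badge": "T017", "holder": "contractor-7", "area": "server_room",
     "issued": date(2024, 4, 1), "temporary": True, "last_used": date(2024, 5, 2)},
    {"badge": "B004", "holder": "x.unknown", "area": "server_room",
     "issued": date(2023, 8, 2), "temporary": False, "last_used": None},
]

# Constructed HR roster: current status and, for leavers, the leaving date.
ROSTER = {
    "a.smith": {"status": "active", "left": None},
    "j.doe": {"status": "left", "left": date(2024, 3, 31)},
    "k.lee": {"status": "active", "left": None},
    "contractor-7": {"status": "active", "left": None},
}

# Hypothetical audit date and thresholds (policy values, not from the text).
TODAY = date(2024, 5, 6)
DORMANT_DAYS = 90      # right unused this long has no demonstrated need
TEMP_MAX_DAYS = 14     # temporary passes should not outlive this


def review_acl(acl, roster, today, dormant_days=DORMANT_DAYS,
               temp_max_days=TEMP_MAX_DAYS):
    """Return (badge, reason) pairs for entries the Auditor should question."""
    findings = []
    for entry in acl:
        badge, holder = entry["badge"], entry["holder"]
        person = roster.get(holder)
        if person is None:
            # Nobody in HR owns this badge: orphaned or shared credential.
            findings.append((badge, "holder not on HR roster"))
            continue
        if person["status"] == "left":
            last = entry["last_used"]
            if last is not None and last > person["left"]:
                # The "no longer need but may still want" case: used after leaving.
                findings.append((badge, f"holder left {person['left']} but badge used on {last}"))
            else:
                findings.append((badge, f"holder left {person['left']}; access not revoked"))
            continue
        age = (today - entry["issued"]).days
        if entry["temporary"] and age > temp_max_days:
            findings.append((badge, f"temporary pass outstanding for {age} days"))
        last = entry["last_used"] or entry["issued"]
        idle = (today - last).days
        if idle > dormant_days:
            findings.append((badge, f"dormant: last used {last}, {idle} days ago"))
    return findings


def audit_report(today=TODAY):
    """Group findings by badge so each badge's reasons can be read together."""
    report = {}
    for badge, reason in review_acl(ACL, ROSTER, today):
        report.setdefault(badge, []).append(reason)
    return report


if __name__ == "__main__":
    for badge, reasons in sorted(audit_report().items()):
        for reason in reasons:
            print(f"{badge}: {reason}")
```

The two inputs come from different owners (facilities and HR), which is exactly why the gap opens up: neither side sees the whole picture until someone joins the records. Running the reconciliation on a schedule, rather than once at audit time, turns the Auditor's spot check into a standing control.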
In today's era of portables and home working it is sometimes onerous to manage equipment movement on and off site, especially if the organisation is split over a number of sites. Equipment being taken off site should be assigned an owner who is accountable and responsible for that equipment until it is returned to the organisation's stores. The Auditor will check records to ascertain what equipment has been signed out to a selection of staff and ensure that this is current. The Auditor will also check what security training has been given to staff holding equipment off site, to determine whether it is appropriate.

The press has many stories of information being found on rubbish tips, or on computers that have been inappropriately disposed of, where the new owner has found details such as bank records or a Minister's private correspondence. The Auditor will examine the disposal and re-use process to ensure that there is no chance of unauthorised access to that information. Typically the Auditor will inspect the disposal log and the re-use of pooled equipment to ensure that appropriate controls are in place.

Clear desks are often hard to achieve given the cost of office space, but the Auditor will check that there are no unlocked safes or cupboards containing sensitive information, that combinations are not written in the back of a diary close by, and that confidential information is not left out on an unattended desk. At the end of the day, or at any other time during the day, the Auditor will check a number of PCs to ensure that they actually are 'screen locked' or logged off. It only takes one unattended PC with a high level of privilege for an unauthorised person to create havoc on the system, or to copy sensitive information in a way you would probably never discover.
The Security Practitioner: An Introduction to Information Security