Question

Physical security is often a second priority in an information security program. Since physical security has technical and administrative elements, it often takes a backseat to the security of data and other information technology assets.

Protecting important data, confidential information, networks, software, equipment, facilities, company’s assets, and personnel is what physical security is about. There are two major types of physical security issues: natural and man-made. Natural physical security issues include floods, fire, power fluctuations, severe weather, war, etc., which can cause a permanent loss of data. Man-made physical security issues are typically some form of an attack by a malicious party, which includes terrorism, vandalism, and theft. These events affect the entire organization.

Identify two physical security threats (one of each type), their potential damage and its impact on the organization, and the countermeasures you'd install or implement to mitigate their disruptions.

Answer #1

Physical security threats come in two types:

1. Natural: Examples of natural threats include Fire and Earthquake

  • Fire: Fire can occur in a building or office premises due to many reasons like human carelessness (throwing an unextinguished cigarette carelessly, etc.), electrical circuit fault, etc. Fire can cause a lot of damage to the organization - it can damage/destroy computer systems, data centers, IT equipment, and other organizational property. It can even engulf the whole premises, disrupt the communication network and cause loss of valuable data/digital property as well as loss of precious human life. Fire can be avoided by adopting and maintaining proper fire-safety standards and protocols in the organization, ensuring availability of fire extinguishers at key locations, regular fire safety drills, employee awareness of do's and don'ts, regular maintenance of electrical circuits, etc. Critical data and digital property must be replicated or backed up at regular intervals.
  • Earthquake: Earthquakes are a serious issue at various earthquake-prone locations across the globe where earthquakes are an ever-looming threat. Earthquakes high on the Richter scale could potentially damage the office buildings or even make them collapse. This could in turn lead to destruction of computer systems, data centers and other IT hardware equipment and property as well as loss of human life. It could also potentially cause loss of critical data/digital property. The impact of earthquakes can be reduced by constructing earthquake-resistant offices/buildings, having appropriate earthquake safety protocols and standards in place, regular drills, employee awareness of do's and don'ts, etc. Critical data and digital property must be replicated or backed up at regular intervals. Another possible solution can be the choice of sites for offices which are less earthquake prone.

2. Man-made: Examples of Man-made threats include theft and vandalism:

  • Theft: It is one of the most common man-made threats and includes theft of company-provided laptops, mobile phones and other hardware devices like USB drives, CDs/DVDs, etc. as well as other organization valuables like confidential or proprietary documents. It includes occurrences outside the office premises as well as within. Theft can be caused by some person not related to the organization as well as by an existing or ex-employee of the organization. Theft can not only cause loss of organization-owned hardware/systems, it can lead to loss of critical data and digital property of the organization and unauthorised access to confidential information, which can lead to much higher financial, competitive or reputational loss. Theft can be controlled by protecting the office premises as well as key organisational areas with physical security personnel/guards who restrict physical access to the area to only authorised people (automated systems can also be used alongside). The previous solution requires establishment of a working authorisation and authentication system/standard in the organisation (identification card, RFID card, etc.). CCTV cameras should be installed at all key locations and employees should be made aware of do's and don'ts, especially if they are going to carry some organisational hardware property outside the premises. Critical data/digital property must be replicated or backed up at regular intervals while access to confidential data must always be handled with stricter physical security protocols.
  • Terrorism: This threat highly concerns certain geopolitical areas which have a history of terrorism activities or are susceptible to terrorism attacks. A terrorism attack on an organisational premises can cause disruption of work and communication networks, potential damage/destruction of organisational property (including computer systems, data centers, IT equipment, etc.) and loss of human life. The impact of such attacks can be controlled by having proper security and safety protocols and standards in place, employee awareness of do's and don'ts, protection of office premises and key locations with physical security personnel (guards), regular drills, and proper liaison with the government authorities of the location. Critical data/digital property must be replicated or backed up.