This installment in the NG-SEC series discusses physical security guidelines. Although one may not think of physical security as a topic in a cyber security arena, without physical security, network devices are left unprotected from the surrounding environment. All NG9-1-1 information resources must be kept physically secured and protected from theft, misappropriation, misuse, unauthorized access and damage. NG-SEC section 8, Physical Security Guidelines includes:
- Building and Physical Access Control
- Authorized Physical Entry
- Storage Media and Output
- Mobile Devices
- Environmental Controls
- Server Room
- Data Communications Network
During PSAP assessments L.R. Kimball observes PSAPs are generally cognizant of physical security. Among positive findings are closed circuit cameras, keypad entry, attended reception area, and logging visitors. However, once access is gained to the facility, it is common to find the doors to the call center and equipment rooms left open and unattended.
A particular concern for physical security is third-party vendors with open access to the facility. While it is understood that there is a need for certain vendor employees to gain access to the facility on a 24 hour basis, it is not to say that their presence should be completely unattended. It is recommended that such personnel be logged in and their actions while in the facility monitored. It is important that the PSAP is aware of tasks that are performed by all personnel who have access to sensitive areas to prevent mishaps and to remain informed of actions taken.
Another point of concern during assessments is minimal concern afforded to areas with environmental controls. Physically securing the environmental controls is an important and often overlooked aspect of security. With server rooms and workstations that are reliant upon proper temperature and humidity control to operate, environmental controls are necessary. If equipment is not properly cooled, it will overheat resulting in system shutdown, data loss and possible equipment and software damage.
Similar areas of physical concern are:
- Commercial power rooms
- Emergency power rooms
- Communications rooms
- Cable vaults
- Switch rooms
- HVAC equipment rooms
- Operations control rooms
As PSAPs become connected via IP enabled networks, physical security is a growing responsibility that requires further attention. Unattended areas provide the opportunity for data theft and network interruptions. PSAPs should address physical security throughout the facility to assure restricted areas are available only to personnel with a business need.
Our next post will discuss network and remote access security.
Comments