Now we are ready to focus on two areas of security that are very technical: physical security and security operations. While there are many ways to control security that are related to computer science, many agree that if an adversary has physical access to a server or even your wireless access point, then there is little that hardware, software, and communications can do to protect the confidentiality, integrity, or availability of your information assets; the game may be over before it starts. We will look at the primary means to control access to your facility and information assets.
Physical security controls are arguably the first (or outermost) layer in a defense-in-depth strategy. As a result, we will spend some time looking at ways to control physical access to an organization's computing resources, and what to do when we lose physical access control.
Our second topic this week is security operations. This area concerns operating and maintaining a production system and network that remains secure even when it is under attack. It involves knowing what is happening at all times so that your system can be kept in a known good state. Security operations is arguably the last layer in a defense-in-depth strategy. The issues are to prevent, detect, and react to loss of confidentiality, integrity, and availability. To do this effectively, you have to know your vulnerabilities, the nature of the threat, whether you are under attack, what kind of attack you are experiencing, and you must have plans to deal with all of those things. In essence, the job is to maintain readiness. Security operations is, in a sense, where the rubber meets the road.
One area of focus deals with ways to control access to business and personal information. Operations Security, or OPSEC as it is called, is a lot like a puzzle. One may be able to capture and arrange innocent-looking information to build a picture of how you protect your information assets, including how you protect your facilities and your people. It looks at how an adversary might "case the joint" (in bank robber terminology).
Objectives
1. Given an organization requiring physical security, be able to establish physical security guidelines for that organization.
Enablers
Examine the types of physical access controls.
List the layers of common physical access controls.
Discuss defense-in-depth.
Perform a physical security survey.
2. Given an organization requiring operational security, be able to establish operational security guidelines for that organization.
Enablers
Explain the basic principles of security operations.
Explore the relationship of change management to security operations.
Distinguish between security operations and operations security (OPSEC).
List important elements of situation awareness.