Answer Tut11


Answer to Tutorial 11 – Information Security

1. What is physical security?

Answer:

Physical security addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization. This means the physical protection of the people, hardware, and the supporting system elements and resources associated with the management of information in all its states: transmission, storage, and processing.

2. How do the roles of IT, security, and general management differ with regard to physical security?

Answer:

Physical security is designed and implemented in several layers. Each community of interest in the organization is responsible for components within these layers.

• General management: Responsible for the security of the facility in which the organization is housed and the policies and standards for secure operation. This includes exterior security, building access, as well as other controls.

• IT management and professionals: Responsible for environmental and access security in technology equipment locations and for the policies and standards of secure equipment operation. This includes access to server rooms, server room temperature and humidity controls.

• Information security management and professionals: Perform risk assessments and implementation reviews for the physical security controls implemented by the other two groups.

3. How does physical access control differ from logical access control?

Answer:

Physical access control refers to the countermeasures aiming at protecting the physical resources of an organization (people, hardware, supporting system elements, and resources associated with the management of information in all its states).

Logical access control refers to the countermeasures aiming at protecting the critical information that a potential attacker could steal without having to physically access the devices storing that kind of information. Logical access controls are mainly technology-based controls (firewalls, intrusion detection systems, and monitoring software).

4. Define a secure facility. What is the primary objective of designing such a facility?

Answer:

A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats.

The primary objective of designing such a facility is to ensure physical security in that facility in order to protect the physical resources of the organization.

5. Why are guards considered the most effective control for situations that require human reasoning? When should dogs be used for physical security?

Answer:

They are the only control discussed where human intellect is online to be applied to the problems being faced.

Dogs are useful when keen senses are needed within a controlled setting.

6. What are the two possible modes that locks use when they fail? What implications does this have for human safety? In which situation is each preferred?

Answer:

Fail-safe and fail-secure.

Fail-secure locks will be unable to be opened in the event of failure and human safety could be compromised in the event of a life-safety emergency.

Whenever humans can be trapped inside, fail-safe locks are required.

7. What is the most common form of alarm? What does it detect? What types of sensors are commonly used in this type of alarm system?

Answer:

The most common form of alarm is the burglar alarm.

Burglar alarms detect an intrusion.

The types of sensors they use are motion, glass breakage, weight and contact sensors.

8. Describe a physical firewall that is used in buildings. List the reasons you can think of for why an organization might need a firewall for physical security controls.

Answer:

A firewall is an interior wall constructed of non-combustible materials that extends to the ceiling height to prevent the spread of fire.

Computer rooms and wiring closets should be compartmentalized between firewalls to prevent fire damage and intrusion. Firewalls help to prevent intrusion because they do block areas in the plenum that are not blocked by normal walls.

9. What is considered the most serious threat within the realm of physical security? Why is it valid to consider this threat the most serious?

Answer:

Fire.

More losses come from this threat than all others combined.

10. List and describe the four classes of fire described in the text. Does the class of the fire dictate how to control the fire?

Answer:

(i) Class A – Fires that involve ordinary combustible fuels such as wood, paper, textiles, rubber, cloth, and trash. Class A fires are extinguished by agents that interrupt the ability of the fuel to be ignited. Water and multipurpose dry chemical fire extinguishers are ideal for these types of fires.

(ii) Class B – Fires fueled by combustible liquids or gases, such as solvents, gasoline, paint, lacquer, and oil. Class B fires are extinguished by agents that remove oxygen from the fire. Carbon dioxide, multipurpose dry chemical fire extinguishers, and halon fire extinguishers are ideal for these types of fires.

(iii) Class C – Fires with energized electrical equipment or appliances. Class C fires are extinguished with agents that must be non-conducting. Carbon dioxide, multipurpose dry chemical fire extinguishers, and halon fire extinguishers are ideal for these types of fires.

(iv) Class D – Fires fueled by combustible metals, such as magnesium, lithium, and sodium. Fires of this type require special extinguishing agents and techniques.

11. List and describe the four primary types of UPS (Uninterruptible Power Supplies) systems.

Answer:

Four basic configurations of UPS are:

(i) A standby or offline UPS, which is an offline battery backup that detects the interruption of power to the power equipment;

(ii) A ferroresonant standby UPS, which is also an offline UPS that provides power through electrical service and uses the UPS as a battery backup;

(iii) The line-interactive UPS, which also uses a battery backup as a source of power but generates power through inverters and converters inside the model; and

(iv) The true online UPS, which works in the opposite fashion to a standby UPS since the primary power source is the battery.

12. List and describe the three fundamental ways that data can be intercepted.

Answer:

Three methods of data interception are:

(i) Direct observation, which requires close enough distance between an individual and the information to breach confidentiality;

(ii) Interception of data transmission, which can be done in several ways such as through sniffer software or tapping into a LAN; and

(iii) Electromagnetic interception, which occurs when an individual eavesdrops on electromagnetic signals that move through cables.