http://www.computerworld.com/securitytopics/security/story/0,10801,101220,00.html Opinion by Douglas Schweitzer APRIL 25, 2005 COMPUTERWORLD A San Jose-based medical practice recently notified about 185,000 current and former patients about the theft of their personal information. Stored on two computers, the data was stolen from the medical office during a burglary that occurred March 28. Under California law SB 1386, the medical group was required to publicly disclose the computer security breach because the confidential information of California residents may have been compromised. Unfortunately, that law promises to teach both businesses and the public plenty of lessons about insufficient security practices like those highlighted in the San Jose case. Let's face it: Hardware and software are usually less secure when they're located in an open workspace than they are when they're located in a separate computer room. Security is further decreased when the hardware and/or software is used within a network of computers that aren't housed at a single location. And the level of vulnerability is even higher when the network extends beyond the organization's premises. Some assets -- like hardware devices and data and software that are stored on file servers, PCs or removable media like tapes and disks -- need to be secured physically. Part of physical security is ensuring that only authorized personnel are permitted to transmit data and access devices on LANs. The National Computer Security Center's "Glossary of Computer Security Terms" defines physical security as "the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information." According to security expert and author Kevin Beaver, CISSP, "You cannot have any sense of information security if you don't implement proper physical security measures." Unfortunately, IT departments may disregard physical security, fearing that it's too expensive or too much of a burden. But effectively controlling physical access to an organization's facilities should be the security staff's top concern. When it comes to physical security, most organizations use one or a combination of mechanisms. Security guards are at the front line and should be trained to restrict the removal of assets from the premises. Among other things, they should be trained to record the identity of anyone removing assets. In addition, an authorization procedure should be established for those occasions when removing hardware and software from the premises is necessary. A traditional lock is, of course, one of the simplest ways to secure physical access to IT assets. This ubiquitous security system has effectively impeded access for centuries. While it's decidedly low tech, this approach nevertheless remains appealing to those on a budget, since it's simple and doesn't cost very much. If you wish to add another layer to this security model, you can use keys that can't be duplicated or build "mantraps" in which those who wish to gain entry must pass through two doors, so only one person can enter at a time. Electronic key cards are another good option, and they provide a higher level of security than the traditional lock-and-key approach. With this technology, a user gains entry by swiping an electronically coded plastic card through a magnetic badge reader. An advantage of key-card systems is that they eliminate some of the management problems that arise when you use locks and keys. For example, if an employee quits and walks off with his card, you don't have to change the locks; you just deactivate his card. Perhaps the most intriguing approaches to physical security are those that utilize biometrics. Biometric authentication involves the examination of physical traits of users. The examined feature is compared with stored reference data. Identifiable traits include fingerprints, hand geometry, voice patterns, facial patterns, and iris and retina patterns. Biometrics, or at least the promise of the various technologies involved, is currently at the forefront of thinking about authentication. But organizations have been slow to adopt biometrics, partially because the products available can be expensive and aren't as foolproof as they should be. Remembering that control procedures are necessary for all of the hardware and software you use will go a long way toward protecting less-secure environments. Of course, the level of access control you choose will have to be adjusted depending upon the sensitivity of the data being accessed. Other variables include the significance of the applications processed, the cost of the equipment and the availability of backup equipment. Because laptops are portable and hence targets for theft and misuse, they must be included in the security policy equation. Again, their location and the amount of sensitive data they contain will determine how much physical security they require. This may sound basic, and it is. But any comprehensive security plan has to start with physical security. _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Apr 26 2005 - 14:07:42 PDT