The Official (ISC)2 SSCP CBK Reference - Mike Wills

Скачать книгу

capabilities.

       Cameras: Cameras serve a deterrent purpose but can be combined with monitoring capabilities (such as guards watching a video feed or motion sensors) for detection functions. Know that it's fairly easy for dedicated attackers to separate the cameras that are actually monitored from those that are “perimeter dressing” and most often ignored.

       Buried lines: While these serve no deterrent function, underground sensors can be used for intrusion detection within the border of a property.

       Access control points: Guard stations or gates can be staffed or equipped with additional mechanisms (card readers, cameras, turnstiles, etc.).

       Patrols: Guards (human or canine) can provide deterrent, detective, corrective, and recovery controls.

       Motion sensors: There are a variety of technologies that support the organization's ability to surveil the perimeter and any area outside facilities, including the cameras and buried lines, as well as microwave, laser, acoustic, and infrared systems.

       Lighting: Well-lit areas serve both deterrent and detective purposes. Continual maintenance of all lighting sources is crucial, as a burned-out or broken bulb can defeat any security benefit the light might provide.

      Parking

      The most dangerous workplace location is the site where vehicles and pedestrians meet. It is imperative to include sufficient lighting, signage, and conditions (width of right-of-way, crosswalks, etc.) to minimize the possibility of threats to human health and safety. Monitoring is also useful, as parking areas are often locations that are accessible to the public and have been frequently used to stage criminal activity (workplace violence, robbery, rape, murder, etc.).

      If the parking structure allows for entry to the facility, this entry should be equipped with access controls, and all entryways should feed to a single reception point within the facility.

      Generators and fuel storage, as well as utility access (power lines, water/sewer pipes, etc.), should be protected from vehicular traffic, either with distance or with additional physical obstructions. There must be sufficient access for fuel delivery traffic, but this should be severely limited to reduce risk.

      Facility Entrance

      In addition to the other entrance controls already mentioned, the entry to the facility might include the following:

       Reception staff: This includes guards or administrative personnel who observe people entering and leaving the facility.

       Logging: This may be as technologically rudimentary as a sign-in book or combined with sophisticated badging/monitoring capabilities.

       Flow control: Turnstiles or other mechanisms ensure only one person at a time can pass, typically only after presenting a credential (such as a badge or biometric element).

      In addition to the other access control elements used for maintaining physical control of the workplace environment listed elsewhere in the book, the security practitioner should be familiar with the following:

       Safes: Secure containers that can offer protection from unauthorized access, fire, water damage, and, in some cases, chemical contaminants. Both the safe itself and the lock on the safe should be rated by a standards body for specific criteria, according to the particular needs of the organization.

       Secure processing areas: Specific areas within the workplace that are set aside, both administratively, technically, and physically, from the rest of the production environment. These are typified by secure entryways, severe limitations on personnel access, hardened structures (walls, no windows, etc.), and electromagnetic shielding. In the U.S. government sphere, these are referred to as sensitive compartmented information facilities (SCIFs), although the term has begun to see wider use in nongovernment activities in recent years.

      TIP Can Visitors Spot your Vulnerabilities? “Reconnaissance by walking around” is a time-honored component of many an intrusion; it's even easier nowadays when smartphones can conduct full Wi-Fi surveys. Try it yourself, as part of an ethical penetration test.

      The Data Center

      As the focal point of the data assets of the organization, the data center is in particular need of protection within the property/facility. The data center also has some specific requirements that make it somewhat different than the rest of the production environment. In addition to the other access controls placed on secure areas within the workplace (discussed earlier in this chapter and in Chapter 5), security of the data center should include consideration of the following factors:

       Ambient temperature: IT components generally function better in relatively cold conditions; if the area is too hot, the machines will not function optimally. However, if the area is too cold, it will cause discomfort for personnel.

       Humidity: An interior atmosphere that is too dry will increase the potential for electrostatic discharge. An atmosphere that is too damp will increase the potential for development of mold, mildew, and insects.

      Standards for maintaining a desirable range of data center environmental conditions should be used to establish targets. One such reference is the ASHRAE Technical Committee 9.9 thermal guidelines for data centers; see http://ecoinfo.cnrs.fr/IMG/pdf/ashrae_2011_thermal_guidelines_data_center.pdf.

      The Uptime Institute publishes a multitier standard for use by data center owners in determining and demonstrating their particular requirements and capabilities (“Data Center Site Infrastructure Tier Standard: Topology”; see https://uptimeinstitute.com/tiers). The tiers range in purpose and requirements from basic data centers that might be used for archiving or occasional data storage to facilities that support life-critical processes. The CISSP should have a cursory knowledge of the four-tier levels and their descriptions. (For more information, see https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/.)

      The standard is free for review/guidance; certification against the standard is performed only by the Uptime Institute and requires payment.

      Organizations that receive Uptime Institute tier certification for their data centers can be listed in the Institute's online register: https://uptimeinstitute.com/TierCertification/allCertifications.php?page=1&ipp=All.

      Finally, fire poses a significant, common risk to data centers because of the high potential for occurrence and because of the disproportionately heavy impact a data center fire would have on the organization. The selection, design, implementation, maintenance, and use of fire protection and alarm systems can be quite complex, and in many jurisdictions must be undertaken by a properly licensed fire protection engineer. Municipal standards such as building codes also must be taken into account. Insurance providers may also levy strict inspection and compliance constraints on any and all fire protection systems and practices in order to maintain policy coverage. This all goes well beyond what the SSCP can or should attempt to take on.

      Service Level Agreements

      In the modern IT environment, there are many reasons (not the least of which is cost) for an organization to consider contracting with an external service provider to handle regular operational tasks and functions. To create a contract favorable for both

Скачать книгу