Physical and environmental assessment in information security
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via firstname.lastname@example.org; twitter: @moshoke
October 19, 2020
Most Nigerian companies store information in the cloud or in designated physical data centres. These platforms need a high level of monitoring, especially the physical data centres. Yet most companies rarely pay attention to these physical assets until something happens.
For example, as I assessed a company's physical and environmental component, I found that the door to their on-premise data centre was never locked, which raised a red flag. After I reported this to the stakeholders in that company, they realised that they had never paid attention to locking the doors to the data centre, and one of the stakeholders said, "who would want to steal data when there are cameras?"
We carried out further investigations and found blind spots that the so-called security cameras did not cover. The stakeholder was shocked by our discovery and supported our recommendations.
It is essential to state that information security is the overall protection of information to prevent its loss, unauthorised access or misuse. The moment a company allows unauthorised access to information or the misuse of information, it opens itself to potential data breaches.
Information security requires ongoing assessment of threats and risks to information, and of the procedures and controls that protect it, while paying attention to three main information security properties: confidentiality, integrity and availability.
Confidentiality ensures that the company limits access to data to authorised parties only. That means the salesperson in a health care company does not need access to the medical reports of a customer. Integrity means that the data is authentic and complete and has not been altered without authorisation, so the company can trust that the data it holds is accurate. And perhaps the most essential property in the protection of information is availability, which requires the company to be able to access data when needed, especially to carry out its duties or obligations under its contractual agreements.
The protection of information is quite complicated. As such, the controls put in place should be monitored and reviewed to ensure that the organisation meets its security objectives.
Private and public organisations in Nigeria must pay attention to security controls to protect the information in their possession. There are three types of security controls that Nigerian organisations must pay attention to: physical controls, administrative controls and technical controls.
My focus here is on the assessment of physical and administrative controls. In another article, I will focus on technical controls.
Physical controls are the measures used to protect an organisation's facilities, buildings and equipment from natural or human-made threats; administrative controls are the policies and procedures that govern how those measures are applied and reviewed.
Physical and environmental security protects an organisation's personnel, electronic equipment and data. In the example I gave above, it is this physical and environmental protection that now helps that particular company to protect its data centre.
But what must companies pay attention to when building robust physical and environmental controls?
They must issue access cards and put access control systems in place that record who has access to the data centre, when they accessed it and what they did while inside. Keeping and reviewing these records removes the guesswork when a security incident has to be investigated in the future.
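Access records are only useful if someone actually reviews them. The following is an added example (not code from the article) showing the kind of review an assessor can run over a badge-reader export: it reconciles entries against an authorised-access list and flags unknown badges, out-of-hours entries, and a second entry without an exit (an anti-passback violation that often indicates tailgating or a shared badge). The log format, badge IDs, door name and business hours are constructed assumptions for illustration; a real door controller exports its own format.

```python
"""Reconcile constructed badge-reader log lines against an authorised-access list.

Added example, not from the original article. The CSV layout
(timestamp,badge_id,door,event), the badge IDs and the business hours are
assumptions made for illustration only.
"""
from datetime import datetime, time

# Constructed sample export from a hypothetical door controller.
SAMPLE_LOG = """\
2020-10-12T08:55:10,B1001,DC-MAIN,ENTRY
2020-10-12T09:02:44,B1001,DC-MAIN,EXIT
2020-10-12T09:10:03,B2042,DC-MAIN,ENTRY
2020-10-12T09:10:05,B2042,DC-MAIN,ENTRY
2020-10-12T22:47:19,B1001,DC-MAIN,ENTRY
2020-10-12T23:10:00,B1001,DC-MAIN,EXIT
2020-10-13T10:15:30,B9999,DC-MAIN,ENTRY
2020-10-13T11:00:00,B9999,DC-MAIN,EXIT
2020-10-13T12:05:00,B2042,DC-MAIN,EXIT
"""

# Badges authorised for the data centre (assumption, normally from HR/IT records).
AUTHORISED = {
    "B1001": "A. Okafor (data centre operations)",
    "B2042": "C. Bello (network team)",
}
# Entries outside this window are worth a second look (assumption).
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, event = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "event": event})
    return events


def find_anomalies(events, authorised=AUTHORISED, hours=BUSINESS_HOURS):
    """Return (kind, badge, timestamp) findings in chronological order."""
    findings = []
    inside = set()  # badges the log says are currently inside the room
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "ENTRY":
            if e["badge"] not in authorised:
                findings.append(("unknown_badge", e["badge"], e["ts"]))
            if not (hours[0] <= e["ts"].time() <= hours[1]):
                findings.append(("out_of_hours", e["badge"], e["ts"]))
            if e["badge"] in inside:
                # Two ENTRY events with no EXIT between them: the holder left
                # without badging out (tailgating) or the badge is being shared.
                findings.append(("double_entry", e["badge"], e["ts"]))
            inside.add(e["badge"])
        elif e["event"] == "EXIT":
            inside.discard(e["badge"])
    return findings


if __name__ == "__main__":
    for kind, badge, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        who = AUTHORISED.get(badge, "not on authorised list")
        print(f"{ts.isoformat()}  {kind:<14} {badge}  ({who})")
```

Run against the constructed log, the review produces three findings: a double entry by B2042, an out-of-hours entry by B1001 and an entry by the unknown badge B9999. Each one is a question for the stakeholder, not yet a breach; the point is that the records make the question possible.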
Alarms are vital components. Fire, smoke and water-leak alarms ensure that the right individuals know when such events happen, and those individuals, if trained, know the safety steps to follow.
How does your company dispose of USB drives and hard drives? Companies must pay attention to their asset disposal methodology. There must be a safe, documented way to dispose of drives that carry important information, so that the data cannot be recovered by whoever ends up with the hardware. Simply throwing them in the bin is not acceptable.
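One concrete piece of such a disposal procedure is to overwrite the media and then verify the overwrite before the drive leaves the building. Below is an added example (not code from the article) of an overwrite-and-verify routine. It is demonstrated on an ordinary file so that it runs anywhere; pointing it at a raw block device path (with the necessary privileges) applies the same steps to a whole drive. The chunk size, pass order and the planted sample content are assumptions. One caveat a practitioner should know: on SSDs, wear levelling means an overwrite may not reach every physical block, so the drive's built-in sanitize or secure-erase command, or physical destruction, is the appropriate method there.

```python
"""Overwrite-and-verify routine for retired storage media.

Added example, not from the original article. Works on a regular file or on a
raw block device path; CHUNK size and pass pattern are assumptions.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write (assumption)


def _media_size(fd):
    """Size in bytes; lseek works for both files and block devices."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_media(path, passes=("random", "zero")):
    """Overwrite every byte once per pass, flushing to stable storage each pass.

    Returns the number of bytes covered. Opened without O_TRUNC so the
    existing extent is overwritten in place rather than deallocated.
    """
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _media_size(fd)
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = secrets.token_bytes(n) if pattern == "random" else bytes(n)
                remaining -= os.write(fd, buf)  # advance by what was written
            os.fsync(fd)  # do not trust a pass that only reached the page cache
    finally:
        os.close(fd)
    return size


def verify_zeroed(path):
    """Read the whole medium back; True only if every byte is zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo():
    """Plant constructed 'sensitive' content, wipe it, and verify the result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "retired-drive.img")
        with open(path, "wb") as f:
            f.write(b"CUSTOMER MEDICAL RECORD 0001\n" * 40000)  # constructed content
        before = verify_zeroed(path)  # False: readable data is present
        size = overwrite_media(path)
        after = verify_zeroed(path)   # True: nothing but zeros remains
        return before, after, size


if __name__ == "__main__":
    before, after, size = demo()
    print(f"wiped {size} bytes; zeroed before={before} after={after}")
```

The verification read is the part most disposal procedures skip. It is what turns "we ran a wipe tool" into evidence that the wipe completed, which is the record an assessor will ask for.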
Companies, especially those that serve the public, must at all times identify and authenticate the individuals who enter their premises. Identification and authentication can be recorded in a single digital register that captures the details of every person who enters the environment.
Video surveillance is another physical security control a company can maintain. It is good practice to inform people that cameras are in place. Video surveillance helps deter theft, and in the case of a security breach the recordings can serve as evidence during an investigation, provided, as the example above shows, that the cameras actually cover the areas that matter.
These steps are not exhaustive. However, they should serve as a guide to companies as they carry out their physical and environmental assessment.