Welcome to NBlog, the NoticeBored blog

Jan 1, 2013

SMotW #38: physical security maturity

Security Metric of the Week #38: physical and environmental security maturity

Without decent physical access controls, most other information security controls can be undermined, bypassed or literally busted wide open - for example, a thief who steals the server can analyze its security configuration at his leisure, using whatever tools and methods he and his underworld pals own or "borrow" for the purpose.  Persuading a university researcher to pop the lid off a chip and examine it with an electron microscope was one of the techniques allegedly used to reverse-engineer the early smartcards used to encrypt naughty channels on satellite TV.

Compared to the complex technological controls used elsewhere in information security, physical security controls are relatively obvious, tangible and simple to measure.  We have the benefit of thousands of years' experience with fences, walls and locks, while the insurance companies have millions of data points regarding control failures.  The strength of a padlock and chain, for example, is easy to test by applying force.  Its weight is a rough indicator.  It can be measured more accurately using test jigs to determine the point at which the test force overcomes the lock's capabilities.  There are lots of standards for physical security controls.

Other physical controls such as environmental monitoring and Uninterruptible Power Supplies ensure the provision and quality of vital supplies for the computer systems.  They are legitimately classed as information security controls for the simple reason that they are protecting the availability of information processing.   Even office air conditioners are information security controls in the sense that they enable office workers to think straight when it is boiling hot or freezing cold outside!

Section 9 may not be the crowning glory of ISO/IEC 27002:2005, but it does at least offer basic guidance in the area of physical and environmental security.  This week's security metric uses the standard to structure another of our maturity scoring tables.  

As with the information security maturity metrics we have previously discussed for HR, asset management, business continuity and compliance, the approach we used to develop the physical security maturity metric is as follows:
  1. Consider a control requirement within the domain, for example the need to maintain stable and reliable electrical power for the computer suite.
  2. Using standards, knowledge and experience, identify the controls that are typically used to satisfy the control requirement (e.g. whole room and/or rack-mounted and/or internal UPS units, generators, dual feeds from the electricity grid, redundant hot-swappable computer power supplies, power monitoring and alarms, maintenance and testing procedures ...).
  3. Develop a suite of scoring or assessment criteria ranging across four points on the scale, from absent/totally inadequate at the bottom end up through good practice to excellence at the top.
  4. Use the criteria to consider, score, compare and contrast hundreds of organizations, discussing the findings with subject matter experts, auditors and managers, continually refining the criteria, fine-tuning the wording and generally proving the approach as you go.
Like the others, this maturity metric shines with an overall PRAGMATIC score of 86%:

P     R     A     G     M     A     T     I     C     Score
90    95    70    80    90    85    90    85    90    86%

Maturity metrics like this are:
  • Quite expensive to develop, requiring an investment of many highly-skilled man-hours;*
  • Cost-effective to use, generating a wealth of potentially useful details concerning the highs and lows of the area being evaluated, as well as the overall evaluation scores;
  • Generic, incorporating good practice guidance and ideas from numerous sources (including the organizations being measured) and yet easily customized to suit a given organization's specific security requirements (e.g. any physical security obligations imposed on it, as defined in contracts, laws and regulations);
  • Extensible, readily updated to reflect new control requirements and controls as they emerge and are adopted; 
  • Simple to use: well-written scoring criteria are easily understood and interpreted by competent assessors, such as information security and IT audit professionals, despite their differing levels of skill and experience;
  • Flexible, allowing assessors to apply common sense interpretations of the risks in the context of the organization's actual situation (something that formal certification standards such as ISO/IEC 27001 struggle to get to grips with).
Of the 150+ example metrics laid out in the book, this one falls just outside the top ten percent as far as ACME Enterprises is concerned.  There's one other physical security metric that scored even better but - sorry - we're not going to give the game away right now by revealing what that is, nor why it achieved an even better PRAGMATIC score.  You'll just have to wait a few more days until the book is published, or hold on until we cover it in the blog.

Happy new year all.  Here's hoping that 2013 measures up to your highest expectations.

Regards,
Gary & Krag

* You need only invest £45 at CRC Press, or $63 at Amazon to buy the book and a few hours to read it!