Security: Physical Security & Awareness - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Security policy training and procedures
  • Role-based training
    • Training based on job roles and organizational responsibilities.
    • Usually in addition to general training for basic security principles and policies.
  • Personally identifiable information
    • Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
  • Information classification
    • High
    • Medium
    • Low
    • Confidential
    • Private
    • Public
  • Data labeling, handling and disposal
  • Compliance with laws, best practices and standards
  • User habits
    • Security is most commonly breached at the end-user level.
    • Users need to be made aware of their specific security responsibilities and habits.
      • Password behaviors
      • Data handling
      • Clean desk policies
      • Prevent tailgating
      • Personally owned devices
  • New threats and new security trends/alerts
    • New viruses
    • Phishing attacks
    • Zero-day exploits
    • http://www.oracle.com/technetwork/topics/security/whatsnew/index.html
    • http://www.securityfocus.com/
    • http://www.snopes.com/
    • http://hoaxbusters.org/
    • http://vmyths.com/
  • Use of social networking and peer-to-peer (P2P)
    • Employees must be made aware of the potential threats and attacks that target social networking and P2P applications and websites.
    • Security policies should include guidelines and restrictions for users of any social networking application or website.
  • Follow up and gather training metrics to validate compliance and security posture
    • Organizations need to validate the effectiveness of their security awareness and training programs, and identify which components of those programs will have the most impact on overall security.
    • http://www.securingthehuman.org/resources/metrics
    • http://www.nist.gov/

Compare and contrast physical security and environmental controls

  • Environmental controls
    • HVAC
    • Fire suppression
    • EMI shielding
    • Hot and cold aisles
    • Environmental monitoring
    • Temperature and humidity controls
  • Physical security
    • Hardware locks
    • Mantraps
    • Video surveillance
    • Fencing
    • Proximity readers
    • Access list
    • Proper lighting
    • Signs
    • Guards
    • Barricades
    • Biometrics
    • Protected distribution (cabling)
    • Alarms
    • Motion detection
  • Control types
    • Deterrent
      • Discourage attackers from attacking in the first place
    • Preventive
      • Stop an attack before it can cause damage
    • Detective
      • Identify attacks in progress
    • Compensating
      • Support other physical controls
    • Technical
      • Hardware or software that aid in protecting physical assets
    • Administrative
      • Leverage security policies and are used to train personnel