Answer to Tutorial 11 Information Security

1. What is physical security? Answer: Physical security addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization. This means the physical protection of the people, hardware, and the supporting system elements and resources associated with the management of information in all its states: transmission, storage, and processing. 2. How do the roles of IT, security, and general management dier with regard to physical security? Answer: Physical security is designed and implemented in several layers. Each community of interest in the organization is responsible for components within these layers. General management: Responsible for the security of the facility in which the organization is housed and the policies and standards for secure operation. This includes exterior security, building access, as well as other controls. IT management and professionals: Responsible for environmental and access security in technology equipment locations and for the policies and standards of secure equipment operation. This includes access to server rooms, server room temperature and humidity controls. Information security management and professionals: Perform risk assessments and implementation reviews for the physical security controls implemented by the other two groups. 3. How does physical access control dier from logical access control? Answer: Physical access control refers to the countermeasures aiming at protecting the physical resources of an organization (people, hardware, supporting system elements, and resources associated with the management of information in all its states). Logical access control refers to the countermeasures aiming at protecting the critical information that, a potential attacker, could steal without having to physically access the devices storing that kind of information. Logical access controls are mainly technology-based controls (rewalls, intrusion detection systems, and monitoring software).

4. Dene a secure facility. What is the primary objective of designing such a facility? Answer: A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats. The primary objective of designing such a facility is to ensure physical security in that facility in order to protect the physical resources of the organization. 5. Why are guards considered the most eective control for situations that require human reasoning? When should dogs be used for physical security? Answer: They are the only control discussed where human intellect is online to be applied to the problems being faced. Dogs are useful when keen senses are needed within a controlled setting. 6. What are the two possible modes that locks use when they fail? What implications does this have for human safety? In which situation is each preferred? Answer: Fail-safe and fail-secure. Fail-secure locks will be unable to be opened in the event of failure and human safety could be compromised in the event of a life-safety emergency. Whenever humans can be trapped inside, fail-safe locks are required. 7. What is the most common form of alarm? What does it detect? What types of sensors are commonly used in this type of alarm system? Answer: The most common form of alarm is the burglar alarm. Burglar alarms detect an intrusion. 2

The types of sensors they use are motion, glass breakage, weight and contact sensors. 8. Describe a physical rewall that is used in buildings. List the reasons you can think of for why an organization might need a rewall for physical security controls. Answer: A rewall is an interior wall constructed of non-combustible materials that extends to the ceiling height to prevent the spread of re. Computer rooms and wiring closets should be compartmentalized between rewalls to prevent re damage and intrusion. Firewalls help to prevent intrusion because they do block areas in the plenum that are not blocked by normal walls. 9. What is considered the most serious threat within the realm of physical security? Why is it valid to consider this threat the most serious? Answer: Fire. More losses come from this threat than all others combined. 10. List and describe the four classes of re described in the text. Does the class of the re dictate how to control the re? Answer:

(i) Class A Fires that involve ordinary combustible fuels such as wood, paper, textiles, rubber, cloth, and trash. Class A res are extinguished by agents that interrupt the ability of the fuel to be ignited. Water and multipurpose dry chemical re extinguishers are ideal for these types of res. (ii) Class B res fueled by combustible liquids or gases, such as solvents, gasoline, paint, lacquer, and oil. Class B res are extinguished by agents that remove oxygen from the re. Carbon dioxide, multipurpose dry chemical re extinguishers, and halon re extinguishers are ideal for these types of res. (iii) Class C Fires with energized electrical equipment or appliances. Class C res are extinguished with agents that must be non-conducting. Carbon dioxide, multipurpose dry chemical re extinguishers, and halon re extinguishers are ideal for these types of res.

(iv) Class D Fires fueled by combustible metals, such as magnesium, lithium, and sodium. Fires of this type require specials extinguishing agents and techniques. 11. List and describe the four primary types of UPS (Uninterruptible Power Supplies) systems. Answer: For basic congurations of UPS are: (i) A standby or oine UPS, which is an oine batter backup that detects the interruption of power to the power equipment; (ii) A ferroresonant standby UPS, which is also an oine UPS that provides power through electrical service and uses the UPS as a battery backup; (iii) The line-interactive UPS, which also uses a battery backup as source of power but generates power through inverters and converters inside the model; and (iv) The true online UPS, which works in the opposite fashion to a standby UPS since the primary power source is the battery. 12. List and describe the three fundamental ways that data can be intercepted. Answer: Three methods of data interception are: (i) Direct observation, which requires close enough distance between an individual and the information to breach condentiality; (ii) interception of data transmission, which can be done in several ways such as through snier software or tapping into a LAN; and (iii) electromagnetic interception, which occurs when an individual eavesdrop on electromagnetic signals that move through cables.