Welcome » IT Booklets » Information Security » Security Controls Implementation » Physical And Environmental Protection » Physical Security in Distributed IT Environments
Hardware and software located in a user department are often
less secure than that located in a computer room. Distributed
hardware and software environments (e.g., local area networks or
LANs) that offer a full range of applications for small financial
institutions as well as larger organizations are commonly housed
throughout the organization, without special environmental controls
or raised flooring. In such situations, physical security
precautions are often less sophisticated than those found in large
data centers, and overall building security becomes more important.
Internal control procedures are necessary for all hardware and
software deployed in distributed, and less secure, environments.
The level of security surrounding any hardware and software should
depend on the sensitivity of the data that can be accessed, the
significance of applications processed, the cost of the equipment,
and the availability of backup equipment.
Because of their portability and location in distributed
environments, personal computers (PCs) often are prime targets for
theft and misuse. The location of PCs and the sensitivity of the
data and systems they access determine the extent of physical
security required. For PCs in unrestricted areas such as a branch
lobby, a counter or divider may provide the only barrier to public
access. In these cases, institutions should consider securing PCs
to workstations, locking or removing disk drives and unnecessary
physical ports, and using screensaver passwords or automatic
timeouts. Employees also should have only the access to PCs and
data they need to perform their job. The sensitivity of the data
processed or accessed by the computer usually dictates the level of
control required. The effectiveness of security measures depends on
employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However,
as with larger systems, PCs are sensitive to environ mental factors
such as smoke, dust, heat, humidity, food particles, and liquids.
Because they are not usually located within a secure area, policies
should be adapted to provide protection from ordinary
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause
equipment damage or loss of data. PCs in environments that generate
static electricity are susceptible to static electrical discharges
that can cause damage to PC components or memory.
Physical security for distributed IT, particularly LANs that are
usually PC-based, is slightly different than for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IT environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire-transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network
workstations or PCs should be password protected and monitored for
Network wiring requires some form of protection since it does
not have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Network security also can be compromised through the capture of
radio frequency emissions. Frequency emissions are of two types,
intentional and unintentional. Intentional emissions are those
broadcast, for instance, by a wireless network. Unintentional
emissions are the normally occurring radiation from monitors,
keyboards, disk drives, and other devices. Shielding is a primary
control over emissions. The goal of shielding is to confine a
signal to a defined area. An example of shielding is the use of
foil-backed wallboard and window treatments. Once a signal is
confined to a defined area, additional controls can be implemented
in that area to further minimize the risk that the signal will be
intercepted or changed.