Online Book Reader


CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [14]

to be flawless from the moment it is released until the next version comes out three years later. The following sections discuss in detail the aspects you must consider in order to have a reasonable chance of securing your information, networks, and computers. Make sure you understand that I’m always talking about reasonable.

One of the first things you must develop as a security administrator is a bit of paranoia. It’s important to remember that you’re dealing with both system vulnerabilities and human vulnerabilities—although they aren’t the same, they both affect the organization significantly. You must assume that you’re under attack right now, even as you read this book.

Information security includes a number of topics of primary focus, each addressing different parts of computer security. An effective computer security plan and process must evaluate the risks and create strategies and methods to address them. The following sections focus on three such areas:

■ Physical security

■ Operational security

■ Management and policies

Each of these areas is vital to ensure security in an organization. You can think of information security as a three-legged stool: If any one of the legs of your stool breaks, you’ll fall down and hurt yourself. You must look at the overall business and address all the issues that business faces concerning computer security. Figure 1.1 shows how these three components of computer security interact to provide a reasonably secure environment.

FIGURE 1.1 The security triad

Part of your job is to make recommendations to management about needs and deficiencies; to take action to minimize the risks and exposure of your information and systems; and to establish, enforce, and maintain the security of the systems with which you work. This is not a small task, and you must do each and every one of these tasks well in order to have a reasonable chance of maintaining security in your organization.

Securing the Physical Environment

Physical security, as the name implies, involves protecting your assets and information from physical access by unauthorized persons. In other words, you’re trying to protect items that can be seen, touched, and stolen. Threats often present themselves as service technicians, janitors, customers, vendors, or even employees. They can steal your equipment, damage it, or take documents from offices, garbage cans, or filing cabinets. Their motivation may be retribution for some perceived misgiving, a desire to steal your trade secrets to sell to a competitor as an act of vengeance, or just greed. They might steal $1,000 worth of hardware that they can sell to a friend for a fraction of that and have no concept of the value of the data stored on the hardware.

Physical security is relatively easy to accomplish. You can secure facilities by controlling access to the office, shredding unneeded documents, installing security systems, and limiting access to sensitive areas of the business. Most office buildings provide perimeter and corridor security during unoccupied hours, and it isn’t difficult to implement commonsense measures during occupied hours as well. Sometimes just having a person present—even if it’s a guard who spends most of their time sleeping—can be all the deterrent needed to prevent petty thefts.

Many office complexes also offer roving security patrols, multiple lock access control methods, and electronic or password access. Typically, the facility managers handle these arrangements. They won’t generally deal with internal security as it relates to your records, computer systems, and papers; that is your responsibility in most situations.

The first component of physical security involves making a physical location less tempting as a target. If the office or building you’re in is open all the time, gaining entry into a business in the building is easy. You must prevent people from seeing your organization as a tempting target. Locking doors and installing surveillance or alarm systems can make a physical location a less desirable target. You can
