Personnel and Physical Security in Information Assurance

Personnel Security

Processes and procedures are needed to protect personnel security, as Jacobs (2015) points out. Employee responsibilities need to be defined, and the employee must qualify for the role, so that the risk of theft, fraud, or misuse of assets by the employee is reduced. An excellent example of checking personnel security or identities occurs in businesses that do work on behalf of the government. Each employee, visitor, supplier, and anyone else who interacts with the organization is required to have their identity checked and verified. In some cases, foreign personnel are unable to participate in specific meetings or to conduct business in various parts of the building because of the sensitive nature of the information handled and discussed. The organization's security policies and procedures identify what personnel can and cannot do, including termination or disciplinary action taken for any wrongdoing, as discussed by Jacobs (2015). Regular training by the organization is required to be sure team members are up to date with the regulations and constraints that need to be followed.

At the time of employment, as Jacobs (2015) describes, a job description that is already in place is provided to the employee, and the terms and conditions of the employment should be provided as defined by the human resources, compliance, and legal teams. The job description should include any security roles and responsibilities required of the job candidate. A background check and drug test should also be conducted before taking on a candidate for employment, which will identify any past or existing issues with the candidate. If the candidate is hired, the employment contract and nondisclosure agreement should be completed before any organizational assets are provided to the new employee.

Physical and Environmental Security

An asset that is owned by the business or organization should be housed in a space that has defined security perimeters and contains suitable security barriers and entry systems that protect assets from unapproved admittance, destruction, and meddling, as described by Jacobs (2015). Physical security is the fundamental aspect of protection, as described by Fennelly (2013). Physical controls are used to protect a premise, site, facility, or building. Applying the physical security model means using layers of physical protective measures to prevent unauthorized access. Depending on the protection needed for the building, the outer layer may be a fence or even a wall at the edge of the property line. This outer layer could also be a natural barrier such as a lake or river, as Fennelly (2013) points out. Fences and ponds are examples of the first layer of security in the physical security model. The grounds of a building can provide a clear zone, an unobstructed observation area that can be monitored for disruptions or risks before they get to the building. Roads in the building complex allow employees and customers to arrive but also carry a risk of allowing unauthorized personnel access to the facility. Private roads on the facility, as described by Fennelly (2013), allow much more control than a public road. Other examples of the outer layer include the parking area, the type of lighting implemented outside on the grounds, and surveillance tools and alarms. All of these make up the physical security model, which may already be in place when moving into a facility or needs to be planned when working with the architects on a new building.

A layer of physical security within the building, as discussed by Jacobs (2015), is having personnel wear issued badges and requiring that the badges be swiped on arrival and departure and for access to approved secure areas. Contractors, visitors, and business partners on site should also be required to display corporate badges while at the facility.

Physical security should also take environmental events into account. Examples of environmental events are earthquakes, fires, floods, or explosions, as described by Jacobs (2015). Physical protection of equipment is also essential. Examples are electrical, heating and air conditioning, and cabling, as Jacobs (2015) points out. The organization should protect itself against physical and environmental events so that, if either occurs, the damage is limited.

References

Fennelly, L. J. (2013). Effective physical security (4th ed.). Waltham, MA: Butterworth-Heinemann/Elsevier.

Jacobs, S. (2016). Engineering information security: The application of systems engineering concepts to achieve information assurance (2nd ed.). Hoboken, NJ: Wiley-IEEE Press. Retrieved from https://www.wiley.com/en-us/Engineering+Information+Security%3A+The+Application+of+Systems+Engineering+Concepts+to+Achieve+Information+Assurance%2C+2nd+Edition-p-9781119101604
