SlideShare a Scribd company logo

Physical Security - Why Your Business Needs It

Download as PPTX, PDF
Terra Verde
Terra Verde

This document discusses the importance of physical security (PhySec) programs. It defines PhySec as measures that protect people, property, and assets from harm, unauthorized access, and theft. Effective PhySec deters crimes through deterrence, active monitoring, delaying intruders, responding to incidents, and quick recovery. Sound PhySec programs incorporate many elements like access controls, surveillance, alarms, and response plans. To implement PhySec properly, an organization must understand its threats, vulnerabilities, assets, costs, and business needs. Both overt and covert security measures working together provide the best protection.

Technology
1 of 25
PHYSICAL SECURITY A Primer and Story of Why it’s Necessary
What Is PhySec? • Physical Security consists of physical, logical and design measures which protect people, physical property and other assets from harm, unauthorized access, usage, tampering, and theft. 1
Why Is PhySec Needed? • Physical Security is put in place to help prevent – more accurately, to deter – crimes of opportunity as well as safeguard life. • PhySec can also complement mitigating business liability by applying controls to known areas of possible physical risk. 2
Characteristics of a Sound PhySec Program • Physical Security can consist of many different elements which directly or indirectly address areas of perceived risk. • Common elements of Physical Security Programs include: • Deterrence • Active detection and monitoring • Delay progress of criminal or other unwanted behavior • Incident response to alarms, alerts or attacks • Recover business or operational status as quickly as possible following an incident 3
Characteristics of PhySec • Deterrence • PhySec controls build in deterrence as preventative measure. Deterrence is the initial attempt to thwart unwanted behaviors to include criminal activities through out the facility(s) being safeguarded. • Active detection and monitoring • Active detection and monitoring can be viewed as overt, or intended to be seen, and covert or concealed. Monitoring is designed to provide early warning of possible security events, evidentiary value used for criminal or civil proceedings. 4
Characteristics of PhySec • Delay • Delaying controls help limit or slow the progress of a breach, compromise, attack or other unwanted behavior. • Incident response • Recover business or operational status as quickly as possible following an incident. • Recovery • Recover business or operational status as quickly as possible following an incident. 5
Security Requirements • To ensure the PhySec program is adequate; initial requirements should be outlined in order to better understand where to prioritize resources, budget and time. 6
Security Requirements 1.) Determine applicable threats or risks. • Identify applicable threats and risks associated with the organization to include proximity to the organization. • Ensure risk assessments take into account: o Surrounding businesses o Local infrastructures o Geographic areas of interest o Local environmental conditions o Geopolitical climate 7
Security Requirements 2.) Assess vulnerabilities which could allow threats or risks to affect personnel or operations. • Once threats and risks have been identified; investigate and understand how those threats and risks, if capitalized on, would affect the organization. • Ensure PhySec controls are appropriate for the identified vulnerabilities. 8
Security Requirements 3.) Compile a list of assets with associated value • List should indicate value, the value of the asset will be used in determining resources available. Life is of utmost value and inherently priceless. Protection of life is THE top priority. • Value is not always a monetary figure. Value can include the organizations commitment to availability and critical services provided by the organization. 9
Security Requirements 4.) What if scenarios - Examine and plan for failures in the PhySec plan. • Determine what the impact will be when PhySec controls fail. 10
Security Requirements 5.) Determine cost of security vs. actual cost of asset to be safeguarded • Cost of PhySec controls aren’t always black and white. • Cost of equipment • Cost of installation • Cost of training • Cost of liability for not having or having enough PhySec in place 11
Security Requirements 6.) Ensure installation and maintenance considerations are taken into account. • Installation of PhySec controls can itself introduce security gaps. • Reliance on temporary PhySec equipment vs. long term equipment may save money initially but may incur extra expenditures to maintain for long periods of time. • Evaluate short term vs. long term needs and plan accordingly appropriate installation and support contracts. 12
Security Requirements 7.) Ensure PhySec implementations are complementary to business operations. • PhySec systems must adapt to the organization. Different times or shifts may have different PhySec requirements. • PhySec should meet the organizations requirements while minimizing the impact on daily business. • PhySec which is too overly cumbersome will not be utilized to the fullest by the organization. 13
Security Requirements 8.) Security should include seen and unseen measures which provide overall PhySec safeguards. • PhySec which is seen provides an initial deterrent. • • Some deterrents are meant to be seen as to provide misdirection or obfuscate covert PhySec controls. • Overt PhySec controls often times provide organizational employees with a sense of security. • Covert PhySec controls should work in a complementary manner with overt controls. 14
Security Requirements 9.) Simplify PhySec controls in order to lesson human error. • Ensure that staff and security personnel have sufficient training in order to safely and efficiently operate the organizations security apparatus. 15
Security Requirements 10.) PhySec controls are a long-term commitment; ensure PhySec takes into account future growth. • Take into account physical changes or additions to the organizations structure. • Licensing considerations for PhySec software controls. 16
Changing The Mindset • PhySec is the implementation of an organization's active response to areas of assessed risk. • PhySec should not be a hurdle or roadblock, rather it should be used to help shape and modify behaviors. 17
Changing The Mindset • Often times Information Security and Physical Security officers are seen as the office of “NO”. Implementation of appropriate PhySec controls which support the business and its customers is a critical balancing act. • Too little PhySec exposes the business to elevated risks. • Too much PhySec creates business obstacles which can impact productivity and profitability. 18
Incidents PhySec Should Address • Incidents PhySec programs should address through logical, physical and design controls: • Policy / Procedure violations • Natural disasters • Rogue or trusted insider risks • Workplace violence • Unauthorized entry / Trespassers • Criminal acts internal / external • Industrial disasters • Civil disturbances • Terrorism 19
Case Study – Large National Bank • This stuff happens to the big guys as well… • Services provided around the country • National branch and service location footprint • Retail and commercial services • Mortgage services • Merchant services • E-banking • Growth primarily through acquisition
Case Study – Large National Bank • “Great Candy” for attackers… • Hard outer shell…Great Perimeter network security • Banner replacements for open ports • Outsourced web services to well known, SSAE16 backed companies • Proxy server in place for staff to utilize when connecting out
Case Study – Large National Bank • “Great Candy” for attackers… • Soft, chewy center…Terrible internal and physical security • Open network between lines of business • Complete lack of physical security controls • Mortgage service centers in particular • Examples to follow
Case Study – Large National Bank • Physical controls were leveraged against the bank’s information • To “great” results for the attacker • We infiltrated EVERY physical location without breaking a sweat • Branches included • We were able to gather client and employee data right from the desks of the information owners • Offered lunch in one facility • Terrible results for the bank…
THANK YOU! Questions? edward.vasko@tvrms.com Office: 480-840-1744 info@TVRMS.com http://www.TVRMS.com

Recommended

Code of practice for physical security systems in banks
Code of practice for physical security systems in banksCode of practice for physical security systems in banks
Code of practice for physical security systems in banks
Samer Al Basha
 
Practical Application of Physical Security Criteria
Practical Application of Physical Security CriteriaPractical Application of Physical Security Criteria
Practical Application of Physical Security Criteria
Scott L Weiland PE
 
6 Physical Security
6 Physical Security6 Physical Security
6 Physical Security
Alfred Ouyang
 
Corporate security pdf
Corporate security pdfCorporate security pdf
Corporate security pdf
G3 intelligence Ltd
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
Alfred Ouyang
 
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses LinkedinCorporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Steve Phelps
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
Jonathan Coleman
 

Recommended

Code of practice for physical security systems in banks
Code of practice for physical security systems in banksCode of practice for physical security systems in banks
Code of practice for physical security systems in banks
Samer Al Basha
 
Practical Application of Physical Security Criteria
Practical Application of Physical Security CriteriaPractical Application of Physical Security Criteria
Practical Application of Physical Security Criteria
Scott L Weiland PE
 
6 Physical Security
6 Physical Security6 Physical Security
6 Physical Security
Alfred Ouyang
 
Corporate security pdf
Corporate security pdfCorporate security pdf
Corporate security pdf
G3 intelligence Ltd
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
Alfred Ouyang
 
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses LinkedinCorporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Steve Phelps
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
Jonathan Coleman
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
12 security policies
12 security policies12 security policies
12 security policies
Saqib Raza
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
jemtallon
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
Ashley Deuble
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
Faheem Ul Hasan
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
Thomas Christopher Ty
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOC
Fuad Khan
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
Priyank Hada
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
Alfred Ouyang
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk management
Dr. Lasantha Ranwala
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
Health information secuirty session 5 best practise in information security
Health information secuirty session 5 best practise in information securityHealth information secuirty session 5 best practise in information security
Health information secuirty session 5 best practise in information security
Dr. Lasantha Ranwala
 
Security audit
Security auditSecurity audit
Security audit
Rahul Bhargava
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 
3 Telecom+Network Part1
3 Telecom+Network Part13 Telecom+Network Part1
3 Telecom+Network Part1
Alfred Ouyang
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Introduction to biometric systems security
Introduction to biometric systems securityIntroduction to biometric systems security
Introduction to biometric systems security
Self
 
Security training for sis
Security training for sisSecurity training for sis
Security training for sis
chiranjib mukherjee
 

More Related Content

What's hot

CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
jemtallon
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOC
Fuad Khan
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
Priyank Hada
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 

What's hot (20)

1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
 
12 security policies
12 security policies12 security policies
12 security policies
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOC
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
 
Physical security
Physical securityPhysical security
Physical security
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk management
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
 
Health information secuirty session 5 best practise in information security
Health information secuirty session 5 best practise in information securityHealth information secuirty session 5 best practise in information security
Health information secuirty session 5 best practise in information security
 
Security audit
Security auditSecurity audit
Security audit
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
3 Telecom+Network Part1
3 Telecom+Network Part13 Telecom+Network Part1
3 Telecom+Network Part1
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 

Viewers also liked

Module 10 Physical Security
Module 10 Physical SecurityModule 10 Physical Security
Module 10 Physical Security
leminhvuong
 
Security training module
Security training moduleSecurity training module
Security training module
pagare_c
 

Viewers also liked (18)

Introduction to biometric systems security
Introduction to biometric systems securityIntroduction to biometric systems security
Introduction to biometric systems security
 
Security training for sis
Security training for sisSecurity training for sis
Security training for sis
 
Sop for security
Sop for securitySop for security
Sop for security
 
SOP of Security supervisor
SOP of Security supervisorSOP of Security supervisor
SOP of Security supervisor
 
New Product Development - [Net Technologies]
New Product Development - [Net Technologies]New Product Development - [Net Technologies]
New Product Development - [Net Technologies]
 
Network ESC - Presentation Slide Show 2016
Network ESC - Presentation Slide Show 2016Network ESC - Presentation Slide Show 2016
Network ESC - Presentation Slide Show 2016
 
France cyber security
France cyber securityFrance cyber security
France cyber security
 
TAC by Schneider Electric Corporate Presentation
TAC by Schneider Electric Corporate PresentationTAC by Schneider Electric Corporate Presentation
TAC by Schneider Electric Corporate Presentation
 
Selling Solutions Using a Compelling Value Proposition
Selling Solutions Using a Compelling Value PropositionSelling Solutions Using a Compelling Value Proposition
Selling Solutions Using a Compelling Value Proposition
 
Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
 
2015 Year to Date Security Trends
2015 Year to Date Security Trends2015 Year to Date Security Trends
2015 Year to Date Security Trends
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business Experience
 
Module 10 Physical Security
Module 10 Physical SecurityModule 10 Physical Security
Module 10 Physical Security
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
Security Consulting Services
Security Consulting ServicesSecurity Consulting Services
Security Consulting Services
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Security training module
Security training moduleSecurity training module
Security training module
 
Bio-metrics Technology
Bio-metrics TechnologyBio-metrics Technology
Bio-metrics Technology
 

Similar to Physical Security - Why Your Business Needs It

The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
Conference Panel
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
Empired
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
Anne Starr
 
Cybersecurity-Real World Approach FINAL 2-24-16
Cybersecurity-Real World Approach FINAL 2-24-16Cybersecurity-Real World Approach FINAL 2-24-16
Cybersecurity-Real World Approach FINAL 2-24-16
James Rutt
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
Ram Srivastava
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
Intergen
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 

Similar to Physical Security - Why Your Business Needs It (20)

Mandatory requirements for physical security 2
Mandatory requirements for physical security 2Mandatory requirements for physical security 2
Mandatory requirements for physical security 2
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
The Top 10 Steps to a Successful HIPAA Risk Assessment in 2023
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
DDHI Board Report.ppsx
DDHI Board Report.ppsxDDHI Board Report.ppsx
DDHI Board Report.ppsx
 
Trofi Security Service Catalogue (1)
Trofi Security Service Catalogue (1)Trofi Security Service Catalogue (1)
Trofi Security Service Catalogue (1)
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
Cybersecurity-Real World Approach FINAL 2-24-16
Cybersecurity-Real World Approach FINAL 2-24-16Cybersecurity-Real World Approach FINAL 2-24-16
Cybersecurity-Real World Approach FINAL 2-24-16
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
 
Security-Brochure
Security-BrochureSecurity-Brochure
Security-Brochure
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Physical Security - Why Your Business Needs It

  • 1. PHYSICAL SECURITY A Primer and Story of Why it’s Necessary
  • 2. What Is PhySec? • Physical Security consists of physical, logical and design measures which protect people, physical property and other assets from harm, unauthorized access, usage, tampering, and theft. 1
  • 3. Why Is PhySec Needed? • Physical Security is put in place to help prevent – more accurately, to deter – crimes of opportunity as well as safeguard life. • PhySec can also complement mitigating business liability by applying controls to known areas of possible physical risk. 2
  • 4. Characteristics of a Sound PhySec Program • Physical Security can consist of many different elements which directly or indirectly address areas of perceived risk. • Common elements of Physical Security Programs include: • Deterrence • Active detection and monitoring • Delay progress of criminal or other unwanted behavior • Incident response to alarms, alerts or attacks • Recover business or operational status as quickly as possible following an incident 3
  • 5. Characteristics of PhySec • Deterrence • PhySec controls build in deterrence as preventative measure. Deterrence is the initial attempt to thwart unwanted behaviors to include criminal activities through out the facility(s) being safeguarded. • Active detection and monitoring • Active detection and monitoring can be viewed as overt, or intended to be seen, and covert or concealed. Monitoring is designed to provide early warning of possible security events, evidentiary value used for criminal or civil proceedings. 4
  • 6. Characteristics of PhySec • Delay • Delaying controls help limit or slow the progress of a breach, compromise, attack or other unwanted behavior. • Incident response • Recover business or operational status as quickly as possible following an incident. • Recovery • Recover business or operational status as quickly as possible following an incident. 5
  • 7. Security Requirements • To ensure the PhySec program is adequate; initial requirements should be outlined in order to better understand where to prioritize resources, budget and time. 6
  • 8. Security Requirements 1.) Determine applicable threats or risks. • Identify applicable threats and risks associated with the organization to include proximity to the organization. • Ensure risk assessments take into account: o Surrounding businesses o Local infrastructures o Geographic areas of interest o Local environmental conditions o Geopolitical climate 7
  • 9. Security Requirements 2.) Assess vulnerabilities which could allow threats or risks to affect personnel or operations. • Once threats and risks have been identified; investigate and understand how those threats and risks, if capitalized on, would affect the organization. • Ensure PhySec controls are appropriate for the identified vulnerabilities. 8
  • 10. Security Requirements 3.) Compile a list of assets with associated value • List should indicate value, the value of the asset will be used in determining resources available. Life is of utmost value and inherently priceless. Protection of life is THE top priority. • Value is not always a monetary figure. Value can include the organizations commitment to availability and critical services provided by the organization. 9
  • 11. Security Requirements 4.) What if scenarios - Examine and plan for failures in the PhySec plan. • Determine what the impact will be when PhySec controls fail. 10
  • 12. Security Requirements 5.) Determine cost of security vs. actual cost of asset to be safeguarded • Cost of PhySec controls aren’t always black and white. • Cost of equipment • Cost of installation • Cost of training • Cost of liability for not having or having enough PhySec in place 11
  • 13. Security Requirements 6.) Ensure installation and maintenance considerations are taken into account. • Installation of PhySec controls can itself introduce security gaps. • Reliance on temporary PhySec equipment vs. long term equipment may save money initially but may incur extra expenditures to maintain for long periods of time. • Evaluate short term vs. long term needs and plan accordingly appropriate installation and support contracts. 12
  • 14. Security Requirements 7.) Ensure PhySec implementations are complementary to business operations. • PhySec systems must adapt to the organization. Different times or shifts may have different PhySec requirements. • PhySec should meet the organizations requirements while minimizing the impact on daily business. • PhySec which is too overly cumbersome will not be utilized to the fullest by the organization. 13
  • 15. Security Requirements 8.) Security should include seen and unseen measures which provide overall PhySec safeguards. • PhySec which is seen provides an initial deterrent. • • Some deterrents are meant to be seen as to provide misdirection or obfuscate covert PhySec controls. • Overt PhySec controls often times provide organizational employees with a sense of security. • Covert PhySec controls should work in a complementary manner with overt controls. 14
  • 16. Security Requirements 9.) Simplify PhySec controls in order to lesson human error. • Ensure that staff and security personnel have sufficient training in order to safely and efficiently operate the organizations security apparatus. 15
  • 17. Security Requirements 10.) PhySec controls are a long-term commitment; ensure PhySec takes into account future growth. • Take into account physical changes or additions to the organizations structure. • Licensing considerations for PhySec software controls. 16
  • 18. Changing The Mindset • PhySec is the implementation of an organization's active response to areas of assessed risk. • PhySec should not be a hurdle or roadblock, rather it should be used to help shape and modify behaviors. 17
  • 19. Changing The Mindset • Often times Information Security and Physical Security officers are seen as the office of “NO”. Implementation of appropriate PhySec controls which support the business and its customers is a critical balancing act. • Too little PhySec exposes the business to elevated risks. • Too much PhySec creates business obstacles which can impact productivity and profitability. 18
  • 20. Incidents PhySec Should Address • Incidents PhySec programs should address through logical, physical and design controls: • Policy / Procedure violations • Natural disasters • Rogue or trusted insider risks • Workplace violence • Unauthorized entry / Trespassers • Criminal acts internal / external • Industrial disasters • Civil disturbances • Terrorism 19
  • 21. Case Study – Large National Bank • This stuff happens to the big guys as well… • Services provided around the country • National branch and service location footprint • Retail and commercial services • Mortgage services • Merchant services • E-banking • Growth primarily through acquisition
  • 22. Case Study – Large National Bank • “Great Candy” for attackers… • Hard outer shell…Great Perimeter network security • Banner replacements for open ports • Outsourced web services to well known, SSAE16 backed companies • Proxy server in place for staff to utilize when connecting out
  • 23. Case Study – Large National Bank • “Great Candy” for attackers… • Soft, chewy center…Terrible internal and physical security • Open network between lines of business • Complete lack of physical security controls • Mortgage service centers in particular • Examples to follow
  • 24. Case Study – Large National Bank • Physical controls were leveraged against the bank’s information • To “great” results for the attacker • We infiltrated EVERY physical location without breaking a sweat • Branches included • We were able to gather client and employee data right from the desks of the information owners • Offered lunch in one facility • Terrible results for the bank…