Logical and Physical Security

Submitted By merital
Words 1624
Pages 7
Until now, the majority of organizations have run their physical and logical access systems as independent structures, each managed by a totally separate department. The information technology security system, which controls access to information technology infrastructure including mail servers, the internet, database applications and web servers, was managed by the department of information technology. The physical security system, which incorporates door access into buildings, life-support systems such as CCTV and fire, and the employee badging process, was run by the department of facilities (Mehdizadeh, Y, 2003).
Currently, security operations involve guarding buildings and equipment in addition to protecting networks, handling privacy issues, and managing risk. The interrelation between these aspects of security necessitates consolidation of the two security systems. Such a convergence of the IT and physical security functions is important in achieving an efficient security system (Mehdizadeh, Y, 2003). However, such an operation also comes with disadvantages.
This paper looks at the pros and cons of combining the IT and physical security functions in a medium to large-size firm with complex IT system requirements and a global footprint. It also analyzes the fundamental components of an IT security system and explains how their integration supports and enhances the overall security profile of the organization.
Combining logical and physical security systems has several benefits. One benefit of the convergence is improved efficiency. Managing an employee's entire set of credentials enables the enterprise to control the time he or she was badged, the facilities and systems they can access, and the events that take place when the employee is transferred, is terminated or leaves (Slater, D, 2005). Using one data repository means that data entered into the system once is reproduced throughout the entire organization. This enables common administration of users, credentials and privileges across both the physical and the IT fields, which means less effort and a reduced chance of omissions or oversights when an employee leaves, is contracted or has a change of access permission (Schultz, E. E., 2007, p. 83).
Another advantage of this convergence is reduced cost. A combined security system abolishes the necessity of local security guards; instead, guards can monitor the entire security system from a central location. Burglar alarms are monitored from the same central location, obviating the need for contracts with outside third parties (Slater, D, 2009). Video is also recorded on server disks rather than on digital video recorders, which are far more expensive. Eliminating the local guards and moving security and burglar-alarm monitoring in-house saves a lot of money (Slater, D, 2009).
The system's audit trail is yet another important benefit of the convergence. This audit trail can be greatly helpful in forensic investigations. For instance, in a security event, a detailed security log shows the computer that was used, the password and username, and the person who had access to the building. Moreover, a centralized data repository is helpful for real-time systems monitoring (Mehdizadeh, Y, 2003).
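The audit-trail benefit described above can be made concrete with a small correlation check. This is an added example, not part of the original essay: it merges badge and login records into one timeline and flags console logins by users who have no current granted entry into the building. The log formats, field names, user names and host names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed format):
# timestamp user location action result
BADGE_LOG = """\
2024-03-04T08:02:11 alice HQ-LOBBY IN granted
2024-03-04T08:05:40 bob HQ-LOBBY IN granted
2024-03-04T12:01:03 bob HQ-LOBBY OUT granted
2024-03-04T13:15:27 carol HQ-LOBBY IN denied
"""

LOGIN_LOG = """\
2024-03-04T08:10:52 alice HQ-WS-014 console success
2024-03-04T12:40:19 bob HQ-WS-022 console success
2024-03-04T13:20:05 carol HQ-WS-031 console success
2024-03-04T14:00:00 alice VPN-GW remote success
"""


def parse(log, kind):
    """Turn one log into a list of event dicts tagged as 'badge' or 'login'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, where, action, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "where": where,
            "action": action,
            "result": result,
            "kind": kind,
        })
    return events


def merged_timeline(badge_events, login_events):
    """Single chronological audit trail across both systems."""
    return sorted(badge_events + login_events, key=lambda e: e["ts"])


def find_unbadged_logins(timeline, max_presence=timedelta(hours=12)):
    """Flag successful console logins where the user is not known to be inside.

    A user counts as inside after a granted IN and until a granted OUT,
    or until max_presence has elapsed (a missed OUT swipe should not
    vouch for the user indefinitely).
    """
    inside = {}    # user -> time of last granted entry with no later exit
    findings = []
    for e in timeline:
        if e["kind"] == "badge":
            if e["result"] != "granted":
                continue               # denied swipes do not change presence
            if e["action"] == "IN":
                inside[e["user"]] = e["ts"]
            elif e["action"] == "OUT":
                inside.pop(e["user"], None)
        elif e["action"] == "console" and e["result"] == "success":
            entered = inside.get(e["user"])
            if entered is None or e["ts"] - entered > max_presence:
                findings.append((e["ts"].isoformat(), e["user"], e["where"]))
    return findings


if __name__ == "__main__":
    timeline = merged_timeline(parse(BADGE_LOG, "badge"), parse(LOGIN_LOG, "login"))
    for ts, user, host in find_unbadged_logins(timeline):
        print(f"{ts} console login by {user} on {host} without a current badge entry")
```

A finding is a lead for investigation rather than proof of misuse: the same pattern appears when someone follows a colleague through a door without swiping.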
Another benefit of this consolidation is the development of the corporate badge, which is a form of common identity used in corporate mergers. This badge provides "global roaming", in which one card enables access to all facilities worldwide in accordance with the granted authorization (Mehdizadeh, Y, 2003).
The convergence also gives the organization a much more versatile staff. This is because the system enables cross-training of the agents in an organization, making them aware of fields that were previously outside their job categories. Employees who are assigned to certain projects become cross-trained while doing the job. This improves security and response time and enables staff to cover for each other, lowering staffing costs and giving team members better career opportunities (Slater, D, 2009).
The convergence of IT and physical security systems also comes with disadvantages. One such disadvantage is that the security system requires knowledge beyond the domain of security. Most of the elements necessary for integrating logical security systems have complex setup and configuration steps that have to be carried out by a knowledgeable individual. Security departments must therefore rely on IT departments for assistance with several aspects of security projects. However, there is a big communication gap, since the personnel of each department lack knowledge of the other department's domain. Solving this problem is difficult because of the fear of losing control or power to the other department (Schultz, E. E., 2007, p. 84).
Another disadvantage of consolidating the security systems is the complexity that arises because they offer several non-security benefits. Delivering these newly introduced benefits throughout an organization requires extending elements of the information technology and physical security infrastructure to non-security purposes. This complicates procurement, budgeting, deployment and the systems' ongoing use. It also greatly expands privacy issues (Schultz, E. E., 2007, p. 84).
The high cost of combining the two security systems is also a significant setback. Many organizations may lack adequate capital to carry out the necessary steps in consolidating IT and physical access systems, and an effort to do so may reduce performance in other sectors of the organization due to financial constraints.
A logical security system is made up of the following key elements:
User IDs - these are also known as user names, logins or accounts. They are distinctive personal identifiers used by a computer program's agents where the program can be accessed by two or more users. The identifiers are built from short sequences of numeric and alphabetic characters, and they are either chosen by or assigned to the computer's users (Kovari, P, 2005).
Authentication - this is the procedure employed by a computer program or network to check a user's identity. Blind credentials carry no identity but can still access the system. Identity confirmation is important to access control, a concept that grants access to authorized users and denies it to unauthorized users (Kovari, P, 2005).
Biometric authentication - this is the measurement of behavioral or physiological features of users to confirm their identity. The physiological aspects used are hand measurements, facial patterns, fingerprints, voice patterns, irises and retina scans. As an agent registers, some characteristics are captured and processed numerically. The resulting value enters a database, and the features of a user who later attempts to authenticate have to match the stored characteristics to within some given minimum error rate. The behavioral aspects used are speaker recognition, typing pattern recognition, signature recognition and gait recognition (Mehdizadeh, Y, 2003). When one registers with a system, some of their physiological features are captured and processed by a statistical algorithm. The resulting value is then placed in a database, such that anyone who tries to match the stored characteristics has to match them to within some minimum accepted error rate (Kovari, P, 2005).
Physical keys - these are objects used to verify the identity of the person holding them. They include metallic keys used for unlocking computers, hardware devices plugged into computers so that they can run certain programs, and smart cards with an embedded microprocessor or memory (Kovari, P, 2005).
When these components are integrated into the security system, they work together with the services that grant access to company IT resources, for example database permissions, connectivity to the internet, access to the web, and e-mail. Authentication is then used to grant access to the resources, relying on directories and access control policies to determine who can access which resources (Mehdizadeh, Y, 2003).
The IT and physical security systems interact using infrastructure services installed by the department of information technology. This, for instance, enables a door reader to be connected to a fire protection system, which is in turn tied to a CCTV system that is controlled by the physical security system. While physical security operations focus on protecting people, assets and structures as well as monitoring the movement of assets and individuals throughout the buildings, the logical access system controls access methods, monitors tenancy and perimeter intrusions, and enables security personnel to easily monitor the entire security system as a single entity (Mehdizadeh, Y, 2003). The integration of IT components into the security system of an organization thus greatly supports and enhances the organization's overall security profile.
The convergence of physical and IT security systems is beneficial to organizations, with benefits including increased efficiency, reduced cost and a more versatile staff. The convergence also has disadvantages, which include the high cost of consolidating the systems and the system's requirement for knowledge beyond the domain of security. Besides comparing the pros and cons of the convergence of physical and IT security systems, this paper has also analyzed the components of an IT security system and explained how their integration supports security operations in an organization, leading to the conclusion that integrating IT components into the security system greatly enhances the overall security profile of an organization.

Schultz, E. E. (2007). Risks due to convergence of physical security systems and information technology environments. Information Security Technical Report, 12(2), 80-84.
Kovari, P. (2005). Red Paper: WebSphere Security Fundamentals.
Mehdizadeh, Y. (2003). SANS Institute: Convergence of Logical and Physical Security.
Slater, D. (2009). Physical and IT Security Convergence: The Basics. CSO, 1-4.
