Free Essay

Logical and Physical Security

In: Business and Management

Submitted By merital
Words 1624
Pages 7
CONVERGENCE OF LOGICAL AND PHYSICAL SECURITY SYSTEMS
INTRODUCTION
Up to now, majority of organizations have their physical and logical access systems operating as independent structures, with each being run by a totally separate department. The information technology security system, which controls access to information technology infrastructure including mail servers, the internet, database applications and web servers was managed by the department of information technology. The physical security system, which incorporates door access into buildings, systems of life support such as CCTV and Fire, and the badging process of employees, was run by the department of facilities (Mehdizadeh, Y, 2003).
Currently, security operations involve the guarding of buildings and equipment in addition to protection of networks, taking care of issues of privacy, and risk management. The interrelation between the aspects of the security initiatives necessitates consolidation of the two security systems. Such a convergence of the IT and physical security functions is important in achieving an efficient security system (Mehdizadeh, Y, 2003). However, such an operation is also lined up with disadvantages.
This paper looks at the pros and cons of combining the IT and physical security functions in a medium to large-size firm with complex IT system requirements and a global footprint. It also analyzes the fundamental components of an IT security system and explains how their integration supports and enhances the overall security profile of the organization.
PROS AND CONS OF COMBINING INFORMATION TECHNOLOGY AND PHYSICAL SECURITY FUNCTIONS.
Combining logical and physical security systems has several benefits. One of the benefits of the convergence is improved efficiency. Management of an employee’s entire credentials enables the enterprise to control the time he/she was badged, the facilities and systems they can access and the events that take place when the employee is transferred, terminated or leaves (Slater, D, 2005). The use of one data repository enables data that enters the system once to be reproduced throughout the entire organization. This enables common administration for users, credentials and privileges across both the physical and the IT fields; hence less effort and reduced possibilities of omissions or oversights when an employee leaves, is contracted or gets some change of access permission(Eugene, E.E, 2007, p.83). Another advantage of this convergence is the reduction of cost. A combined security system abolishes the necessity of local security guards; rather, guards can monitor the security system throughout using a central location. From the same central location, burglar alarms are monitored, thus obviating the need for outside contracts made with other third parties (Slater, D, 2009). Video recording is also done on server disks rather than on digital video recorders, which are far much more expensive. Elimination of the guards and moving the systems used to monitor security and burglary in-house saves a lot of money (Slater, D, 2009).
The system’s audit trail is yet another important benefit of the convergence. This audit trail can be greatly helpful in forensic investigations. For instance, in a security event, a detailed security log shows the computer that was used, the password and username, and the person who had access to the building. Moreover, a centralized data repository is helpful for real time systems monitoring (Mehdizadeh, Y, 2003).
Another benefit of this consolidation is the development of the corporate badge, which is a form of common identity used in corporate mergers. This badge provides “global roaming” in which one card enables access to all facilities worldwide in accordance to the granted authorization (Mehdizadeh, Y, 2003).
The convergence also gives the organization a much more versatile staff. This is because the system enables cross-training of the agents in an organization, thus making them aware of fields that were not in their job categories before. Employees who are assigned to certain projects become cross-trained while doing the job. This improves security and response time and enables the staff to cover each other, lowering staffing costs and giving the team members higher career opportunities (Slater, D, 2009). The convergence of IT and physical security systems also comes with disadvantages. One such disadvantage is that the security system requires knowledge which is beyond the domain of security. Most of the elements necessary for integration of logical security systems have complex setup and configuration steps which have to be carried out by a knowledgeable individual. Security departments must therefore rely on IT departments for assistance with several security project aspects. However, there exists a big communication gap since the personnel of each of the departments lacks knowledge of the other department’s domain. Solving this problem is difficult due to existence of the fear of possible loss of control or power to the other department (Eugene Schultz, E.E, 2007, p.84).
Another disadvantage of consolidating the security systems is the complex issues brought about by the fact that they offer several benefits which are non-security. The systems of such newly introduced benefits throughout an organization necessitate the extension of the elements of information technology and physical security systems infrastructure for purposes which are non-security. This brings about complicated issues for procurement, budgeting, deployment as well as the systems’ ongoing use. This also greatly expands privacy issues (Eugene Schultz, E.E, 2007, p.84).
The high cost of combining the two security systems is also a significant setback of the operation. Many organizations may lack adequate capital to carry out the necessary steps in consolidating IT and physical access systems, and an effort to achieve the same may result in retarded performance on other sectors of the organization due to financial constraint.
FUNDAMENTAL COMPONENTS OF AN INFORMATION TECHNOLOGY SECURITY SYSTEM
A logical security system is made of the following key elements:
User IDs- these are also known as user names, logins or accounts. They are distinctive personal identifiers used by a computer program’s agents where the program can be accessed by two or more users. The identifiers are created on brief sequences of numeric and alphabetic characters, and they are either chosen or assigned by the computer’s users (Kovari, P, 2005).
Authentication- this is the procedure employed by the program or network of a computer to check a user’s identity. Blind credentials lack identity but can still access the system. Identity confirmation is important to access control, a concept that grants access to authorized users and denies it to unauthorized users (Kovari, P, 2005).
Biometrics authentication is measurement of behavioral or physiological features of users for confirmation of their identity. The physiological aspects used are hand measurements, facial patterns, fingerprints, voice patterns, irises and eye retina scans. As an agent registers, some characteristics are taken and developed by a numerical process. This digit enters a database and features of users who attempts matching the stored characteristics has to match them to some given minimum error rate. The aspects of behavior used are speaker recognition, typing pattern recognition, signature recognition and gait recognition (Mehdizadeh, Y, 2003). When one registers into a system, some of their physiological features are taken and developed by a statistical algorithm. This digit is then placed in a database, such that anyone who tries matching the stored characteristics has to match them up to some minimum accepted error rate (Korari, P, 2005).
Physical keys- this refers to objects that are used to verify the identity of the person holding them. These include metallic keys used for unlocking computers, hardware devices plugged into computers so that they carry out certain programs, and smart cards having fixed microprocessor or memory (Korari, P, 2005).
When these components are integrated into the security system, they work together with the services granting access to company IT resources for example database permission, connectivity to the internet, access to the web, and e-mail. Authentication is then used for granting access of the resources depending on directories and the policies of access control for determining who can access what resources (Mehdizadeh, Y, 2003). The IT and physical security systems interact using infrastructure services installed by the department of information technology. This for instance enables a door reader to become connected to a fire protection system which is in turn tied to a CCTV system that is controlled by the physical security system. While physical security operations focus on protection of people, assets and structure as well as monitoring movement of assets and individuals throughout the buildings, logical access system controls access methods, monitors tenancy and perimeter intrusions, and enables the security personnel to easily monitor the entire security system as a single entity (Mehdizadeh, Y, 2003). The integration of IT components into the security system of an organization thus greatly supports and enhances the overall security profile of an organization.
CONCLUSION
The convergence of physical and IT security systems is beneficial to organizations, with some of the benefits including increased efficiency, reduced cost and provision of a more versatile staff. The convergence also has disadvantages, which include high costs of consolidating the systems as well as the system’s requirement of knowledge which is beyond the domain of security. Apart from the comparison between the pros and cons of the convergence of physical and IT security systems, the components of an IT security system have also been analyzed in this paper, and an explanation given on how their integration supports security operations in an organization; leading to the conclusion that integration of IT components into the security system greatly enhances the overall security profile of an organization.

References
Eugene Schultz, E. E. (2007). Risks due to convergence of physical security systems and information technology environments. Information Security Technical Report, 12(2), 80-84
Kovari, P. (2005). Red Paper: WebSphere Security Fundamentals.
Mehdizadeh, Y. (2003). SANS Institute: Convergence of Logical and Physical Security.
Slater, D. (2009). Physical and IT Security Convergence: The Basics. CSO, 1-4.

Similar Documents

Premium Essay

Team E Final Unix-Linux Paper

...Enterprise Security Plan University Of Phoenix CMGT 430 Carol Eichling March 26, 2014 Enterprise Security Plan Huffman trucking company is a national transportation company. The company’s 1,400 employee’s work in its logical hubs located in Los Angeles, California, St. Louis, Missouri, and Bayonne, New Jersey; its central maintenance facility is in Cleveland, Ohio; and as drivers of its 800 road tractors. (University of Phoenix, 2005) Team A has been consulted to create an enterprise security plan that will identify the information security challenges within Huffman trucking company network and establish mitigation plans to offset those challenges. The enterprise security plan will address some of the top vulnerabilities and risks that Huffman trucking company has the potential of experiencing. The plan will also include a list of physical and logical vulnerabilities within the company, and a specific list of remediation or mitigation steps for those vulnerabilities or threat pairs. “Enterprise security planning (ESP) is the aligning of information security policies and practices and applicable security technologies with the business rules and the evolving information models and technical architectures being used by a government or business”. (Erutal, L., Braithwaite, T., Bellman, B., 2012 pg. 144) As we started our examination of Huffman trucking vulnerabilities and risk, we took a strategic look at their assets and the possible vulnerabilities that could have an...

Words: 1665 - Pages: 7

Premium Essay

Logical Access

...What is the difference between logical and physical access to the computer? Why is the security of both important? The difference between logical and physical access to a computer can be seen directly in the names. Logical access is when a computer is able to be accessed from a remote location. An individual may not be sitting right at the system when in use. Logical access gives an individual or group of individual access to data or system information from another location through a network. Physical access, on the other hand, is when a person is using the computer directly. He or she would be sitting in front of the computer when using and would be connected to the network directly. Someone who has logical access would have the permissions to complete the same tasks as someone who had physical access to the system such as printing capabilities, saving documents to the company drives, and viewing the needed information. Security for both types of access is important. With logical access, because people are accessing the network from different locations it is important for the company to protect what is shared. There should be strong passwords in place, firewalls, and internet security to ensure that outside threats are protected against. For logical access, only certain information should be shared so that interception of data does not occur. They same type of computer security should be in place for physical access, but when someone is using a computer directly, he or she...

Words: 328 - Pages: 2

Premium Essay

Project Deliverables

...Infrastructure and Security Yan Li CIS590: Information Systems Capstone Professor Amir Afzal 31 May 2013   Table of Contents Figure 1: Current physical layout 5 2 Figure 2: Current logical layout 5 2 Figure 3: Planned physical layout 6 2 Figure 4: Planned Logical layout 6 2 1. Infrastructure and Security 3 2. Network 5 2.1 Current Network 5 2.2 Planned network 6 3. Security Policy 7 3.1 Process Policy 7 3.2 Employee Policy 8 Table of Figures Figure 1: Current physical layout 5 Figure 2: Current logical layout 5 Figure 3: Planned physical layout 6 Figure 4: Planned Logical layout 6   1. Infrastructure and Security The network infrastructure is critical to the success of business. Day in and day out, users rely on the network to do their jobs well. Network uptime is crucial to the company’s operation and is becoming even more important as technology advances. Network infrastructure refers to the grouping of physical hardware and logical components which are needed to provide a number of features for the network, such as connectivity, routing and switching capabilities, network security, and access control. The physical infrastructure of the network refers to the physical design of the network together with the hardware components. The logical infrastructure of the network consists of all the software components required to enable connectivity between devices, and to provide network security. The network's logical infrastructure...

Words: 1515 - Pages: 7

Premium Essay

Final Project

...Technical Project Paper: Information Systems Security Information Systems Security Haseeb Ahmed Khan Mark O’Connell CIS 333 Fundamentals of Information Security March 12, 2012 Abstract In today’s IT world every organization has a responsibility to protect the information and sensitive data they have. Protecting data is not only responsibility of security and IT staff but every individual is involved in protecting the information. The risks to information security are not digital only, but it involves technology, people and process that an organization may have. These threats may represent the problems that are associated to complex and expensive solution, but doing nothing about these risks is not the solution. The case we have been assigned today deals with physical and logical vulnerabilities and protection against the risks and threats by implying the best controls to either mitigate, avoid and transfer the risks. Being an Information Security officer at a newly opened location in a busy mall, I have been asked to identify physical and logical risks to the pharmacy operations and also to suggest remedies to avoid any huge loss to the business. The pharmacy operations involve the unique transactions which involves the critical patients’ data, valuable medication and access to cash. The regulation set by the government obligates a pharmacy to meet certain standards to secure logical and physical access to information systems. The pharmacy is comprised of 4 work...

Words: 2531 - Pages: 11

Premium Essay

Cis 341 Technical Paper

...Project Paper: Information Systems Security Due Week 10 and worth 110 points You are the Information Security Officer for a small pharmacy that has recently been opened in the local shopping mall. The daily operation of a pharmacy is a unique business that requires a combination of both physical and logical access controls to protect medication and funds maintained located on the premises and personally identifiable information and protected health information of your customers. Your supervisor has tasked you with identifying inherent risks associated with this pharmacy and establishing physical and logical access control methods that will mitigate the risks identified. 1. Firewall (1)   2. Windows 2008 Active Directory Domain  Controllers (DC) (1)  3. File Server (1)  4. Desktop computers (4) 5. Dedicated T1 Connection (1)     Write a ten to fifteen (10-15) page paper in which you: 6. Identify and analyze any potential physical vulnerabilities and threats that require consideration. 7. Identify and analyze any potential logical vulnerabilities and threats that require consideration. 8. Illustrate in writing the potential impact of all identified physical vulnerabilities and threats to the network and the pharmacy. 9. Identify all potential vulnerabilities that may exist in the documented network. 10. Illustrate in writing the potential impact of all identified logical vulnerabilities to the network and...

Words: 520 - Pages: 3

Premium Essay

Technical Project Paper: Information Systems Security Due Week 10 and Worth 110 Points

...Information Security in Pharmacies Introduction Information security is vital in many firms especially pharmacies and other sensitive fields. Security officers are, therefore, necessary to ensure both physical and logical safety. The Information Security Officer/Manager (ISO) will have different duties such as managing the information security functions in according to the firm’s established guidelines and provisions/policies, providing reports to the firm’s management at reasonable intervals, establishing and ensuring implementation of information security procedures and standards, according to the state’s provisions regarding risk management policies, consulting and recommending to the pharmacy on issues of security enhancement, conducting information security analysis and assessment programs and many others. Protecting medication, funds and health information According to statistics, many health firms such as pharmacies and hospitals have adopted the electronic health records (EHR) model to store their information. However, these firms still use physical records such as filing to store their information. In adopting the EHR, pharmacies usually aim at improving the coordination with patients, reducing disparities, improving public health and enhancing privacy of information through secure data protection. Medication, funds and also information have to be protected to encourage quality service deliverance to the firms. Access to the pharmacy According to the Joint Commission...

Words: 2989 - Pages: 12

Premium Essay

Frequent Shopper Part 2

...(SSC) provides information technology (IT) services and consulting, which include developmental solutions, IT integration, strengthening, analysis, design, and implementation (Apollo Group, 2004). SSC will submit a proposal to KFF that details the development processes of the FSP project. This paper is a technical article document that lists the project’s logical and physical models, which includes hardware, network, software, database, controls, and other development related tools. Logical and Physical Models Logical and physical models are representations of the key elements and processes of a software development. The logical model describes the processes, especially data, in as much detail as possible, without giving regard to how the system will be physically implemented. Logical data models include entities and relationships among them and how data flows from one process or entity to another. The physical model, on the other hand, delineates the physical implementation of the system, which answers how the logical model will be implemented physically. The physical model is a modified version of the logical model, intended particularly to work with a specific set of...

Words: 2665 - Pages: 11

Free Essay

None

...Title | Week 5: Security Plan Assessment Test | Interaction.4 | So, what is the difference between physical and logical security? [Select all that apply.] | ☐  Physical security deals with things like walls, guards, security cameras, and so on. ☐  They are basically two sides of the same coin, but "logical" deals with computer circuits. ☑  Logical security is about software and access to data and computer systems. | | So, what are a few threats that would fit under physical security? | ☑  Motion detection systems. ☐  Sprinkler systems. ☐  Exterior lighting. | | Oh, I see! Then, what is a logical security system? | ☐  Redundant power systems. ☑  Security badges. ☐  Passwords and user roles. | | Interaction.5 | OK, well first of all, what is a possible external security threat? | ☐  Hackers stealing customer information. ☑  A broken water main in the building causing a flood. ☐  Power surges due to lightning strikes. | | OK, well first of all, what is a possible external security threat? | ☐  Hackers stealing customer information. ☑  A broken water main in the building causing a flood. ☐  Power surges due to lightning strikes. | | So, what kind of control could we use to avert that threat? | There really is that we can do to avoid this kind of threat. | | OK, moving on - what is a possible internal security threat? | ☐  Electrical wiring could overload and cause a fire. ☑  Unauthorized visitors could gain access to...

Words: 329 - Pages: 2

Free Essay

Cis 333 Wk 10 Technical Project Paper

...Project Paper - Information Systems Security Write a ten to fifteen (10-15) page paper in which you: 1. Identify and analyze any potential physical vulnerabilities and threats that require consideration. 2. Identify and analyze any potential logical vulnerabilities and threats that require consideration. 3. Illustrate in writing the potential impact of all identified physical vulnerabilities and threats to the network and the pharmacy. 4. Identify all potential vulnerabilities that may exist in the documented network. 5. Illustrate in writing the potential impact of all identified logical vulnerabilities to the network and the pharmacy. More Details hidden... Activity mode aims to provide quality study notes and tutorials to the students of CIS 333 WK 10 Technical Project Paper in order to ace their studies. CIS 333 WK 10 TECHNICAL PROJECT PAPER To purchase this visit here: http://www.activitymode.com/product/cis-333-wk-10-technical-project-paper/ Contact us at: SUPPORT@ACTIVITYMODE.COM CIS 333 WK 10 TECHNICAL PROJECT PAPER CIS 333 WK 10 Technical Project Paper - Information Systems Security Write a ten to fifteen (10-15) page paper in which you: 1. Identify and analyze any potential physical vulnerabilities and threats that require consideration. 2. Identify and analyze any potential logical vulnerabilities and threats that require consideration. 3. Illustrate in writing the potential impact of all identified physical vulnerabilities and threats to...

Words: 496 - Pages: 2

Premium Essay

Multi-Layered Security Plan

...NT2580 Introduction to information security | 7 Domain of IT Infrastructure Security Plan | Project Part 1 | | | [Pick the date] | As described by Tipton and Henry, information security management establishes the foundation for a comprehensive security program to ensure the protection of an organization's information assets. Security management encompasses the administrative, technical, and physical controls necessary to adequately protect the confidentiality, integrity, and availability of the information assets in the IT Infrastructure. Each one of the domain of the typical IT Infrastructure needs a proper security controls to ensure the confidentiality, integrity, and availability (CIA Triad). The following are the overview of the seven Domains: User Domain This is the domain of users that access systems, application, and data. It is the information asset of the organization that will be available to a rightful user by authenticating the user by the acceptable use policy (AUP). It is also define that the user is the weakest link in an IT infrastructure, but by educating user of the sensitivity of the IT infrastructure in the security awareness, security control shall be enforced. Security control to this domain can also be enforced by defining and implement the user policy of the IT infrastructure. Workstation Domain This is the domain where users first connect to the IT infrastructure. Because of numerous threats, it is necessary to implement...

Words: 889 - Pages: 4

Premium Essay

Name

...Essay 16 Local Area Networks Marshall D. Abrams and Harold J. Podell Local area network (LAN) communications security is addressed in this essay. LANs are introduced as providing: (1) a private communications facility, (2) services over a relatively limited geographic area, (3) a high data rate for computer communications, and (4) common access to a wide range of devices and services. Security issues pertinent to LANs are discussed. For example, LANs share many security problems and approaches for their solutions with point-to-point conventional communications systems. In addition, LANs have some unique problems of their own: (1) universal data availability, (2) passive and active wiretap threats, (3) end-to-end access control, and (4) security group control. Countermeasures include physical protection, and separation by physical, logical, and encryption methods. Trusted Network Interface Units, encryption, and key distribution are also discussed. Examples are discussed to illustrate the different approaches to LAN security. The examples in this essay are a composite of several existing product features, selected to demonstrate the use of encryption for confidentiality, and trusted system technology for a local area network. Local area network technology/topology overview This essay addresses LAN security from the viewpoint of open systems interconnection (OSI). That is, we focus on the seven-layer OSI protocols (illustrated in Figure 1); in fact, we concentrate on...

Words: 7286 - Pages: 30

Free Essay

Cis175 It Consult

...requirements, and also appropriate security services. DesignIT has decided to upgrade from a temporary workplace to a permanent office space. The new space measures 56’ x 36’ giving DesigntIT over 2000 square feet of dedicated space. This new space contains four cubicles, one executive office, one server room, one reception desk, and one conference room and allows DesignIT to hire two full time designers and a receptionist. As stated in the Request for Proposal (RFP) issued by DesignIT, the design must incorporate the following considerations: * Relocation of three servers configured as follows: * One (1) Web Server – Microsoft IIS Server * One (1) File Server- Microsoft Server 2008 * One (1) Server – Server 2008 Small Business Server Furthermore, DesignIT has stated the design must also include the following deliverables: * High speed internet access * Firewall * Antiviurs/Malware protection * Six (6) computers * Three (3) color laser printers * Wireless access for portable devices A critical first step in designing a network to meet DesignIT’s requirements is designating the network topology. A network topology is both the logical and physical layouts of the network. Physical topology is related to the physical aspects of the office space and the requirement to provide network distribution to the various offices, reception area, server room, and conference room. Related to the physical topology is the...

Words: 731 - Pages: 3

Premium Essay

Cool

...ACCESS CONTROL IN SUPPORT OF INFORMATION SYSTEMS SECURITY TECHNICAL IMPLEMENTATION GUIDE Version 2, Release 2 26 DECEMBER 2008 Developed by DISA for the DoD UNCLASSIFIED Access Control in Support of Information Systems STIG, V2R2 26 December 2008 DISA Field Security Operations Developed by DISA for the DoD This page is intentionally blank. ii UNCLASSIFIED Access Control in Support of Information Systems STIG, V2R2 26 December 2008 DISA Field Security Operations Developed by DISA for the DoD TABLE OF CONTENTS Page SUMMARY OF CHANGES...................................................................................................... IX 1. INTRODUCTION................................................................................................................. 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 2. Background ..................................................................................................................... 1 Authority ......................................................................................................................... 2 Scope............................................................................................................................... 3 Writing Conventions....................................................................................................... 3 Vulnerability Severity Code Definitions ........................................................................ 4 STIG Distribution .......

Words: 38488 - Pages: 154

Premium Essay

Security Policies Overcoming Business Challenges

...Unit 1 Assignment 1: Security Policies Overcoming Business Challenges There are a number of Information Technology security controls. The three most common are: physical, technical, and administrative controls; however, many organizations break down administrative controls into two separate categories: procedural and legal controls. "Security controls are the means of enforcing security policies that reflect the organization's business requirements, " (Johnson). Security controls are implemented to guarantee the information security C-I-A triad. Furthermore, security controls fall into three types of control classifications, they are: preventive, detective and corrective. These classifications are used to specify when a security control applies. Physical Controls are exactly what they sound like, physical obstacles used to prevent or deter access to IS resources. Physical controls can be barriers such as locked doors, requiring some sort of authentication/authorization command to enter, like a cipher lock or keycard. Biometric scanners are also excellent controls to identify and allow access to authorized personnel. Video cameras and closed-circuit television are also examples of physical controls. For organizations requiring extreme security measures, perimeter barriers such as walls or electric fences are used; additionally, security guards fall into the physical controls category. Technical Controls are logical and/or software related controls designed to restrict access...

Words: 470 - Pages: 2

Premium Essay

Unit 3. Access Controls

...information, accounting, and inventory. For administrative controls I would administer a password policy. For the logical/technical controls I would have passwords checked and enforced. For the software controls I would make sure that updates are checked regularly. 2. For the advertising company scenario the data would probably consist of customer contact information, accounting, and inventory. For administrative controls I would administer a password policy. For the logical/technical controls I would have passwords checked and enforced. For the software controls I would make sure that updates are checked regularly. 3. For NetSecIT, I would implement all access controls on this organization because of the size of the company and the remote access. For administrative controls I would administer a password policy. For the logical/technical controls I would have passwords checked and enforced. For the software controls I would make sure that updates are checked regularly. For the hardware controls I would utilize MAC filtering and smart card use. For the physical I would utilize security guards and ID badges. 4. For Backordered Parts, I would implement all access controls for this organization because it is a defense contractor that builds communications parts for the military. For administrative controls I would administer a password policy. For the logical/technical controls I would have passwords checked and enforced. For the software controls I would make sure that...

Words: 362 - Pages: 2