Introduction
Protecting information assets is a critical part of business management and underpins the successful operation and continuity of any business. Any threat to the security of electronic or computerized information, or to the processes that handle it, is a definite threat to the quality of the business end result (Boran, 1999). These threats can be minimized or reduced to an acceptable level logically, physically, or by a combination of both, depending on the company’s security arrangements (Cliff, July 2001). Physical protection of information means physically limiting access to the places where information resources (computers) are kept, such as the building and the specific rooms that house the equipment (12). As has been observed, however, protecting these places physically is never sufficient on its own to ensure the confidentiality of the information. This is why it is important to put in place an adequate logical protection system that controls access to information and enforces the confidentiality of sensitive company information. It therefore falls to the systems administration team to ensure that all physical and logical aspects of information security are in place and meet the minimum standard required by the company.
The foremost requirement for adequate logical and physical information protection is for the company to identify, in order of priority, the most important information that needs protection (Cliff, 2001). This can be done by critically analysing the possible threats and the impact they are likely to have on the running of the information system. Calculating the different risks then ensures that all security issues are noted and prioritized (Granger, 2002). According to Gallegos (2005), system management teams should keep the following critical security issues in mind when dealing with information protection:
- Keep it simple, especially if the issue seems complicated, since such scenarios are unlikely to have a serious effect and are very expensive.
- It is important to set up a minimum, coherent security management system, and a complicated system should not rely heavily on external factors, since this may cost it privacy.
- Use some of the tested methods of protection for easy evaluation (41).
Physical Access and Threat
Any business that relies on computers to store information is exposed to all types of physical threats, and protecting information on computers takes more than passwords and antivirus software, as some people may be led to believe. An intruder who gains access to a computer or computer system can damage its functionality by altering or replacing a part, plant damaging programs such as a Trojan horse, or change the settings of the machine and obtain specific security numbers, to the detriment of the general security of the information system (Granger, 2002). Granger advises that critical communication links such as switches (routers) should be protected at all costs. It is thus logical to reason that physical protection is the first and most critical aspect of protection that every company should observe. The physical location, layout, design, and set-up of the facility determine the level of access and the ease of monitoring (16).
Other than attacks from intruders and hackers and errors by the employees themselves, physical threats to information systems include natural disasters and other environmental mishaps, e.g. water, fire, and electricity failures. Many information security experts believe that most information security risks, such as fraud, sabotage, and theft, result from internal arrangements by the companies’ own employees (Micki & Harold, 1997). However, according to the survey conducted by SearchSecurity.com (2002), many of the problems are, in most cases, caused accidentally by human error or simple mistakes by unauthorized users. The survey, carried out in 2001, indicated that many respondents gave human error as the most probable security risk, and, more worryingly, that they ranked it the most difficult aspect of information security to enforce. As the report says, “some see the typical computer criminal a non-technical authorized user of the system who has been around long enough to locate the control deficiencies and use them to cut corners, or it may be plain accidental errors or people not affiliated to the company or intruders trying to exploit deficiencies in the security system to commit harm against the business” (29). It may become complicated when the company physically restricts its employees to such locations. So how can a company enforce such a policy without jeopardizing its general operations?
Natural disasters, as mentioned earlier, are another physical threat to information security. As illustrated by ISACA (2001), fire, electricity, lightning, water, earthquakes, and other environmental events are some of the common natural disasters that pose a challenge to information security management. Fire, depending on its intensity, can cause different levels of damage to the system or even to the whole building. Water, mists, gases, and smoke can be disastrous to the operation of computer systems (6). Electrical faults can result from frequent power interruptions, which may interfere with the general operations of the business and at worst cause a fire, leading to an unexpectedly large catastrophe (11).
Control of physical access
Physical protection of information involves physically restricting access to resources to prevent accidental or intentional damage to computer systems, storage devices, microcomputers, computer terminals, and other communication equipment (Singleton, 2006). The first step is to assess the condition of the company's present security structure. The details to cover include: the entire building, office doors, desks and cabinets; computer and telecommunication rooms; how the company controls access to information and whether that control is secure; how information access is monitored by the company; and finally how general information protection is carried out (Singleton, 2008). This provides guidance and a basic understanding of the general state of information security in the company, and offers an overall benchmark for any proposed improvement (19). The evaluation requires an analysis of the possible risks and threats against the cost of mitigation and control (21).
Classification of Access Controls
Experts have classified physical access controls as preventive and detective controls (Singleton, 2008). Preventive controls generally help to avoid unwanted events, while detective controls are meant to identify unwanted events after they have occurred (United States General Accounting Office, 2002). Commonly used preventive physical security controls include: manual doors with cipher or key locks, magnetic door locks with electronic keycards, biometric authentication, security guards, photo IDs, entry logs, perimeter fences, and computer terminal locks, among many other methods (43). Detective security controls, on the other hand, include: smoke and fire detectors, motion detectors, visual and electronic surveillance systems, and intrusion alarms erected at the perimeter fence (45). So which way to go, preventive or detective access control? To begin with, Micki & Harold (1997) explain the difference between the two methods in terms of their functionality. They say that the detective method, being “invisible”, never affects the everyday working life of the employees. It only comes into action when there is a security breach and a need to investigate, for example in response to an alarm, which by any measure means that a problem has already been caused (66). Preventive controls (e.g. door locks and security guards), on the other hand, limit the movement of employees and other people, restricting them to particular areas and limiting the type of information they are supposed to use (68). This suggests that preventive controls are more effective than detective controls, since they prevent the problem from occurring in the first place. However, enforcing them can be very challenging if the employees fail to cooperate with the security team. Experts therefore advise that all employees should be given enough information about such arrangements to enhance understanding (Gallegos, 2005).
It is more effective still to use both methods, since detective and preventive measures tend to complement each other (89). When controlling access to restricted zones, areas defined as sensitive (like computer labs) should be monitored to ensure that only a limited number of people gain access, with authorization from the designated people. The National Institute of Standards and Technology (2001) proposes the following methods of controlling access to restricted zones:
- Use of electronic access controls, combination of mechanical locksets, or deadbolts
- Restricting the number of points for entry as required by the safety regulations
- Monitoring through personnel, e.g. a receptionist or guard stationed at the entry points, to ensure that only approved persons are allowed in, especially during working hours; all entries should be video-recorded for reference in case of a security breach.
In addition, it is necessary to maintain a list of the specific persons who are authorized to access sensitive areas that house IT assets. This is backed by recording the details of every visit to such areas, such as the time and date of entry, the reason for entry, and the exit time (31).
Backup information
In any information storage system, it is important to create a backup of the stored information to act as “insurance compensation” in case the primary information is lost (Micki & Harold 1997). Losing business information can be a frustrating experience that disorganizes all operations. The backup media should therefore be stored in rooms or safes at a reasonable distance from the location of the primary information, to avoid losing all the data to the same calamity. As described by Granger (2002), “Backups of sensitive information should have the same level of protection as the active files of same information”.
Maintenance of work place
To prevent any unauthorized person from accessing sensitive information about the organization, every employee should leave his or her desk clean and organized (Royal Canadian Mounted Police, 1997). All IT equipment that handles confidential information should be positioned so that no one other than the authorized person can access the information. Such measures include positioning monitors, fax machines, and printers in a secure place where no unauthorized person can get access to them (98). A practical way to prevent anyone overlooking the information on a monitor is to turn the screen away from the window and away from the vicinity of visitors; printers meant for confidential information should be placed in restricted zones (99).
Contingency plan
IT experts advise that businesses should have contingency plans in case of extraordinary events (ISACA, 2001). The plan should cover all eventualities, such as power failures or surges, information theft, flood, fire, etc. The contingency plan document should provide for essential services in case of losses (9). It should also cover both on-site and off-site recovery processes, such as the recovery of information after a system failure and the loss of critical support systems (11).
Controlling access location
Whatis.com (2002) proposes a number of preventive measures, related to the location of the facilities, that should be taken to ensure the safety of the information. Some threats, like flooding, can be minimized by selecting a facility location that is not prone to floods, unlike sites near rivers that flood nearly annually. The area should also be free of fire threats, mist or high humidity, and electromagnetic interference that may be detrimental to the efficient operation of the information system (Granger, 2002).
Control of Logical Access and Exposure
These are the most commonly recognized information access controls; they combine computer hardware and software to restrict or detect access by unauthorized persons (Micki & Harold, 1997). For example, most specific areas or sites will require the user to have a personal identification number or password that allows access. IT professionals emphasize that logical controls should be designed in a way that limits each authorized user to the particular systems, programs and files that they need, and absolutely denies access to others, such as hackers (67).
Used well, logical security controls support the company in its effort to protect information assets even if individuals gain access to the computer hardware. They help businesses to:
- Identify or recognize specific individual users, and the particular computers authorized to access computer networks and other resources such as data,
- Limit or restrict access to specific data or information,
- Easily produce and analyze trails of user activity and audit the system,
- Take defensive action against intruders, sometimes by requiring more information to prove the legitimacy of the access. For example, employees who do not have authority to access specific information may try to access it without the express authority of the person in charge. With an accurate and well-planned logical control system, they cannot gain access to such information (Granger, 2002).
Some of the commonly used logical controls are: antivirus software, access control software, passwords, encryption, smart cards, dial-up access control and callback systems, audit trails, and intrusion detection programs (Royal Canadian Mounted Police, 1997).
Access Control programs
There are a number of proven and tested methods to detect unauthorized access to information assets in a computer system, namely:
- Access control software; this software is installed specifically to protect the information resources that the company considers important and confidential (Cliff, 2001). Its ability to control and monitor access to the information in the computer system is vital for the company’s information safety (109). It limits access by making sure that only particular registered users have express access to the computer information or to some very specific data, requiring them to enter their unique user ID accompanied by a password. A good example is the Computer Associates eTrust CA-ACF2 Security for mainframes (114).
- Passwords; a password is a protected string of computer-encrypted characters meant to authenticate the person accessing the computer system. It is normally a second identification step after the user has entered the username or ID (Singleton, 2008). According to ISACA (2001), “password is the first line of defense against outside attacks”, and weak passwords are easy to break, especially with password breaker tools such as L0phtCrack. A strong password therefore makes it difficult for such tools to work, or makes the process long and tedious for the intruder. Password guidelines differ depending on the access control system. However, there are some general minimum criteria for setting up a secure password, as illustrated by the NIST (2001): a fairly secure password should have a length of between 5-8 characters; it should be able to combine numbers and letters, both lower and upper case, and most importantly some special characters; it should not be identifiable with user details like date of birth or name; the system must not allow reuse of passwords used within the previous 5-10 generations; passwords should be changed periodically (every 60-90 days), as long as that assures the security of the data; they should never be displayed when entered; a vendor-supplied password must be replaced immediately after implementation; and finally, all passwords should be personal and should never be shared at any level if the information they safeguard is vital. It is thus important to establish a proper password policy to guide usage.
- Antivirus software; viruses have proved to be one of the most frustrating disruptions to the safety of computer network information. According to ISACA (2001), viruses are code segments that have the ability to replicate, acting remotely and sometimes proving difficult for some of the known antivirus programs. They are malicious programs that are able to bring down the whole system or completely damage existing user files. Once replicated, they attach themselves to existing executables, and “the new copy of the virus is executed when a user executes the new host program” (United States General Accounting Office, 2002). Their primary sources have been the internet, through downloaded files, and local computer networks. Numerous types of viruses have caused havoc to business operations in past years (NIST, 2001); one, W32.SirCam, caused considerable damage to companies’ files and information. The most effective and proven way to control viruses in a computer system is to install antivirus software (23). Antivirus software is able to detect viruses, prevent attacks from them, and sometimes remove them or repair the infected files. Some of the known antivirus products are AVG, Kaspersky, NOD32, and NVC, among many available ones (48). Beyond installing antivirus software, a company should establish a clear and relevant antivirus policy that guides its usage. To be effective, the policy should be part of a contingency plan and should guide the usage procedure, outlining who should use it, when, and how (52).
- Smart cards; a smart card is an intelligent chipped device, the size of a credit card, that is used to authenticate the user (Granger, 2002). It requires the user to show that he or she is the real owner of the card by entering a unique personal identity code (77). The user enters his or her PIN once the card is inserted into the system to allow access. It is a sure way of authenticating the identity of the user, as it requires the person both to own the card and to have and remember the PIN (81). Smart cards have been used at the doors of sensitive computer/data rooms, and IT experts project that smart card use will definitely increase in the future, considering the expected technological advancement (83). This is probably why the PC/SC Working Group companies, like Microsoft, Intel, and Toshiba, have defined certain standards for the interface between programming and PC hardware in a smart card (PC/SC Working Group, 2002).
- Encryption; this is a technique that protects text by using codes to hide the data from any reader other than the intended one. It is commonly used to protect data in transit or stored data from intrusion or interception by an unintended person (Boran, 1999). However, encrypted data is still prone to loss, and encryption programs can easily be compromised (54). It is therefore advisable to use it as just one part of a company's security arrangements, accompanied by other, more reliable information asset security efforts.
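The password criteria listed above (length, character mix, no user details, no reuse within a number of generations, periodic change) can be enforced in code. The following checker is an added example, not code from the cited sources; the function names, the values picked from the quoted ranges, and the PBKDF2 history store are assumptions.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Assumed policy values, picked from the ranges quoted in the text.
MIN_LENGTH = 8           # upper end of the 5-8 character range
HISTORY_DEPTH = 5        # lower end of the 5-10 generation range
MAX_AGE_DAYS = 90        # upper end of the 60-90 day range
PBKDF2_ROUNDS = 100_000  # assumption: work factor for the history store


def hash_password(password, salt=None):
    """Return (salt, digest) so old passwords are never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the password matches one of the last HISTORY_DEPTH entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hash_password(password, salt)[1]
        if hmac.compare_digest(candidate, digest):  # constant-time compare
            return True
    return False


def check_password(password, user_details, history):
    """Return the list of policy rules the candidate password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if not all(any(c in cls for c in password) for cls in classes):
        problems.append("missing_character_class")
    lowered = password.lower()
    # Reject passwords built from the user's own name, birth date, etc.
    if any(d and d.lower() in lowered for d in user_details):
        problems.append("contains_user_detail")
    if in_history(password, history):
        problems.append("reused")
    return problems


def is_expired(last_changed, today):
    """True once the password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```
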
Dial-up access control and callback systems
In some cases the users of a computer system may attempt to connect to it remotely, from home or any location other than the business premises, via a dial-up line. It is advisable to restrict such use through a dial-up access control. This method prevents any attempt by such people to gain access to the secured information (Singleton, 2006). It is also able to authenticate the remote user, besides effecting a call-back system. When in operation, the telecommunication link established by dialling into a computer remotely is interrupted so that “the computer would dial back to the caller” (Boran, 1999). The security catch here is that the caller is only permitted if the number is valid and recognized. Boran (1999) advises that the phone numbers should be changed regularly to ensure maximum safety, and warns that if the company’s business is not adequately secured by dial-up access controls, the stored information is exposed to war dialers, e.g. Toneloc, that can sweep the company’s extensions with the intention of finding an open modem to answer the call (Singleton, 2006).
Audit trails
The other useful information security tool is the audit trail. It is used to trace any illegal input of information from some other source back to the original user (Boran, 1999). Any improper attempt, for example by an employee, to access a restricted information database is automatically reported back to the original source. This is useful where specific employees are allowed access to some specific areas but not to the whole database (97). If they attempt to access unauthorized data, the attempt can be reported back to the central location.
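The audit-trail check described above, flagging employees who reach for database areas they are not cleared for and reporting them centrally, can be run over a trail like this. It is an added example, not taken from the cited sources; the record format, user names, resources and threshold are constructed assumptions.

```python
from collections import Counter

# Assumption: which database areas each employee is cleared for.
AUTHORIZED = {
    "jdoe": {"sales_db"},
    "asmith": {"sales_db", "payroll_db"},
}

# Constructed audit records: timestamp, user, terminal, action, resource.
SAMPLE_TRAIL = """\
2002-03-04T09:12:01 jdoe term-14 READ sales_db
2002-03-04T09:15:40 jdoe term-14 READ payroll_db
2002-03-04T09:15:52 jdoe term-14 READ payroll_db
2002-03-04T09:20:10 asmith term-02 WRITE payroll_db
2002-03-04T09:31:27 unknown term-14 READ sales_db
2002-03-04T09:35:00 <truncated>
2002-03-04T09:40:03 jdoe term-14 WRITE payroll_db
"""

ALERT_THRESHOLD = 3  # assumption: repeated attempts worth escalating


def parse_trail(text):
    """Split the trail into well-formed records and rejected lines."""
    records, rejected = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            # Keep damaged lines: a gap in the trail is itself a finding.
            rejected.append(line)
            continue
        ts, user, terminal, action, resource = parts
        records.append({"ts": ts, "user": user, "terminal": terminal,
                        "action": action, "resource": resource})
    return records, rejected


def unauthorized_attempts(records, authorized=AUTHORIZED):
    """Records whose user is unknown or not cleared for the resource."""
    return [r for r in records
            if r["resource"] not in authorized.get(r["user"], set())]


def report(text):
    """Build the summary that would be sent to the central location."""
    records, rejected = parse_trail(text)
    violations = unauthorized_attempts(records)
    counts = Counter((v["user"], v["resource"]) for v in violations)
    escalate = sorted(k for k, n in counts.items() if n >= ALERT_THRESHOLD)
    return {"violations": violations, "escalate": escalate,
            "rejected": rejected}
```

Each violation keeps its terminal and timestamp, which is what lets the attempt be traced back to the originating user and workstation.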
Conclusion
It has emerged that information assets are exposed to numerous risks, both natural and man-made. It therefore falls to the organization to analyze the potential risks properly and take precautions to avoid any disastrous loss of data or information. It is important to manage and maintain logical and physical security in equal measure to protect the organization’s information adequately. The actual challenge for any organization is to put in place the right security, both physical and logical, to fit that particular organization’s needs.
References
Boran, S., (1999), “The IT Security Cookbook”.
Cliff, A., (2001) “IDS Terminology, Part Two: H-Z”. Web.
Granger, S., (2002) “The Simplest Security: A Guide to Better Password Practices”. Web.
Gallegos, F. (2005), Computer Forensics: An Overview CISA, CDE, CGFM Volume 6.
Micki K., Harold T. F., (1997). “Handbook of Information Security Management”. Web.
Singleton, T. W. (2008), What Every IT Auditor Should Know About Access Controls CISA, CITP, CMA, CPA, Volume 4.
Singleton, T. W. (2006), What Every IT Auditor Should Know About Cyber forensics CISA, CMA, CPA, CITP Volume 3.
Royal Canadian Mounted Police (1997), Technical Security Standard for Information Technology (TSSIT).
Information Systems Audit and Control Association (ISACA) (2001), CISA Review, Technical Information Manuals. Rolling Meadows: ISACA, Inc.
National Institute of Standards and Technology, (2001) “An Introduction to Computer Security: The NIST Handbook” – Special Publication 800-12.
SearchSecurity.com, (2002), a TechTarget site for Security professionals- A search for the definition of “Intrusion detection”. Web.
Whatis.com. (2002), A search for the definition of “Intrusion detection”. Web.
PC/SC Working Group. Web Page. Web.
United States General Accounting Office (2002). “Federal Information Systems Control Audit Manual – Volume 1: Financial statements audit”, GAO/AIMD-12.19. Web.