You will provide security recommendations by designing three physical control diagrams. These diagrams should reflect what you think are optimal levels of security. As a member of the information security team, your role is that of a risk advisor, not a decision maker. The budgeting portion of the project will be completed later, and the budget is not your focus.
Learning Resources
Review these resources to learn more about physical control planning for your assignment:
· Security Controls
· Physical Security Planning
· Security Considerations for Hospitals
Download Instructions
Download the Physical Security Plan Maps and save it as FirstName_LastName_Physical_Security_Plan.
The file, containing three maps of the hospital, should download as a Microsoft PowerPoint. You may have to click the “Enable Editing” button.
For each map, click the icons in the map key and drag them to the place on the map you believe they should be located. If you want to place an icon multiple times, you can copy the icon by right-clicking or selecting it and pressing Ctrl+C, and then pressing Ctrl+V as needed.
The Physical Security Plan Template contains follow-up questions related to the maps. You will submit the template and the maps next week for the Physical Security Plan assignment.
Physical Security Plan Template
Exterior
· Why did you propose the lighting where you did?
· When placing the parking lots, what factors did you consider?
· Why did you place cameras where you did?
Lobby
· What kind of windows are required? What kind of access control security are you providing for the visitor, employee, and patient?
· What kind of information would you collect from all nonemployees to enter the hospital for security reasons?
· What kind of security would you have at the door? (physical, ID badges, cameras)
Maternity Unit
· From a security perspective, why is the placement of the nurses’ station important?
· For security reasons, why do you encourage visitors to stay in designated areas or tell them where to go? (for example, signs, maps, paths, etc.)
· How do you secure the newborns from potential abduction and accidental switching?
· Would different secondary ID badges for maternity ward employees be recommended and why?
Security Training
· What kind of security training would you offer to employee staff, and how often would it take place? Why?
· Would the training be different for each group? How?
Exterior
Exterior instructions, including the visitor parking garage, staff parking lot, and the hospital's emergency entrance, stairs, wheelchair ramps, and staff entrance.
Icons can be moved or copied to the desired location on the map.
Fences can be drawn using the shapes / lines / freeform tool.
Lobby
Lobby instructions, including the entrance door, vending area, front desk, administrative suite, registration admitting / waiting area, gift shop, restrooms, stairs, elevator, and hallway to the East wing.
Icons can be moved or copied to the desired location on the map.
Maternity Unit
Maternity Unit instructions, including the waiting room, reception counter, elevators, stairs, vending area, public rest rooms, storage, nursing office, meeting room, training room, C-section surgical suite, labor and delivery suite, supply closets, patient rooms, nursery with doorway requiring card entry, snack/water station, utility room, and hallway/staff entrance.
Icons can be moved or copied to the desired location on the map.
Learning Topic
Security Controls
The goal of IT security is to protect the people, property, and data assets of the organization. Organizations use security controls to minimize risks to those assets. Security controls can be classified by type: physical, technical, or administrative. All three are necessary for robust security (Walkowski, 2019).
Physical Controls
Physical controls involve security measures that safeguard and protect physical assets against unauthorized access, damage, loss, or theft from natural and man-made events. Examples of physical controls include fences, gates, security guards, lighting, closed-circuit surveillance, motion sensors, access control systems (biometrics, access cards), and locked and dead-bolted steel doors.
Among physical controls, the use of personnel can be effective, but it is also the most expensive countermeasure to reduce physical security risks. Ouyang (2012) states that security guards can be used to:
· check credentials at entry points
· ensure company property does not leave facility
· monitor intrusion detection systems
· verify doors and windows are locked
· watch for suspicious activity
Technical Controls
Technical controls, also called logical controls, use technology to restrict the access and usage of sensitive data. Examples of the hardware and software used for technical controls include authentication solutions, firewalls, antivirus software, encryption, and intrusion detection and protection systems.
Administrative Controls
Administrative or procedural security controls involve the procedures and policies that define and guide employees and users when dealing with the organization’s assets. This includes employee training and awareness programs, hiring and termination policies, data classification, equipment and internet usage guidelines, separation of duties, and disaster preparedness and recovery plans (Walkowski, 2019).
Compensating Controls
There is an additional category of controls called compensating or alternative controls. These are physical, technical and/or administrative controls employed by an organization in lieu of a recommended security control. These security measures are used to prevent a gap in IT compliance when the security requirements are too difficult or impractical to implement due to legitimate technological or business constraints (Bisson, 2016).
For example, organizations ideally should have two or more staff members complete separate parts of certain tasks such as developing and testing a security system. This will prevent fraud and employee error so that no single person has sole accountability for the task.
However, if an organization has a very small staff, it might need to have one employee complete the task. To compensate, the organization may implement a compensating or alternative control such as having that one employee maintain detailed logs and give reports to an audit committee or hiring a third party to monitor the process (Reeds, 2017).
References
Bisson, D. (2016). Compensating controls: An impermanent solution to an IT compliance gap. Tripwire. https://www.tripwire.com/state-of-security/security-data-protection/compensating-controls/
Ouyang, A. (2012). Physical (environmental) security domain [PowerPoint slides]. CISSP Common Body of Knowledge Review. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=2ahUKEwi4h7mKxoXmAhUE11kKHac2AqgQFjACegQIAxAC&url=http%3A%2F%2Fopensecuritytraining.info%2FCISSP-6-PS_files%2F6-Physical_Security &usg=AOvVaw3RNR5kwdnhG-1tHRQYeH9Z
Reeds, C. (2017). Separation of duties and IT security [Blog post]. https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security
Walkowski, D. (2019). What are security controls? An overview of the types of countermeasures security practitioners use to reduce risk. F5. https://www.f5.com/labs/articles/education/what-are-security-controls
Learning Topic
Physical Security Planning
Jon Feingersh Photography Inc. / DigitalVision / Getty Images
Organizations can implement the best authentication scheme in the world, develop the best access control, and install firewalls and intrusion prevention. However, their security cannot be complete without implementing physical security.
The goal of physical security is to protect the actual hardware and networking components that store and transmit information resources. This involves taking measures to prevent unauthorized access to the organization’s assets. These measures include the following:
· Locked doors: It may seem obvious, but security is useless if an intruder can simply walk in and physically remove a device. High-value information assets should be secured in a location with limited access.
· Physical intrusion detection: High-value information assets should be monitored through security cameras and other means to detect unauthorized access to the physical locations.
· Secured equipment: Devices should be physically locked down. One employee’s hard drive could contain all your customer information.
· Environmental monitoring: An organization’s servers and other high-value equipment should always be kept in a room that is monitored for temperature, humidity, airflow, and unauthorized access. The risk of a server failure rises when these factors go out of a specified range.
· Employee awareness and training: Physical security requires educating all employees on organizational policies and best practices related to security, such as upholding visitor policies, workstation locking, device encryption, following policies related to traveling with work devices, and reporting suspicious activity (Kostadinov, 2017).
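The "physical intrusion detection" and "environmental monitoring" measures above both come down to comparing sensor data against a policy and raising an alert when it falls outside that policy. The following Python is an added illustration, not code from this course, from Kostadinov, or from the Bourgeois textbook: it checks environmental readings against configured ranges and flags a door that opens without a recent badge read at its reader. The sensor names, the acceptable ranges, the 10-second badge-to-door window and the sample readings and door events are all constructed for the example; a real deployment takes the ranges from the equipment specifications and facility policy.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical acceptable ranges (low, high); None means no bound on that side.
# Placeholders for illustration only, not values from the course material.
LIMITS: Dict[str, Tuple[Optional[float], Optional[float]]] = {
    "temperature_c": (18.0, 27.0),
    "humidity_pct": (40.0, 60.0),
    "airflow_cfm": (300.0, None),  # lower bound only
}


@dataclass(frozen=True)
class Reading:
    ts: int        # seconds since epoch (constructed sample timestamps)
    sensor: str
    value: float


@dataclass(frozen=True)
class DoorEvent:
    ts: int
    door: str
    opened: bool                 # True when the door contact reports "open"
    badge_id: Optional[str]      # badge read at the door's reader, None if no read


def check_environment(readings: Iterable[Reading]) -> List[str]:
    """Return one alert per reading outside its configured range or from an unknown sensor."""
    alerts: List[str] = []
    for r in readings:
        if r.sensor not in LIMITS:
            # An unexpected sensor is worth a human look rather than silent acceptance.
            alerts.append(f"{r.ts} unknown sensor {r.sensor}")
            continue
        low, high = LIMITS[r.sensor]
        if low is not None and r.value < low:
            alerts.append(f"{r.ts} {r.sensor}={r.value} below {low}")
        elif high is not None and r.value > high:
            alerts.append(f"{r.ts} {r.sensor}={r.value} above {high}")
    return alerts


def check_door_events(events: Iterable[DoorEvent], window_s: int = 10) -> List[str]:
    """Flag a door opening that is not preceded by a badge read within window_s seconds.

    A door that opens with no badge read at its reader is the simplest signal of a
    forced, propped or tailgated entry and should be reviewed against camera footage.
    """
    alerts: List[str] = []
    last_badge: Dict[str, int] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.badge_id is not None:
            last_badge[e.door] = e.ts
        if e.opened:
            t = last_badge.get(e.door)
            if t is None or e.ts - t > window_s:
                alerts.append(
                    f"{e.ts} {e.door} opened without a badge read in the last {window_s}s"
                )
    return alerts


def run_example() -> Tuple[List[str], List[str]]:
    """Run both checks over constructed sample data and return the alert lists."""
    readings = [
        Reading(100, "temperature_c", 22.5),   # in range
        Reading(160, "temperature_c", 29.0),   # above 27.0
        Reading(220, "humidity_pct", 35.0),    # below 40.0
        Reading(280, "airflow_cfm", 450.0),    # in range, no upper bound
        Reading(340, "smoke_ppm", 0.0),        # sensor not in policy
    ]
    events = [
        DoorEvent(1000, "server-room", opened=False, badge_id="B-0471"),  # badge read
        DoorEvent(1003, "server-room", opened=True, badge_id=None),       # 3 s later: fine
        DoorEvent(1500, "server-room", opened=True, badge_id=None),       # 500 s later: alert
        DoorEvent(1800, "storage", opened=True, badge_id=None),           # never badged: alert
    ]
    return check_environment(readings), check_door_events(events)


if __name__ == "__main__":
    env_alerts, door_alerts = run_example()
    for line in env_alerts + door_alerts:
        print(line)
```

The two checks deliberately stay separate: environmental drift is a reliability concern that usually goes to facilities, whereas a door opening without a badge read is a security event that should reach the guard desk or the monitoring team, and routing them to the same queue tends to bury the second under the first.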
References
Kostadinov, D. (2017). Tips for managing physical security. Infosec. https://resources.infosecinstitute.com/category/enterprise/securityawareness/managing-physical-security/#gref
Licenses and Attributions
Chapter 6: Information Systems Security from Information Systems for Business and Beyond by David T. Bourgeois is available under a Creative Commons Attribution 4.0 International license. © 2014, David T. Bourgeois. UMGC has modified this work and it is available under the original license.