Guidelines and procedures to implement and maintain physical controls and processes
Control methods –
- Administrative controls:
- Policies and procedures
- Policies and procedures are decided by senior management, which determines exactly what role the security function has to play. Management is responsible for the security policies.
- personnel controls
- Employees have to interact with various security mechanisms. These controls specify the actions to be taken when an employee is hired, terminated, etc.
- supervisory controls
- In this approach each employee works under a supervisor who monitors the actions of the employees under him/her. If an employee commits fraud, both the employee and his/her supervisor are punished.
- security-awareness training
- Proper training has to be given to the employees of the company about the security standards the company maintains and how to abide by the security rules and follow them.
- Most of a company's security issues depend on the technology and the people using it. It is up to the employees to use it properly to reduce the risk of any security-related incident (Neves, Soares, Sargento, Pires & Fontes, 2011).
- testing
- The main objective of testing is to ensure that all the security controls, mechanisms and procedures used to implement security techniques are checked on a regular basis to verify whether they are working properly.
- Physical controls
- control zone
- The company is divided into zones, and each zone is assigned a different level of security. For example, the front office can have a low level of security, whereas the Research & Development department could be considered top-level security (Ojobor & Omosigho, 2016).
- perimeter security
- Employees enter the company by passing an authorized security guard who checks employee ID cards before permitting them to enter.
- Another level of perimeter security can be a biometric scan of the employee's thumb/finger before entering the department.
- CCTV surveillance in the parking area or at the workplace.
- computer control
- Physical controls configured and installed to protect confidential data from theft.
- work area separation
- Separate work areas for different employees of the company according to their designation.
- For example, a clerk cannot enter the research area and disrupt the test data.
- data backups
- Servers have to be maintained to back up data so that if there is any data loss due to a security breach, the backed-up data will help recover it.
- network segregation
- A large network can be segregated into smaller networks.
- Each sub-network is protected with a different security level and can be accessed only by authorized persons (Pathari & Sonar, 2012).
- Technical Controls
- system access
- Depending on the architecture of an organization, different types of controls and security can be used.
- network access
- Only authorized personnel can access certain logical controls such as routers, switches and firewalls.
- Encryption and protocols
- These are the technical controls used to protect data as it passes through the network.
- Auditing
- These are technical controls used to track activity within the network, on a specific computer, or on a system.
A real-world example of an organization that uses the above-mentioned access control methods is NASA.
Control Models:
The seven different access control models are given below:
- Deterrent
- This access control mechanism is used to deter potential attackers
- Preventive
- Prevents an unwanted incident from occurring
- Corrective
- Fixes systems after an incident has occurred
- Recovery
- Recovers lost data or controls to restore all systems back to working order
- Detective
- Helps identify unauthorized incidents
- Compensating
- Alternative controls put in place in place of failed controls
- Directive
- Important controls put in place because of regulations or environmental requirements
Below are three policy guidelines and procedures –
- When proper and professional personnel are hired, they should be trained on how to detect fraudulent bills and checks so that these are not cashed or accepted and exchanged for money. Hiring armed security guards will give the bank added protection and will also give the owner of the bank an extra set of eyes on the bank's personnel. Without proper staffing, physical security is useless. If all the proper deterrents are in place, then a criminal is less likely to target that particular establishment. If there is a break-in and all the cameras, locks, and alarms are working, then it will be easier for law enforcement to apprehend the criminal right away, and possibly even prevent the crime from occurring (“Physical and Electronic Access Control Policy | Policies and Procedures”, 2019).
- The bank must show all customers that it is willing to go the extra mile to protect them and their money when they do business at that bank. It is very important for the armed security guards, as well as the bank personnel, to be very observant of their surroundings so that if anything seems out of the ordinary they can notify the proper authority and action can be taken. All personnel should be on constant watch for weak points in the security of the bank and its contents (“Physical and Electronic Access Control Policy | Policies and Procedures”, 2019).
- If a fire were to occur, certain personnel would be given the responsibility to shut down the computers and make sure that everyone evacuates and that no one re-enters until the fire department gives the OK to re-enter (“Physical and Electronic Access Control Policy | Policies and Procedures”, 2019).
References
Neves, P., Soares, J., Sargento, S., Pires, H., & Fontes, F. (2011). Context-aware media independent information server for optimized seamless handover procedures. Computer Networks, 55(7), 1498-1519. doi: 10.1016/j.comnet.2011.01.022
Ojobor, S., & Omosigho, S. (2016). Transient Solution for Single Server Machine Interference Problem with Additional Server for Long Queues under N-Policy Vacations. British Journal Of Mathematics & Computer Science, 17(1), 1-15. doi: 10.9734/bjmcs/2016/24515
Pathari, V., & Sonar, R. (2012). Identifying linkages between statements in information security policy, procedures and controls. Information Management & Computer Security, 20(4), 264-280. doi: 10.1108/09685221211267648
Physical and Electronic Access Control Policy | Policies and Procedures. (2019). Retrieved from https://policy.arizona.edu/facilities-and-safety/physical-and-electronic-access-control-policy