Physical Access


Physical security supports confidentiality, integrity, and availability by ensuring that the organization is protected from unauthorized persons accessing the physical facility. The type of physical security controls depends on the risk associated with the asset.

In auditing a facility, the IS auditor should ensure that there are physical access restrictions governing employees, visitors, partners/vendors, and unauthorized persons (intruders). All facilities associated with the organization, including off-site computing and storage facilities, should be reviewed. An organization's facilities are similar to those of a city, in that there are different physical access controls based on the assets being protected. In a city, the physical access controls for a corner store, for instance, might include a lock and key, whereas a bank might employ physical security guards, lock and key, and additional stronger internal controls, such as a vault. This type of layered security can include administrative controls such as access policies, visitor logging, and controlled visitor access.

  • Access policies: Individuals internal and external to the organization are identified, along with the areas of the facility to which they are allowed access.

  • Visitor logging: Visitors provide identification and are signed into the facility; they record the purpose of their visit, their name, and their company.

  • Controlled visitor access: Visitors must be escorted by an employee while in the facility.


Personally escorting visitors is a preferred form of physical access control for guests.


In addition to administrative controls, the facility might employ biometric access controls, physical intrusion detection (alarms, motion sensors, glass-break sensors, and so on), and electronic surveillance (cameras, electronic logging, and so on). Technical controls often provide the capability to create audit logs of access attempts into the facility. Audit logs should include the point of entry, the date and time of access, the ID used during the access attempt, and both successful and unsuccessful attempts. These logs should be reviewed periodically to confirm that only authorized persons are gaining access to the facility, and the review should also take note of any modifications to access rights.
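The periodic review described above is easiest to do consistently when the access policy is written down as data and the log is checked against it mechanically. The following is an added example, not code from the book or from any badge-reader product: the pipe-delimited log format, badge IDs, area names and the policy table are all constructed for illustration, and a real badge system will export different fields. It flags four things the text asks a reviewer to look for: entries granted to someone the policy does not allow into that area, repeated unsuccessful attempts at one door, successful entries outside business hours, and any change to access rights.

```python
"""Periodic review of physical access audit logs against an access policy.

Added example (not from the original text). The log format, badge IDs,
area names and policy below are constructed for illustration; adapt the
parser to whatever your badge/biometric system actually exports.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access policy: badge ID -> set of areas the holder may enter.
ACCESS_POLICY = {
    "E1001": {"lobby", "office"},
    "E1002": {"lobby", "office", "server-room"},
    "V2001": {"lobby"},          # visitor badge: lobby only, must be escorted
}

# Constructed audit log lines. Fields: timestamp|door|badge|result|event
SAMPLE_LOG = """\
2024-03-04T08:01:12|lobby|E1001|GRANTED|ACCESS
2024-03-04T08:02:40|server-room|E1001|DENIED|ACCESS
2024-03-04T08:02:55|server-room|E1001|DENIED|ACCESS
2024-03-04T08:03:10|server-room|E1001|DENIED|ACCESS
2024-03-04T08:05:00|server-room|E1002|GRANTED|ACCESS
2024-03-04T09:30:00|office|V2001|GRANTED|ACCESS
2024-03-04T10:00:00|-|E1001|GRANTED|RIGHTS_CHANGE:add=server-room;by=ADMIN7
2024-03-04T23:45:00|office|E1002|GRANTED|ACCESS
"""

BUSINESS_HOURS = (7, 20)   # assumed: 07:00 inclusive to 20:00 exclusive
FAILURE_THRESHOLD = 3      # assumed: this many denials at one door is notable


def parse_log(text):
    """Parse pipe-delimited log lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result, event = line.split("|", 4)
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "door": door,
            "badge": badge,
            "result": result,
            "event": event,
        })
    return entries


def review_access_log(entries, policy, business_hours=BUSINESS_HOURS,
                      failure_threshold=FAILURE_THRESHOLD):
    """Return findings as (finding_type, badge, detail) tuples, in log order."""
    findings = []
    denials = defaultdict(int)          # (badge, door) -> count of denials
    for e in entries:
        badge, door = e["badge"], e["door"]
        # Every change to access rights is reported, whoever made it.
        if e["event"].startswith("RIGHTS_CHANGE"):
            findings.append(("rights_change", badge, e["event"]))
            continue
        allowed = policy.get(badge, set())
        if e["result"] == "GRANTED":
            # A successful entry the policy does not permit is the key finding.
            if door not in allowed:
                findings.append(("granted_outside_policy", badge, door))
            hour = e["ts"].hour
            if not (business_hours[0] <= hour < business_hours[1]):
                findings.append(("after_hours", badge,
                                 f"{door}@{e['ts'].isoformat()}"))
        else:
            # Unsuccessful attempts matter too: probing a door one is not
            # cleared for, or a failing credential, shows up as repeats.
            denials[(badge, door)] += 1
            if denials[(badge, door)] == failure_threshold:
                findings.append(("repeated_denials", badge, door))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(parse_log(SAMPLE_LOG), ACCESS_POLICY):
        print(finding)
```

Run against the constructed log this reports, in order, the three denials of E1001 at the server room, the visitor badge admitted to the office, the rights change granting E1001 server-room access, and E1002's late-night office entry. The policy table is the same thing as the "access policies" administrative control above, expressed so the reviewer can test the log against it rather than against memory.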

Similar to the review of the organization's network, the IS auditor should review facilities to determine paths of physical entry and should evaluate those paths for the proper level of security. Access paths include external doors, glass windows, suspended ceilings (plenum space), and maintenance access panels and ventilation systems.

Physical Security Practices

The previous section discussed authentication methods used in gaining access to IT systems; the same factors apply to physical access. Authentication can be based on something you know (a password), something you have (a smart card), or something you are (a unique personal characteristic such as a fingerprint, retina pattern, iris pattern, hand geometry, or palm pattern). The "something you are" factor is referred to as biometrics: authenticating an individual's identity by a unique personal attribute. When a biometric system is implemented, each individual provides a sample of the attribute (known as enrollment), such as a fingerprint, which is stored for comparison when access is later requested. Although biometrics by itself provides only single-factor authentication, many consider it an excellent method for user authentication and an excellent physical access control.

A biometric system is sensitive by nature, and that sensitivity makes it prone to error. The errors fall into two categories:

  • False Rejection Rate (FRR), Type I error: the biometric system rejects an individual who is authorized to access the system.

  • False Acceptance Rate (FAR), Type II error: the biometric system accepts an unauthorized individual who should have been rejected.

Most biometric systems have an adjustable sensitivity level (a matching threshold). When the sensitivity is increased, the false rejection rate increases (more authorized users are rejected). When the sensitivity is decreased, the false acceptance rate increases (more unauthorized users are accepted). Biometric devices are compared using the Equal Error Rate (EER), the rate at which FAR and FRR are equal, that is, where the two curves cross over. In general, the lower the EER, the more accurate and reliable the biometric device. An organization with a high need for confidentiality is more concerned with a biometric control's False Acceptance Rate (FAR) than with its False Rejection Rate (FRR) or Equal Error Rate (EER), because a false acceptance admits an intruder, whereas a false rejection only inconveniences a legitimate user.


When evaluating biometric access controls, a low Equal Error Rate (EER) is preferred, because the EER is the best single overall measure of a biometric system's effectiveness.
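The trade-off between FAR and FRR, and why the EER is a single crossover point, is clearer when worked through on numbers. The block below is an added example and not from the book or any vendor's matcher: it models a biometric matcher only by the similarity scores it outputs, sweeps the acceptance threshold over a constructed set of genuine and impostor scores, locates the EER, and then shows what a confidentiality-first tuning (cap the FAR first, accept whatever FRR that costs) does to the same data. The score lists and the decision rule "accept when score >= threshold" are assumptions of the example.

```python
"""Threshold sweep for a biometric matcher: FAR, FRR and the EER crossover.

Added example, not from the original text. The matcher is modelled only by
the similarity scores it produces. The two score lists are constructed; a
real evaluation uses thousands of genuine and impostor comparisons.
Decision rule assumed throughout: accept when score >= threshold.
"""

# Constructed similarity scores in [0, 1]: 1 = perfect match.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.70, 0.68, 0.62, 0.55]
IMPOSTOR_SCORES = [0.72, 0.66, 0.58, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20]


def far(threshold, impostor_scores):
    """False Acceptance Rate (Type II): impostors scoring at or above threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores):
    """False Rejection Rate (Type I): genuine users scoring below threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores):
    """Return [(threshold, FAR, FRR)] for every distinct observed score.

    Raising the threshold (more sensitive) can only lower FAR and raise FRR;
    lowering it does the opposite. Using the observed scores as candidate
    thresholds captures every point where either rate changes.
    """
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(t, impostor_scores), frr(t, genuine_scores))
            for t in candidates]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest, and the error rate there."""
    t, a, r = min(sweep(genuine_scores, impostor_scores),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Confidentiality-first tuning: the lowest threshold whose FAR does not
    exceed max_far, together with the FAR and FRR that choice produces.
    Returns None if no threshold meets the cap."""
    for t, a, r in sweep(genuine_scores, impostor_scores):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:9.2f}  {a:.2f}  {r:.2f}")
    print("EER (threshold, rate):",
          equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero-FAR tuning (threshold, FAR, FRR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On the constructed data the curves cross at a threshold of 0.66, where FAR and FRR are both 0.20, so the EER is 0.20. Demanding a FAR of zero forces the threshold up to 0.80 and doubles the FRR to 0.40: that is the cost a confidentiality-focused organization knowingly pays, and the reason the text says such organizations weigh FAR above FRR and EER. A vendor quoting only an EER tells you nothing about how the device behaves at the operating point you will actually choose.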




Exam Cram 2. CISA
Cisa Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
