Physical security protects your physical computer and networking facilities: your building, your server room, your computers, your backup media, and increasingly, your people. Biometric devices (devices that sample a physical or behavioral trait, for example a fingerprint, and compare it with the traits on file to determine whether you are who you claim to be) provide an important first defense against break-ins. Sound physical security is the basis on which a security policy and its resulting activities must rest. The best computer security activities can easily be negated by careless physical security. The importance of good physical security can be illustrated by referring once again to the two security mnemonics: CIA and IRA. The first refers to the following:
To show how these relate to physical security, consider the following story. In December 2002, social security numbers and other personal information for a half million military personnel, family members, and retirees were stolen in a heist of the system's backup devices. The theft occurred on a Saturday and was detected the following Monday. Medical insurance claims data for active military personnel in the western portion of the United States were involved, and the matter was treated seriously: a reward was posted, periodic updates on the case were published on a web site, and those affected were told what to do if they suspected their stolen information had been misused. From backups (early news reports stated that the stolen drives were in fact "expensive backup devices"), the facility quickly determined which records were compromised and notified those affected with details of the stolen information, including copies of forms they may have filled out, so that the victims could see what data was at risk. No cases of identity theft or other crime have been attributed to this theft, and the facility has since increased both electronic and physical security and has in fact been awarded a contract for a considerably increased service area.
Upon further investigation, it became clear that the IT processes in place at this organization were reasonable. However, with a break-in on a Saturday being reported on Monday, there may have been a breakdown in physical security. It is clear that problems with physical security can undermine the best of intentions with electronic security.