WEBVTT

00:00:00.990 --> 00:00:03.740
Let's continue looking at facilities security.

00:00:04.160 --> 00:00:07.860
We start at the outside with external physical access

00:00:07.860 --> 00:00:12.800
controls. We put in place fences, good lighting. For example,

00:00:12.800 --> 00:00:13.840
in parking areas,

00:00:13.840 --> 00:00:16.790
we'll often have flood lighting so it's safe for our

00:00:16.790 --> 00:00:18.630
people to get out to their vehicles,

00:00:18.710 --> 00:00:22.720
whereas against the building will often have just a low‑level

00:00:22.720 --> 00:00:27.040
lighting that shines down the wall of the building so our cameras

00:00:27.040 --> 00:00:30.030
could pick up if somebody was there, that sort of thing.

00:00:30.900 --> 00:00:32.330
We have guards.

00:00:32.670 --> 00:00:36.090
Now the idea of a guard is that a guard is there to watch,

00:00:36.090 --> 00:00:37.330
and if something happens,

00:00:37.630 --> 00:00:41.380
they can try to determine whether or not this is good or bad.

00:00:41.660 --> 00:00:45.100
So in other words, it's what we call discriminating judgment.

00:00:45.810 --> 00:00:47.810
You take, for example,

00:00:47.810 --> 00:00:54.140
a smoke detector as a good example of a device which is a very good alert,

00:00:54.140 --> 00:00:55.780
very important to have,

00:00:55.830 --> 00:00:59.510
but doesn't have much discernment because a smoke

00:00:59.510 --> 00:01:03.350
detector could be telling you there is a fire or it could

00:01:03.350 --> 00:01:05.450
be that there is excess humidity.

00:01:05.580 --> 00:01:09.340
We often see that smoke detectors close to a bathroom will

00:01:09.340 --> 00:01:11.660
trigger if a person has a very hot shower,

00:01:11.950 --> 00:01:16.040
or a smoke detector may just be telling us that the toast is burnt.

00:01:16.630 --> 00:01:21.830
So the problem with that type of a device is that it doesn't tell us the

00:01:21.830 --> 00:01:26.520
scope or should we say whether or not it's a serious problem.

00:01:27.000 --> 00:01:29.980
A guard can help us to make that determination.

00:01:30.110 --> 00:01:32.040
Is this something that is serious?

00:01:32.140 --> 00:01:34.840
What should be the correct response be?

00:01:36.060 --> 00:01:38.140
We also use a lot of alarms.

00:01:38.270 --> 00:01:41.920
These are very good to indicate if there is some type of a problem,

00:01:41.920 --> 00:01:45.970
an intruder for example, a door open alarm,

00:01:45.980 --> 00:01:48.050
these are all very important, as well as,

00:01:48.050 --> 00:01:48.620
of course,

00:01:48.950 --> 00:01:53.810
the basics such as fire alarms or even a duress alarm where if an

00:01:53.810 --> 00:01:57.550
employee is under some type of duress or being threatened,

00:01:57.880 --> 00:02:01.300
they can trigger alarm that would silently call,

00:02:01.300 --> 00:02:03.320
for example, security or the police.

00:02:04.820 --> 00:02:09.310
It is important that we try to control entry to our facilities.

00:02:09.320 --> 00:02:13.010
Maybe we put up bollards or things to block people

00:02:13.010 --> 00:02:17.690
from going in areas they shouldn't, driving into should we say,

00:02:17.700 --> 00:02:21.980
employee parking area, there is barriers there to prevent that.

00:02:22.890 --> 00:02:27.230
We should have a designated visitor parking area which

00:02:27.240 --> 00:02:30.160
allows us then to watch who's coming in,

00:02:30.460 --> 00:02:34.870
and of course, separate that out from the employee area.

00:02:36.010 --> 00:02:38.170
When you look at physical access controls,

00:02:38.170 --> 00:02:41.000
a person coming into the building should have a badge.

00:02:41.470 --> 00:02:47.190
That badge very often will have their picture and name on it and an expiry date,

00:02:47.190 --> 00:02:51.450
and those are important so that nobody could use somebody

00:02:51.450 --> 00:02:54.960
else's badge so that if the badge is expired,

00:02:55.170 --> 00:02:58.820
then it should trigger and not be able to be used.

00:02:59.040 --> 00:03:01.640
And a lot of the badges, of course,

00:03:01.640 --> 00:03:05.720
also work together with a smartcard so that you can use them to

00:03:05.730 --> 00:03:09.570
open up a turnstile or use it to open up a door,

00:03:09.570 --> 00:03:10.600
that sort of thing.

00:03:10.780 --> 00:03:12.930
Many people, of course,

00:03:12.930 --> 00:03:16.910
use these even on a reader on their desktop so that their

00:03:16.910 --> 00:03:19.840
badge has to be plugged into that desktop reader for them

00:03:19.840 --> 00:03:21.460
to log in to the desktop.

00:03:22.520 --> 00:03:24.590
We're all familiar with turnstiles,

00:03:24.600 --> 00:03:27.200
even if we're not familiar with the term itself,

00:03:27.210 --> 00:03:31.210
but that turnstile is that little gate that as we walk through it a

00:03:31.210 --> 00:03:37.050
couple of arms turn and we put this in front of many buildings so that

00:03:37.050 --> 00:03:43.070
when you come in the front door you tap your card on a little reader and

00:03:43.070 --> 00:03:46.610
the gate will open and let you in, for example.

00:03:47.680 --> 00:03:49.200
We also have mantraps.

00:03:49.210 --> 00:03:53.800
This is like a type of double door facility.

00:03:53.810 --> 00:03:57.600
You come in through one door, it closes behind you,

00:03:57.610 --> 00:04:01.750
you then are identified maybe using your badge reader,

00:04:01.760 --> 00:04:05.510
and the second door will open and you can continue into the building,

00:04:05.530 --> 00:04:07.990
but you're actually trapped in there until you

00:04:07.990 --> 00:04:10.180
provide the correct identification.

00:04:11.540 --> 00:04:15.610
When it comes to visitors, obviously, we want that everyone in

00:04:15.610 --> 00:04:20.269
the secure facility is wearing an ID badge that clearly

00:04:20.269 --> 00:04:22.510
displays what their access should be.

00:04:22.630 --> 00:04:25.910
Are they allowed to just wander anywhere in the building?

00:04:26.160 --> 00:04:31.010
Their ID badge should quickly indicate if they are a foreign national

00:04:31.020 --> 00:04:34.680
or if they are only allowed in one area or another.

00:04:34.980 --> 00:04:39.870
And, of course, a lot of these badges today will automatically expire.

00:04:39.880 --> 00:04:43.310
They couldn't use them again just the next day, for example.

00:04:44.040 --> 00:04:48.350
And it's important that when a person is issued a temporary badge,

00:04:48.350 --> 00:04:53.120
we have a record of who that person is, we check,

00:04:53.120 --> 00:04:53.810
for example,

00:04:53.810 --> 00:04:57.690
some type of identifier and put it into a log that a

00:04:57.690 --> 00:05:00.270
temporary badge was issued to this person.

00:05:01.030 --> 00:05:03.990
It's, just as a point,

00:05:04.000 --> 00:05:08.960
it's good for us to actually write it in a log because it

00:05:08.960 --> 00:05:10.810
could well be that if we say to a person,

00:05:10.810 --> 00:05:12.700
I'll give you a temporary badge,

00:05:12.700 --> 00:05:16.090
just please put your name in the log here and they could sign in,

00:05:16.090 --> 00:05:19.800
for example, as a cartoon character, and if nobody checks,

00:05:19.800 --> 00:05:23.770
then we actually have no record of who it was that we gave that badge to.

00:05:25.080 --> 00:05:28.160
It can well be in a number of situations that if a

00:05:28.160 --> 00:05:30.370
person is going to walk through an area,

00:05:30.380 --> 00:05:31.590
they must be escorted.

00:05:31.590 --> 00:05:35.270
There must be a person who goes with them to make sure that they do

00:05:35.270 --> 00:05:37.730
not go to some place they're not allowed to go.

00:05:39.190 --> 00:05:43.440
One of the most important physical access controls we have are cameras

00:05:43.440 --> 00:05:47.680
and cameras are essential because they allow us to one,

00:05:47.680 --> 00:05:49.670
identify the type of incident,

00:05:50.280 --> 00:05:54.320
the size or magnitude of the incident so that we can

00:05:54.320 --> 00:05:56.780
then launch the correct response.

00:05:57.230 --> 00:06:02.170
They also record so that we have a record we can go back and look at later.

00:06:02.530 --> 00:06:07.390
So a lot of value in cameras, but it comes down to again,

00:06:07.400 --> 00:06:09.670
is it a good quality image?

00:06:09.930 --> 00:06:13.870
There has been many cases with the images so poor quality,

00:06:13.870 --> 00:06:16.840
you can't even make out facial features of a person.

00:06:17.220 --> 00:06:19.400
That's something we should certainly watch for,

00:06:19.400 --> 00:06:22.590
that we have good quality equipment with good lighting.

00:06:24.560 --> 00:06:29.550
Then we store those, should we say, images for a time period.

00:06:29.560 --> 00:06:33.780
Now one of the things we should do is control who has access to the storage.

00:06:33.970 --> 00:06:37.960
We don't want a person going through it who doesn't have a need to know.

00:06:37.960 --> 00:06:40.590
There is no reason they should be looking at camera footage.

00:06:40.770 --> 00:06:45.620
We protect those stored images in case we have to do some type of incident,

00:06:46.230 --> 00:06:51.000
and we have a clear policy on how long we would retain or how

00:06:51.000 --> 00:06:53.830
long we would keep those images as well.

00:06:54.880 --> 00:06:58.670
We also should, of course, monitor large areas,

00:06:58.680 --> 00:06:59.520
and for this,

00:06:59.520 --> 00:07:02.570
we could have a number of different types of cameras that

00:07:02.570 --> 00:07:06.200
operate in different types of lighting scenarios.

00:07:07.590 --> 00:07:13.830
Maybe it's a zoom‑in camera or it's one that can pan across from side‑to‑side,

00:07:13.830 --> 00:07:15.070
tilt up and down.

00:07:15.880 --> 00:07:18.230
But the camera should be installed in a way that they

00:07:18.230 --> 00:07:19.990
work together with the lighting,

00:07:20.270 --> 00:07:25.160
not that the camera is blinded by lights then that make it

00:07:25.160 --> 00:07:27.410
so the camera can't see certain areas.

00:07:27.920 --> 00:07:32.490
The cameras should be set up so that we have full coverage of the area.

00:07:33.220 --> 00:07:36.990
Now cameras capture personal information,

00:07:36.990 --> 00:07:42.770
so it's important that we are legally compliant with any types of

00:07:42.770 --> 00:07:46.990
rules about whether or not we can have a camera and how we use it

00:07:47.190 --> 00:07:49.000
and that sort of thing as well.

00:07:51.060 --> 00:07:55.140
An important thing is we have signs, and we disclose the fact that

00:07:55.140 --> 00:07:57.760
we have a camera so these people are aware of it.

00:07:59.190 --> 00:08:02.040
There are also a number of internal threats.

00:08:02.050 --> 00:08:04.610
Someone could steal equipment,

00:08:04.840 --> 00:08:10.230
they could trip over a power cord and disconnect power to a server.

00:08:10.240 --> 00:08:12.660
You take cleaning staff, for example,

00:08:12.660 --> 00:08:17.790
one of the more famous examples of this is where every day a

00:08:17.790 --> 00:08:20.220
system went down at a company in the evening,

00:08:20.220 --> 00:08:22.910
they didn't know why and what it was that the cleaning

00:08:22.910 --> 00:08:29.090
staff came in unplugged that power bar that ran that

00:08:29.090 --> 00:08:31.820
system and plugged in their vacuum,

00:08:31.820 --> 00:08:34.840
did their cleaning and then plugged it in again at the end,

00:08:35.150 --> 00:08:37.730
and so the system would come back up,

00:08:37.740 --> 00:08:41.020
but they didn't know why it was failing every single day.

00:08:41.900 --> 00:08:43.750
The other thing, of course,

00:08:43.750 --> 00:08:46.400
is we can have a lot of interruptions because

00:08:46.400 --> 00:08:48.260
somebody is doing some construction,

00:08:48.260 --> 00:08:51.470
some work in the area, they cut network cables,

00:08:51.470 --> 00:08:55.250
they cut power, and it can disrupt operations.

00:08:55.900 --> 00:08:57.870
When it comes to damage to wiring,

00:08:57.870 --> 00:09:01.280
this is where often we use things like conduit, we'll,

00:09:01.280 --> 00:09:04.000
and if we have wire that goes in an exposed area,

00:09:04.000 --> 00:09:08.400
we'll put it into either a plastic or metal tube to

00:09:08.400 --> 00:09:10.330
try and protect it from damage.

00:09:10.630 --> 00:09:12.780
We also want to protect our equipment.

00:09:13.120 --> 00:09:18.050
Maybe we even use some type of screens on the equipment if

00:09:18.050 --> 00:09:21.230
it's a high dust area or a lot of moisture.

00:09:21.610 --> 00:09:26.510
We should use screen filters so that people can't just see what's on our screen,

00:09:26.910 --> 00:09:31.850
all good things to try and protect from improper disclosure

00:09:31.850 --> 00:09:34.510
or should we say damage to equipment.

00:09:36.070 --> 00:09:39.480
When it comes to protecting the building itself,

00:09:39.480 --> 00:09:40.480
the facilities,

00:09:41.110 --> 00:09:46.040
we have to look after our employees and customers and have emergency exits.

00:09:46.260 --> 00:09:48.020
They should never be blocked.

00:09:48.140 --> 00:09:53.540
It should always be easy for a person to see where those exits are,

00:09:53.740 --> 00:09:57.500
so with what we call egress lighting as well that will light their way

00:09:57.500 --> 00:10:04.200
even if there is a power failure to the exit and show the location of

00:10:04.200 --> 00:10:09.710
the exit and that emergency lighting should allow at least enough light

00:10:09.710 --> 00:10:13.980
that if there was a power failure, people can safely get out of the building.

00:10:15.150 --> 00:10:20.120
We use the term fail safe, and you see this in a number of buildings.

00:10:20.740 --> 00:10:24.890
We have a main entrance and people can come in and go

00:10:24.890 --> 00:10:26.350
out through that main entrance,

00:10:26.370 --> 00:10:31.420
but we also have other doors along the side of the building where there

00:10:31.420 --> 00:10:36.110
is no door handle, and those are fail safe doors.

00:10:36.310 --> 00:10:39.680
So if there's a problem, people can go out through that door,

00:10:39.730 --> 00:10:41.970
but since there is no handle on the outside,

00:10:41.970 --> 00:10:44.210
they can't come back in through that door,

00:10:44.510 --> 00:10:47.940
so it fails in a safe manner to preserve life.

00:10:49.450 --> 00:10:51.400
If I have a shared facility,

00:10:51.410 --> 00:10:54.290
there are several companies working in the same building,

00:10:55.010 --> 00:10:59.350
this is where we need to make sure we secure work areas that people

00:10:59.350 --> 00:11:02.610
from another company can't get into our work area,

00:11:03.180 --> 00:11:06.690
but we have a higher risk now of interception of traffic.

00:11:07.020 --> 00:11:08.760
If we have a wireless in there,

00:11:08.770 --> 00:11:11.970
undoubtedly our neighbors are going to be able to see that.

00:11:12.670 --> 00:11:16.610
And we quite often will have shared wiring closets.

00:11:16.840 --> 00:11:20.990
The wires that run in the building with everything from power to

00:11:20.990 --> 00:11:26.730
communications are running in the risers as we often call them and wiring

00:11:26.730 --> 00:11:31.270
closets that should be secured so people can't get in there and tap into our

00:11:31.270 --> 00:11:34.890
lines or we can say here intercept our traffic.

00:11:34.950 --> 00:11:40.020
And so the challenge with this is that obviously other

00:11:40.020 --> 00:11:41.770
people can get in there as well.

00:11:42.360 --> 00:11:47.020
We use conduit to protect our cables so people can't tap into

00:11:47.020 --> 00:11:51.540
it and certainly our equipment cabinet should be locked so

00:11:51.540 --> 00:11:53.850
that no one can get in and steal, for example,

00:11:53.850 --> 00:11:56.460
some of our, the IT equipment.

00:11:58.000 --> 00:11:59.420
The key points review.

00:11:59.430 --> 00:12:01.380
When we talk about physical security,

00:12:01.380 --> 00:12:06.440
it's more important than most IT people recognize because a physical

00:12:06.440 --> 00:12:11.200
breach can circumvent almost any technical control.