Mon Nov 24 05:38:54 PST 2014

Zones: Physical separation: How are zones and subzones physically separated and controlled?


Options:

Basis:
Option A: The design basis threat.
Option B: The operating environment.
Option C: Duties to protect.
Option D: Revisit design basis threat as it changes over time.
Option E: Follow applicable elements of applicable standards and requirements.
Option F: Due diligence requirements.

Deter:
Option Q: Use proper signage to warn against inappropriate actions.
Option R: Provide periodic (at rate) training and suitable education relating to physical security requirements.
Option S: Provide obvious presence of (or don't seek to conceal) some security measures and response forces.

Prevent:
Option 1: Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}.
Option 2: Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}.
Option 3: {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Option 4: Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
Option 5: Limit interfaces so that none are unused.
Option 6: Physically secure, label, and seal each connection.
Option 7: Use only point-to-point (dedicated end-to-end) connections.
Option 8: Use active countermeasures against identified weaknesses.

Detect, react, and adapt:
Option V: Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}.
Option W: Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}.
Option X: Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat.
Option Y: Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
Option Z: Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.


Decision:

Typical controls for different risk levels are identified here:

For high consequence situations:

Basis:
    Base all specifics on the design basis threat, duties to protect, and the environment.
    Revisit design basis threat as it changes over time.
    Follow applicable elements of applicable standards and requirements.
Deter:
    Use proper signage to warn against inappropriate actions.
    Provide periodic (4 times per year) training and suitable education relating to physical security requirements.
    Provide obvious presence of some security measures and response forces.
Prevent:
    Physically separate {zones / subzones / components} by adequate {distance / shielding / insulation / isolation}.
    Use different {colors / markings / connector types / media types / cable runs / wire closets / physical spaces / frequency ranges / signaling methods / routing and switching hardware} for different {zones / subzones}.
    {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
    Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
    Limit interfaces so that none are unused.
    Physically secure, label, and seal each connection.
    Use only point-to-point (dedicated end-to-end) connections.
    Use active countermeasures against identified weaknesses.
Detect, react, and adapt:
    Place physical {tamper / access / presence} {alarms / detectors} on {devices / connections / cables / spaces / entries and exits}.
    Surveil physical {access / presence / emanations} to/from {devices / connections / cables / spaces / entries and exits}.
    Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on the design basis threat.
    Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
    Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
Physical separation requirements for high consequence zone and subzones

For medium consequence situations:

Basis:
    Base all specifics on applicable standards and defined duties to protect.
Deter:
    Use proper signage to warn against inappropriate actions.
    Provide periodic (at least annual) training and suitable education relating to physical security requirements.
    Don't conceal presence of some security measures and response forces.
Prevent:
    Use different {colors / markings} for different {zones / subzones}.
    Map each connector to a specific receptacle and number and label them as a readily apparent matched set.
    {Associate / label / mark} unique {serial numbers and/or device codes} to each physical item and map them to their respective {zone / subzone / location / connection point}.
Detect, react, and adapt:
    Place physical {tamper / access / presence} {alarms / detectors} on high-valued {devices / spaces / entries and exits}.
    Surveil physical {access / presence} to {spaces / entries and exits}.
    Perform regular physical inspections for detection and verification of implementation of protective measures with frequency based on health and safety and property protection needs.
    Implement response regimens and actions to event sequences.
    Follow incidents up with investigative and adaptation processes to improve performance.
Physical separation requirements for medium consequence zone and subzones

For low consequence situations:

Basis:
    Base all specifics on due diligence requirements.
Deter:
    Use proper signage to warn against inappropriate actions.
    Provide periodic (annual) training and suitable education relating to physical security requirements.
Prevent:
    Use different {colors / markings} for different {zones}.
Detect, react, and adapt:
    Perform regular physical inspections with frequency based on health and safety needs.
    Follow incidents up with adaptation to reduce costs of future incidents.
Physical separation requirements for low consequence zone and subzones

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved