PHYSICAL SECURITY OF REMOTE TERMINALS

Approved For Release X004/03/25: CIA-RDP79M00096 1 Approved For Release 2004/03125 : CIA-RDP79M00096AO00100020011-2 '  Approved, For Release 2004/03/25 CIA-RDP79M00096AU001000200112'; BACKGROUND: Physical security, , i s .certainly not :a term that i s new. to any of us'.'-... in.government., It has, however, with the integration of,-the computer. into our informatioh systems .taken on a, more. complicated and less clearly definable meaning. In fact, 'only in the last few years have commercial. users and industry, with:,a few exceptions, begun to give physical security any' real attention as' they, begin to move away from; displaying' their computer, systems as "showplaces." .Physical security can no longer be merely construed. in terms of putting an approved lock on a'door and ensuring that the walls run slab to slab. :,.Sound physical control features'or structures must be augmented. with new and more practi- cal.innovations G1 ass, walls or partitions may not, afford the protection .of a ' concrete` wall, but. such a concrete wall prohibits visibility of the area from the outside and makes it , possible: for' an intruder to do ;able damage before being detected The luxury fortresses is not available since cost'-I~aCJ"Cors consider of building impenetrable of the new systems:_ orce us o ensure that each organization utilizes'the full potential'of the system. Because of the new considerations allowing for unvarying humidity ranges and immediate response inthe.event of fire, physical security, cannot just protect : the installation, it also'mustnow participate in maintaining the system. It is difficult to make's olund 'determinations. of, the 'need, for. 'security' measures or to .justify not applying them unless',there isa quantitative assessment of: the value of,the data being protected.' Approved For Release 2004/03/25 CIA-RDP79M00096A000100020011-2  Physical ;A,p,pr4ved..F-or.Release 2004/03/25 CIA-RDP79M00096A00010d0.10011~? :1 1 security plays. an integral.part .in protecting the classified, compartmented or otherwise privileged data in an information system against'access?by persons not cleared for and/or not.authorized access to that,data. No information system can beabsolutely'secure, however, every reasonable effort must be taken to ensure that the probability of compromise is severely minimized .',,'Consequently, the'phys,1cal security standards 'appl i ed, to every "l i nk" or access point to the `system itself must be commensurate with the highest level of the information in the system. With the "expansion"'of the computer center to remote'terminals, we have, i!n factsignificantly. increased . the potential threat to subvert the system. The remote terminal cannot be allowed to become the "weak link" in the security -chain' '.Such immediate factors as emanations, intrusion, and physical access control measures must be considered in the overall planning of the physical protection of. each remote terminal While at the same, time,` conscious of electronic'eavesdroppi,ng and that, by observing the terminal:.,i,n operation or by collecting the discarded printouts or ' printing' ribbons, a person could possibly gain the necessary passwords , to' allow hm unauthorized access to the files and programs of all or part of the information system:, lJith out applying the same stringent,physical 'standard's at each terminal 'the relatively elaborate measures taken to protect the entire informat1on sys tem itself becomes sharply , devalued.'! Incidental to these purposes is the need to prevent.damage ~o faculties and equipment at the terminal due to 'accidents ',"disasters , or acts of, sabotage., Approved For Release 2004/03/25 : CIA-RDP79M00096AO00100020011-2  Approved For Release 2004/03/25: CIA-RDP79M00096A00010O620019'-2 PROBLEMS: In the foregoing section this paper, alluded to a number of problems.,'. concerning remote terminals, Some of the more significant areas of concern facing an organization about to implement such ..a system are >The:,actual.'physical location of'the building; that is to sa is the location in:an isolated area, public area? The peripheral security measures that encompass this building; such as fences, hedges,. etc Included in this section. are exterior guard patrol Access control measures implemented in an agency. or building; have a clearly defined this includes internal guards, who must role and ,instructions i n the event) of unauthorized entry or di s rup- . tions Specific location of the remote terminal area, included i n thi his category are again access controls, since this type of area will be. .des,igned a secure; or restricted area because of the direct. link into the computer center (data base). Locking devices ultrasonic, alarms, which type'and.model should be installed and where Disaster control procedures in"cluding,fire,"water; and riot contro Approved For Release 2004/03/25 : CIA-RDP79M00096AO00100020011-2  Approved For Release 2004/03/25.:. CIA-RDP79M00096A00010002001,1-2 .ANSWERS: In this concept of. remote terminals physical; security measures are the initial barrier for the protection of such'devices,.,These?measures are interwoven into ,the overall hardware and software security procedures The following are suggested applications which are generally accepted throughout the intelligence/security. community: Adequate guard force with a concise pass system for employees icentification and the installation itself must 'afford a sig nificant deterrent to the entry of unauthorized persons IDefi.ne security or restricted area, conduct liaison and coor dination.with involved offices to arrive'.at.an approved plan Separate identification for.users.of the remote terminal and strict enforcement of the.,. need to know" doctrine Eliminate all unnecessary traffic throughout remote terminal, area and prominent signs that. identify the' location of.the ' terminal. inviting unnecessary attention Restrict access to the remote terminal to authorized operating personnel and supervisory personnel.. This number should be kept'.' to an absolute minimum and their duties and responsibilities mus be clearly defined. 'Implement remote terminal?access'logs'with employees, including .requirement that they log in. and out. 'Visitors should be given appropriate identification'badges and escort.. Approved For Release 2004/03/25 : CIA-RDP79M00096A00010002001.1-2  Approved For Release.2004/03/25:; CIA-RDP79M0.009.6A0001O002001:1' 2 failure to test security measures can. easily result in a reliance on a While the foregoing may be. the panacea ; for. physical security problems, CONCLUSION: number of things which are ineffective. Reasonably frequent tests of improve the sensitivity of, employees toward security as a continuing pro security measures indicate a continui,ng awareness. and concern, for security and for that reason, are in themselves a security measure in. that they Clearly conceived and normally effective security measures become quite ineffective when people find they can circumvent them without incurring Approved 'For Release 2004/03/25 : CIA-RDP79M00096A000100020011-2