4

This is a question to learn more about security management and physical security.

I'm running a small serverroom in the basement at home, mainly as testbed for attacks I dont want to try on live hosts and for development. I'm more of a learning by doing person, so I want to maximise the security of my basement room and if possible certify it.

Whats already there:

  • Keypad/Security door
  • CCTV
  • Strong Firewall

Now I'd like to document this and implement some recurring checks. Where can I find some documents/helpers to read on security policies and physical security that are flexible enough to be applied to this situation?

EDIT: To clarify a bit, this is about HOW and what to document concerning the security policy. And in a second step I want my documentation to adhere to some standard, so I could possibly get someone to certify it (in theory). I know how to lock a door already ;-)

Peter Meyer
  • 181
  • 4
  • 1
    I think this is pretty sketchy.. =p – cutrightjm Mar 19 '12 at 17:01
  • possible duplicate of [How to apply IT Security knowledge to Home Security?](http://security.stackexchange.com/questions/11488/how-to-apply-it-security-knowledge-to-home-security) – Jeff Ferland Mar 19 '12 at 17:25
  • No, this is not a duplicate, as I'm more interested in the Certification and Documentation aspect and **not** the What-to-Buy aspect. – Peter Meyer Mar 19 '12 at 17:32
  • To fit this in a comment: documentation means write what you did, certification means grab an auditor and pay some money. If you want to be certified, it involves paying somebody else. There are no universally applicable physical security plans that fit a home with undefined purpose or threat. – Jeff Ferland Mar 19 '12 at 18:16
  • Im asking for Standards on how to document what I did. Possibly wide known standards for which certification via external auditors is possible. Im a novice in this regard, so I want to learn them by doing it. Didnt you understand that or was I asking a question with a too broad answer set? – Peter Meyer Mar 19 '12 at 19:49
  • 1
    @PeterMeyer As an external auditor when I visit a company and review their security, they give me a piece of paper saying what they do. It's functionally no different from notes on an index card. You tell me what you've done then I tour the facility and verify that you've done it, it makes sense, and there isn't an obvious glaring exception (like two doors to a room from the same hallway with only one locked). There is no magic, and there's no standard for documenting. Just knock out a bullet point list and maybe a map. – Jeff Ferland Mar 20 '12 at 20:32

2 Answers2

2

If it was me I would create a spreadsheet with 2 columns in it with the first one defining the piece of security Ex. •Keypad/Security door •CCTV •Strong Firewall and in the second column back up why the items listed in the first column are considered secure. For example CCTV | The CCTV system records footage locally and also sends real time alerts to X number of email addresses and one of those is on my personal smartphone so I would be notified immediately. Secondly if power was cut to the device it is powered by a battery backup device that will suport up to XX:XX of recording time on battery only power. Third the system has two different connections to the internet through two seperate networks one hardwired and the second one through a seperate 4G or Neighbors WiFi (with permission).

The possibilities are endless but when I try to sell a solution to a client it's very easy to organize a 2 column spreadsheet outlining the benefits.(Think Cause and Effect) Item A provides this solution, item B provides that benefit, etc. As for certification, I don't know where to point you to, however there is a loophole to this. Certification just means that a third party of some sort states that your configuration is what you claim it is. You could find and or create an entity that would do this and create some type of certificate to show off to your friends or clients. You may want to consider consulting with an attorney if this is the path that you want to take. If you have prepaid legal / Legal Shield you can call them for free consultation under title 1 of your benefits and they would be able to tell you the legality of the "certification" process.

Brad
  • 849
  • 4
  • 7
  • I already have the spreadsheet in the form of a document outlining the mechanism, its benefit and its current status. A friend from military informaton technology will come over and have a look at my physical security setup so maybe I can add something there too. I guess I will just ask him for their requirements. Also ISO27001 looks interesting. Are there lowcost Auditors? – Peter Meyer Mar 20 '12 at 08:53
  • Define low cost. I am not an auditor but I bill $100-250/hr onsite depending one the task(s). I know I'm not the cheapest but I'm also not the most expensive either. Also what city, state are you in? – Brad Mar 20 '12 at 17:49
  • I'm from Germany, Northrine-Westfalia to be precise. This is more about playing around, so I guess two to three hours of worktime would be something I could spare for the fun of it. – Peter Meyer Mar 21 '12 at 16:04
  • I'll send an email to someone I know in Austria, they might be of some assistance. – Brad Mar 21 '12 at 16:16
2

I think the first thing you should document, in your case, is your threat model.
That is, what threats are you defending against, what risks are you worried about, what your security profile is, etc.

Since you don't need big Corporate Documentation, this way would be a lot easier, to then document the mapping between the threats/risks, and the mitigation that you implement.
Once you're documenting the countermeasures (as mapped to the threats and risks), you should go into only the amount of relevant detail, that is the details that are important to the mitigation and level of expected security.

As @Jeff said in a comment, unless we're missing something, there really is no need to get external certification.
Just write the bad stuff, and how you're preventing that.

AviD
  • 72,708
  • 22
  • 137
  • 218
  • I'll first try to get ahold of military it security standard 54/100 and then try to work my way down the list. Without external auditors besides my itsec friend from the "navy". Thank you, all :) – Peter Meyer Mar 21 '12 at 16:06
  • @PeterMeyer as I said, unless you're practicing pointless corporate overdocumentation, I think it is pointless to aimlessly wander down a checklist that was designed for a *very* different risk environment from your home. Take into account, that milstandard was most probably the end result of the risk analysis I suggested - you're only seeing the output, and not the process. Thus the standard is based on a risk analysis that does not apply to you, and therefore neither does the standard. Unless, of course, you're looking for the overkill, just for kicks and giggles... – AviD Mar 21 '12 at 16:27