"A risk assessment of the Piql Services" by FFI

to be tested. If its functionality is proven, however, the Piql partner can, as we say, kill two birds with one stone.

We now move on to recommendations to alleviate the effects of radiation, both nuclear and electromagnetic, as well as ultraviolet. The effects of nuclear radiation on the piqlBox and piqlFilm were, as we saw in chapter 9, not very severe. Additionally, the likelihood of this issue becoming a reality for the Piql Preservation Services, both as a consequence of an accident at a nuclear plant or a nuclear detonation, is too low to make radical changes to the safety and security measures surrounding the Piql Preservation Services. Hence, we make no specific recommendations on the subject. The same applies to the issue of electromagnetic radiation. If weaponised and directed specifically at the Piql Preservation Services, the electronics in the system will be negatively affected for a time. However, we have seen that the piqlBox and -Film are not affected, i.e. no harm is done to the confidentiality or integrity of the information stored, just possibly its integrity. No specific recommendations are therefore made, except to advise the Piql partners to prepare for the possibility of failing electronics, as we are sure is done regardless of the risk of electromagnetic pulses. The dangers of ultraviolet radiation, on the other hand, are something that must be taken into account. This can affect the integrity of the information on the piqlFilm quite severely, and our recommendation is therefore never to leave the piqlFilm exposed to sunlight and to use appropriate lighting inside, as specified by Piql AS. When it comes to physical theft and physical sabotage, the best ways to mitigate these threats is to ensure a sophisticated security regime is in place in and around the piqlVault and the production site. As both types of risk presuppose the physical presence of a threat actor, the best mitigation is to make sure they are unable to enter the facilities, and if they do, put enough obstacles in their way to thwart their mission that way. The security regime as stipulated by Piql AS and a strategy for its implementation by FFI is described in section 5.5.2 of this report. Apart from following our recommendations with regards to mitigate the risk of the insider – in this case an insider either performing the acts of sabotage or theft themselves, or enabling others to do so – we advise the Piql partners to consider the following reinforcements of the security regime as well. To start with, it is possible to implement better perimeter control than what is stipulated by Piql AS, in the form of fences or walls around the facility, gate monitored by security personnel for admittance and turnstiles or other forms of sluices which are controlled through ID verification solutions and camera surveillance. Besides this addition, the camera surveillance scheme proposed by Piql AS is sound, as is that addressing alarm systems. With regards to security personnel FFI would add a recommendation of employing a guard during office hours as well, and adding an additional guard outside of office hours as well, both for enhanced protection but also to mitigate against the inside threat.

11.3 Recommendations for Computer Security

The recommendations we make with regards to computer security is to mitigate the threat of both logical theft and sabotage, as well as logical espionage.

94

FFI-RAPPORT 16/00707