Physical security is very often seen as the “forgotten side of security” but it is actually one of the most important elements of any enterprise security strategy.
Because physical security underpins so many other parts of security, assessing its risk can be incredibly challenging.
While it may appear simple, it is anything but, and many enterprise security plans reveal some very surprising deficiencies in physical security.
Most assessments tend to take place only after a major event has happened, such as a bank robbery.
However, there are several things that any enterprise can do to test the robustness of its physical security plan, and these should be done on a regular basis, not just after an event, including the following:
- Ensuring that all security cameras and security locks are working at all times
- Ensuring that reception area staff are aware of the security procedures for visitors to the building
- Ensuring that internal doors are accessible only by passcode or swipe card; if they are not, precautions should be in place to stop people simply walking into the building and going wherever they want
- Ensuring that external areas, such as car parks, are well lit at all times
- Ensuring that all staff are aware of who should be in the building and who should not
- Ensuring that access to secured areas, such as server rooms, is given only to those who need it
- Ensuring that secure areas are constantly monitored and maintained
Before a physical security assessment takes place, the following questions should be asked and answered satisfactorily:
- Are all physical security controls documented; if so, where and who has access to them?
- Are all secure areas within the premises controlled? By whom and how?
- Are there regular reviews of access control maintenance? When and by whom?
- Are there any non-standard points of entry in secure areas?
- Are those areas monitored and are they secure?
- Do all visitors to the premises need to be supervised at all times?
- Can they gain access to areas that are secure?
- If the premises are shared with another business, what controls are in place to keep the two separate?
- If physical access is shared with another business, is this documented? If so, where?
- Are there any contracts in place with regard to the shared access?
- Has a physical penetration test ever been carried out? What were the results?
- Are all magnetic media stored in accordance with regulation and with the standards recommended by the manufacturer?
- Are there guards posted at entrances and exits? Do they carry out random checks on people coming and going, including their bags and briefcases?
- Are people allowed to bring their own computer hardware into the building without it being authorized?
- Does the building have fire extinguishers and fire detectors in place? Where are they and are they checked regularly?
- How are sensitive documents disposed of?
- How are media containing sensitive data, such as USB drives or DVDs, disposed of? This includes hard drives and any other form of storage.
- Are the server rooms and data centers under constant surveillance, and is there a system in place to allow only authorized personnel to enter them?
- Does access control for secure areas of the building prevent others from “tailgating” and gaining access without authorization?
- Are external areas, such as car parks, checked regularly, and are cars monitored for suspicious activity and/or packages?
Once these questions have been answered satisfactorily and supporting evidence has been shown, a physical security test can then be carried out, including a physical penetration test.