Good security goes beyond your staff and servers: protecting your physical environment is vital. This is most easily visualized as a high-tech data center with guards, walls, mantraps, CCTV and a plethora of other controls to monitor and limit access, but taking steps is important even for small offices, from locking your doors to siting your office in a low-crime area.
Security category – 11.1. Physical and environmental security
11.1.1. Physical security perimeter.
Security concerns the physical domain as well as the digital. Data, whether it is stored in paper or electronic form, needs to be protected, and the physical security of your organization should be a factor in your security planning. This can be looked at on various levels: avoiding high-risk locations such as a high-crime area or a hurricane-prone region, down to more grounded concerns such as not placing your datacentre or server room on the ground floor just off reception. Security guards, badges, door locks, filing cabinets and more all come into play in a good, multi-layered physical security environment, and an assessment of how secure your physical perimeter is always makes a good starting point.
11.1.2. Physical entry controls.
Having access controls within your office environment to prevent unauthorized persons from entering is very important. Nobody should be able to walk in off the street and straight into your server room. Visitor sign-in should be required for anyone visiting. Providing your staff with physical ID badges and requiring them to keep the badges visible while in the office allows unauthorized persons to be identified more quickly. More advanced physical controls include multi-factor door locks restricted to specific individuals, who are identified by biometrics together with their RFID ID card, or even turnstiles and mantraps to better control the flow of people through key areas.
11.1.3. Securing offices, rooms and facilities.
By matching the controls on a room to what it holds, we can better protect our valuable data: not labelling individual rooms with signs that advertise their purpose (such as "printing room"), ensuring the more important data-processing rooms in our organization sit behind several layers of physical security controls such as locked doors and ID checks, and keeping less important processing rooms closer to public areas. A further concern for rooms is the walls themselves: they should run from the true floor to the true ceiling, so that raised-floor and ceiling crawl spaces cannot be used to bypass a locked door.
11.1.4. Protecting against external and environmental threats.
As discussed, part of good physical security practice flows into deciding where to place your office: avoiding areas that suffer from natural disasters is a good way to avoid risks that could cost your company disruptions in availability and resources should a disaster occur. It is also important to ensure there are adequate CCTV, motion detectors, smoke/flame/heat detectors and other controls in place. While these and other technologies are a great help, one often overlooked requirement that can prove vital during a physical incident is ensuring staff know what to do in an emergency.
11.1.5. Working in secure areas.
Areas of your building where sensitive data is stored should have additional requirements and procedures for access. Such areas should be locked when not in use and monitored periodically. Secure areas should be treated in a similar way to data classification, with access to, and even knowledge of, the areas restricted on a security-clearance and need-to-know basis. Having people work in teams and banning the use of personal photo and video recording devices both act to prevent misuse of the access granted to staff.
11.1.6. Delivery and loading areas.
Many of the ways to implement this control have already been discussed: mantraps, turnstiles, CCTV, guards, visitor sign-in and doors requiring authentication to open all protect areas where outside persons, such as delivery drivers, are traditionally present. Implementing these and similar controls limits the risk of intruders gaining greater access to your premises than they require. Controls more specific to loading areas include checking incoming packages for unlawful or dangerous material, keeping records of what is brought in and shipped out, and segmenting the delivery area into inbound and outbound shipping.