Physical Security Policies and Standards
Security policies are vital to providing a defined structure for control. Simple and repeatable, they recur in nearly every aspect of security, and with good reason: they set down established best practice specific to our organisation. For physical security, staff need clearly defined boundaries and rules on who can go where, when, to do what, and why and how it is restricted. Documenting this clearly in a policy lets staff see our controls, understand them and, most importantly, buy in to their criticality.
Any good security policy should, at a high level, cover facility design, location, access control, and any industry- and region-specific issues such as regulations or export control.
Export Control
Security architects, policy makers, third-party managers and other professionals need to work with national, regional, and international laws and requirements when it comes to transferring technology, or information, to other countries around the world. Some of the very same laws that cover nuclear arms imports also cover assets we may be transporting day to day, from encryption tools to software designs, so we need to understand the limits of what we can and cannot distribute. Security policies can help document these restrictions, as each organisation will have different needs, and the policies, guidelines or other documentation should make sure that these restrictions are clearly described, understandable and accessible for relevant staff, and that there is a point of contact for clarifications. While the export policy will deal with transfers, it will have important links to other security requirements: for example, if we allow anybody to come into our offices and look at our information without restriction, we could be conducting a deemed information export to people who may be sanctioned. Having a sign-in sheet for visitors, ID badges, escorting, pre-employment screening and more can all protect us from breaching these restrictions. But what are these controls? Let’s go through the USA, some international bodies, and Japan.
United States of America
Export control especially can be a key issue we need to either understand ourselves or have access to the expertise that does. Why are export controls important and what do they entail? This depends on the region of the world you are in, with the USA having strict and defined standards that, in part, are leftovers from the Cold War. The USA prohibits the unlicensed export of commodities or information for various reasons, such as:
- The exported item has potential military applications, such as with cryptography.
- The exported item is covered under protectionist economic policies.
- Governmental controls around the destination such as sanctions on the destination country, organisation, or individuals.
- Concerns around the declared or suspected use of the export. This can be seen where an item being exported has both civilian and military uses.
That can cover many things in security, especially when we consider the use of standard IT and security tools by Advanced Persistent Threats and in cyber-espionage; many things can be considered an “export”, but the reasoning behind them being controlled is very reasonable and includes the prevention of terrorism and cyber-crime, the promotion of national security, sanctions, regional stability, and restrictions on the export of high-performance computers. How exports can take place can vary as well: you can “export” information by disclosing it to a foreign national, including by physical access and distribution.
The criteria for what is controlled, what is not, and what requires a government-issued licence within the USA are quite detailed and are covered on the EAR website. Categories 4 and 5 are the ones we should be most concerned about. They are quite detailed in their contents, and while it is not required to rote learn them for the exam, you should be aware at a high level of what you can and cannot export from the US and other jurisdictions.
Where you are looking to get a licence for dual-use/commercial technologies there are three categories of countries considered:
- State sponsors of terrorism.
- Countries of concern, such as China and the former USSR.
- Friendly countries such as the EU member states.
In addition to the EAR’s restrictions the Department of State’s International Traffic in Arms Regulations has its own list to cover military items and services which can be reviewed here. Besides the expected guns and ammo, the list restricts plans, diagrams, photos, and other documentation that can be used to build military gear. Access to physical materials or technical data related to defence and military technologies is restricted to US citizens only.
Who falls under ITAR?
- Wholesalers
- Distributors
- Computer Software/ Hardware vendors
- Third-party suppliers
- Contractors
The way ITAR licensing works is that you are denied if you are from a state sponsor of terrorism, a nation under arms embargo, or another specifically barred nation. Where a denial is based on the item being exported or the end user, this list extends to Afghanistan, the Congo, Iraq, and Rwanda.
Tired yet? There is more! The US Treasury Department’s Office of Foreign Assets Control enforces economic and trade sanctions against specific countries and covers:
- Regulating the transfer of items/services of value to embargoed nations.
- Imposing trade sanctions and trade embargoes to control terrorism, drug trafficking and other illegal activities.
- Preventing payments to nationals of sanctioned countries.
- Prohibiting travel to embargoed countries, even when EAR/ITAR exclusions apply.
Outside of exclusions, export licences are needed for exporting controlled items, and acquiring a licence can take several months, assuming it is granted. Even when approved, these licences can carry restrictions. The exclusions that are available allow us to avoid the process of acquiring an export licence, and exclusions are generally in place for all dual-use (or commercial) items. Export licences tend to be required for dual-use items where certain conditions are met, which are set out in lists published under the EAR or ITAR:
- Denied Persons List – contains a list of US persons who have been denied export privileges.
- Unverified List – contains parties where the Bureau of Industry and Security has not been able to identify the end user in prior transactions, which can indicate sanction circumvention.
- Entity List – contains parties where their involvement in a deal could require a license under the EAR as they represent a risk of using dual-use technologies for Weapons of Mass Destruction or missiles, or they engaged in sanctioned activities before.
- Specially Designated Nationals List – A list of prohibited parties maintained by the USA Treasury Department OFAC.
- Debarred List – Contains people barred by the ITAR and maintained by the USA State Department.
International groups
After all that, the USA’s national restrictions should be covered, but there are also international controls on the export of dual-use technologies, many of which the USA is a member of, including the below:
Nuclear Suppliers Group – Which implements guidelines to control nuclear and nuclear related exports.
Zangger Committee – Harmonises the implementation of the Nuclear Non-Proliferation Treaty for safeguarding nuclear exports.
Missile Technology Control Regime (MTCR) – Applies a common export policy for controlled equipment used in missile development, production, and operation.
Australia Group – Aims to prevent Chemical or Bioweapons from getting into the hands of states or terror groups by maintaining an AG Control List of items that could allow the acquisition of these weapons.
Wassenaar Arrangement – specifically targets arms accumulation and certain dual-use technology that could contribute to military capabilities, and allows for cross-border information sharing between the adherents.
Japan
Now that we have covered the US and some international groups, we will look at how Japan controls exports.
Japan has its own set of controls over sensitive goods and technologies that, like the US controls, cover both military and dual-use technologies. Exports in Japan are controlled by the Foreign Exchange and Foreign Trade Act (1949) (amended 1998), with the following important sections:
- Article 48-(1) of the Act stipulates that any person intending to export specific goods must obtain permission from the Ministry of Economy, Trade, and Industry (METI)
- Article 25-1-(1) says that those intending to transfer specific technology to a foreign person or to a foreign country must obtain permission from the ministry.
METI administers export controls through its Trade Control Department, which covers security export controls using the following divisions:
- The Security Export Control Policy Division.
  - Responsible for setting, legislating, and administering the export control policy and working with all the previously mentioned international export control regimes.
- The Security Export Licensing Division.
  - Reviews and approves licence applications.
- The Security Export Inspection Office.
  - Enforcement activities.
  - Awareness and promotion to prevent illegal exports.
Physical Security Risks
A lot of the time when we think of all the requirements in information security and cybersecurity in general, we think of firewalls, hardened systems, malware and pentesting, but while those are important, all those controls are useless if we leave our windows open and doors unlocked. A solid security programme should be well rounded and consider any physical security risks to the business’s premises. These can range from having Business Continuity Management in place to reduce the impact of global pandemics, or just localised flooding, to having employees aware of basic good practice to prevent tailgating. While we spoke about physical security briefly in our ISO 27001 blog, we are going to dive into the details in this section.
Unauthorized Access
An organisation can spend millions of euros on best-in-class technical controls, from Tripwire to CyberArk, Digital Guardian to Qualys, and have full teams of experts manning their SOC and maintaining those controls, but if we don’t secure the buildings that house our hardware and software our investment is useless. Without guards, physical access control systems, manned receptions, CCTV and other physical controls an adversary can just walk in and compromise our information.
Security guards
Humans are essential components of our security programme and, especially with surveillance devices like CCTV, we need people to monitor and respond as necessary. Acting as a deterrent to dissuade ne’er-do-wells from attempting to enter, guards can aid legitimate employees, carry out patrols, escort visitors and enforce other controls, such as preventing employees from holding the door open for friends and co-workers. Key responsibilities can include:
- Guarding and patrolling areas.
- Preventing contraband from being brought into restricted areas.
- Controlling access through checking employee badges or signing in visitors.
- Responding to fire, security, or medical emergencies.
- Drafting reports on any incidents.
- Observing for maintenance issues such as lighting, toilet issues, or trip hazards.
Access Control System
Physical access control systems are seen as standard in most companies to make sure only employees and authorised persons can enter the premises. Advanced access control can cover more than just people too, as in airports where there are security screenings of bags to detect contraband. The type of access control used in each location should be tailored to the specific risks identified for that location, or to the value of the assets stored within it. The types of controls can include:
- Fences/walls/Barriers
- Manned receptions
- Separated and secured loading bays
- Card-controlled doors and elevators
- Multi-factor card controls
- Mantraps
- Turnstiles
- Alarms
- Monitoring systems (CCTV etc)
There are other controls, but the goal is to limit the chance of a risk being realised by reducing threats’ physical access to the premises. By preventing this we keep our paper documents safe and our physical equipment secure, and reduce the risk from clear desk and clear screen policies not being followed. The Evil Cleaner attack is renowned because once a threat has physical access, all logical controls can be bypassed.
Access Cards
To facilitate access control systems, employees are provided with cards or badges as part of employee onboarding (and they are recovered at offboarding) so they can be easily identified by other employees and by the system. The types of cards are listed below; they allow finer control of employee movements. The access control system reads the data from the card and looks it up in its database. If an entry is found the system returns an allow and logs the event.
Cards are not perfect: they can be lost, stolen, or lent to unauthorised people. While guards and more comprehensive employee badges can help reduce this risk, there are times where physical guards are not practical. When this is the case, multi-factor authentication at access points can come to our rescue. This is where the card itself is useless without a second factor being known or used, such as a fingerprint read or a PIN code. This is the same principle as chip-and-PIN bank cards.
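The lookup-and-log decision described above, with the second factor added for doors that need it, is small enough to model directly. The Python below is an added example written for this post (it is not the code of any access control product or of the original author): a reader presents a card identifier, the head end looks it up, checks the card's status and zone grants, demands a PIN on doors configured for one, and records every decision so that denied attempts are visible later as well as allowed ones. Card numbers, holders, door names and the PIN are constructed sample values, and the `CARDS`, `DOORS`, `PIN_HASHES` and `request_access` names are this example's own.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample card database (hypothetical identifiers, not from any real system).
CARDS = {
    "CARD-1001": {"holder": "A. Example", "status": "active", "zones": {"lobby", "office"}},
    "CARD-1002": {"holder": "B. Example", "status": "active", "zones": {"lobby", "office", "comms-room"}},
    "CARD-1003": {"holder": "C. Example", "status": "lost",   "zones": {"lobby", "office"}},
}


# Second-factor PINs are never stored in clear: keep a per-card salt and a hash of salt+PIN.
def _pin_hash(salt: str, pin: str) -> str:
    return hashlib.sha256((salt + pin).encode()).hexdigest()


PIN_HASHES = {"CARD-1002": ("salt-b", _pin_hash("salt-b", "4821"))}  # constructed sample PIN

# Door configuration: the zone a door opens and whether a second factor is required there.
DOORS = {
    "front-door":      {"zone": "lobby",      "pin_required": False},
    "comms-room-door": {"zone": "comms-room", "pin_required": True},
}

EVENT_LOG = []  # every decision, allow or deny, is recorded for later review


def _pin_ok(card_id: str, pin) -> bool:
    entry = PIN_HASHES.get(card_id)
    if entry is None or pin is None:
        return False
    salt, expected = entry
    # constant-time comparison so response timing does not leak how much of the PIN matched
    return hmac.compare_digest(_pin_hash(salt, pin), expected)


def request_access(door_id: str, card_id: str, pin=None, now=None) -> str:
    """Decide 'allow' or 'deny' for a card presented at a door and log the event."""
    now = now or datetime.now()
    door = DOORS[door_id]
    card = CARDS.get(card_id)
    if card is None:
        decision, reason = "deny", "unknown card"
    elif card["status"] != "active":
        decision, reason = "deny", "card " + card["status"]
    elif door["zone"] not in card["zones"]:
        decision, reason = "deny", "zone not granted"
    elif door["pin_required"] and not _pin_ok(card_id, pin):
        decision, reason = "deny", "second factor failed"
    else:
        decision, reason = "allow", "ok"
    EVENT_LOG.append({
        "time": now.isoformat(timespec="seconds"),
        "door": door_id,
        "card": card_id,
        "holder": card["holder"] if card else None,
        "decision": decision,
        "reason": reason,
    })
    return decision


if __name__ == "__main__":
    for door, card, pin in [("front-door", "CARD-1001", None),
                            ("comms-room-door", "CARD-1002", None),
                            ("comms-room-door", "CARD-1002", "4821"),
                            ("front-door", "CARD-1003", None)]:
        print(door, card, request_access(door, card, pin), EVENT_LOG[-1]["reason"])
```

The order of the checks matters: a lost or stolen card is refused before its zone grants or PIN are even considered, so marking a card lost in the database is enough to neutralise it everywhere, and the PIN is only consulted on doors that require one, which is what makes a plain card useless at the comms room door on its own.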
Magnetic stripe cards use a magnetic stripe on a plastic card, like a credit card, that is read when it is swiped through a reader. It is an older technology that can be easily damaged by strong magnets and can be duplicated easily.
Proximity cards use an antenna wire that connects to a chip, which can be seen if you split the card in half. The chip holds the identification number for the card and the antenna allows it to be read by a reader. These are more difficult than magnetic stripe cards to duplicate.

Smart cards are credentialed cards. They have microchips but, unlike proximity cards, which only store a card identification number, smart cards can store substantially more information, including the individual’s user access rights in detail, qualifications, confidentiality level, biometric information and usage statistics. This wealth of information allows the card to be used not only at a door but also at a computer for authentication. Obviously, this is the most difficult type to clone.
Badge Equipment
As discussed, access cards are useful, but they are not safe from exploitation, with employees losing them, having them stolen and lending them to others. Employee badges allow us to reduce this risk by being useful not just for access control but also for identification. These badges still need to be accounted for, but they allow security personnel to encode identification information into them. They can be magnetic, proximity or smart cards with attributes encoded and possibly a photograph printed on the card. While more useful than plain access cards, they do require additional equipment to implement and maintain:
- Cameras for capturing photographs
- Special Badge software
- Badge printer for printing the relevant information on the card, and for encoding the card with the relevant information.
- Server for retention and maintaining the badge credential database which connects to the Access Control Systems.
While badges are standard there are alternatives; for example, the United States government has begun using a central provisioning model for all its various agencies as part of the USAccess programme ( https://www.fedidcard.gov ). This programme, established by the HSPD-12 Managed Service Office, requires all employees and contractors to have a common, interoperable PIV credential. It ensures credential production, issuance, activation and management are handled to high standards, ensuring uniformity and security by:
- Centralising where access requests are processed and cards produced into a central, secured facility.
- Ensuring that verification is carried out with the employee once they receive their badge. This is done first by verifying the employee through biometrics, followed by encoding the credential with additional biometric information, fingerprint templates, a pin and loading relevant digital certificates.
- Suspension, reprint, and revocation of the credentials may be carried out by authorised role holders at an operational level.
- Some Agencies can use light activation stations on-site for employees to activate their badges or carry out maintenance activities (updates, or amendments) on the badges.
Of course, badges can be a risk if lost, or misused and as such anytime they are in use we must ensure staff receive appropriate awareness training to ensure they are handled responsibly.
Access Control Head End
The application software housed in the CPU is the physical intelligent controller where all access control systems are actively monitored, recorded into history, commanded, and controlled by the operator. Current access systems allow each local security panel to hold the system logic for its associated devices. The CPU retains the system-specific programming to allow entry (access) for authorised personnel and deny access to unauthorised personnel.
Communications failure between the CPU and the local access control panel could result in new users not being permitted entry; however, the system is set so that the panel will recognize personnel already installed and will grant access to an authorized badge holder.
These systems can integrate with CCTV and provide instant visual recognition along with visual alarm activation to provide the security console operator visual information before dispatching a security response team.
Another feature of an access control system is it can provide event tracking/event logs, which are lists or logs of security events recorded by the access control system that indicate the actions performed by employees as they enter or attempt to enter a controlled area. Each event log entry contains the time, date, and any other information specific to the event. This is useful when identifying who has access to a specific area and verifying with management if that employee still needs access.
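The event log is only useful for the access review described above if somebody actually joins it to the list of who has been granted what. The Python below is an added example (not the original page's code, and not a product's export format): it parses a constructed log export of the form `date time,area,card,result`, works out for one controlled area who holds an entitlement, when they last used it and how often they were refused, and flags entitlements that have gone unused for more than a configurable number of days so the holder's manager can confirm the access is still needed. The `ENTITLEMENTS` table, the log lines, the names and the 90-day dormancy threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed entitlement table: which card (and holder) has been granted which area,
# and which manager must confirm the access is still needed. Hypothetical names.
ENTITLEMENTS = [
    {"holder": "A. Example", "card": "CARD-1001", "area": "comms-room", "manager": "M. One"},
    {"holder": "B. Example", "card": "CARD-1002", "area": "comms-room", "manager": "M. One"},
    {"holder": "C. Example", "card": "CARD-1003", "area": "comms-room", "manager": "M. Two"},
    {"holder": "A. Example", "card": "CARD-1001", "area": "lab",        "manager": "M. Two"},
]

# Constructed event log export in the shape "date time,area,card,result".
LOG_LINES = """\
2024-03-01 08:02:11,comms-room,CARD-1001,allow
2024-02-20 17:45:03,comms-room,CARD-1002,allow
2024-05-28 09:10:00,comms-room,CARD-1001,allow
2024-05-30 22:15:41,comms-room,CARD-1003,deny
2024-05-31 07:59:02,lab,CARD-1001,allow
"""


def parse_events(text):
    """Turn the exported lines into dicts with a real datetime, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, area, card, result = line.strip().split(",")
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "area": area, "card": card, "result": result})
    return events


def access_review(area, entitlements, events, as_of, dormant_days=90):
    """One row per entitlement to `area`: last successful use, denied attempts, and
    whether the entitlement is dormant (never used, or unused for over `dormant_days`)
    and therefore needs recertification. `as_of` is an ISO date string."""
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    last_used, denied = {}, {}
    for e in events:
        if e["area"] != area:
            continue
        if e["result"] == "allow":
            if e["card"] not in last_used or e["time"] > last_used[e["card"]]:
                last_used[e["card"]] = e["time"]
        else:
            denied[e["card"]] = denied.get(e["card"], 0) + 1
    rows = []
    for ent in entitlements:
        if ent["area"] != area:
            continue
        used = last_used.get(ent["card"])
        dormant = used is None or (review_date - used) > timedelta(days=dormant_days)
        rows.append({"holder": ent["holder"], "card": ent["card"], "manager": ent["manager"],
                     "last_used": used, "denied_attempts": denied.get(ent["card"], 0),
                     "recertify": dormant})
    return rows


def recertification_requests(rows):
    """Group the flagged entitlements by the manager who must confirm or revoke them."""
    by_manager = {}
    for row in rows:
        if row["recertify"]:
            by_manager.setdefault(row["manager"], []).append(row["holder"])
    return by_manager


if __name__ == "__main__":
    rows = access_review("comms-room", ENTITLEMENTS, parse_events(LOG_LINES), "2024-06-01")
    for row in rows:
        print(row["holder"], row["last_used"], "recertify" if row["recertify"] else "ok")
    print(recertification_requests(rows))
```

Two things the review surfaces that the raw log does not: an entitlement whose only events are denials (the card holder has never successfully entered, so the grant may be wrong or the card compromised), and a grant that was used once months ago and never since, which is the usual leftover from a role change that nobody thought to revoke.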
Physical Security Needs and Organization Drivers
Taking a risk-focused approach to planning our physical security includes looking at the organisation’s goals and drivers. While some drivers might be specific to an organisation, many are common among all organisations and allow us to identify and prioritise the security structure. Some of these common drivers include:
- Governance and compliance with regulatory requirements.
- Asset Protection.
- Protection of Personnel.
- Cost Control.
- Productivity.
- Business growth.
While more niche and organisation-specific drivers may impact our programme, such as if the site is a military base or a specific certification or audit standard is targeted, we need to meet the security needs of the business without hindering business processes. This allows a flexible approach that can keep up with and adapt to the business as it evolves.
Facility Risk
Facility risks are the physical risks to the facility building itself. When trying to identify these risks we do a vulnerability assessment and look at the layout of the building, where key assets are located, where information is stored and used, and where our controls are. We look at how our physical controls are layered and try to identify gaps in our defence-in-depth strategy. If carried out correctly these assessments can help us identify and eliminate risks, including future potential risks that may emerge. Types of threats we might look at will be flooding of data centres, criminal theft, fire damage, protests, and other forms of civil unrest. At the end of the risk assessment we should know what threats face our critical assets, what our vulnerabilities are, and what combination of controls are the best countermeasures for these.
As is standard, we look at the CIA framework of Confidentiality, Integrity, and Availability and how to protect these attributes for information and assets in our physical premises. A threat matrix can help us easily identify the assets we think would be targeted or critical; they can be people, information, equipment, or even gold bullion. Once we know our critical assets, we can identify the likelihood and impact of the threats to calculate each asset’s risk rating.
The best way to come up with a facility threat matrix, to identify critical assets and to understand the effectiveness of countermeasures is not just to do a site visit with trained security personnel. While that can be useful on a greenfield site, it only provides part of the picture. We should also look at the people that work on the site. Auditors will already know this, but the best way to identify what is critical to a business unit, and even how to break or attack that asset, is by talking with and interviewing the operational staff. This can also help attain buy-in if changes are needed. Using the change management process for the facility we can ensure changes are implemented smoothly. Questions we should ask during any facility risk assessment are:
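The threat matrix and the likelihood-times-impact rating mentioned above are easy to describe and easy to get inconsistent in a spreadsheet, so here is an added example of the calculation carried through in Python (written for this post; it is not the author's own tool or any standard's prescribed scoring). The assets, threats, 1-to-5 likelihood and impact values, the affected CIA attribute and the band thresholds are all constructed for the example; the functions `rate_matrix`, `above_appetite` and `asset_ranking` are this example's own names.

```python
# Constructed threat matrix (hypothetical values): for each critical asset and each threat,
# likelihood and impact on a 1-5 scale, plus the CIA attribute the threat mainly affects.
THREAT_MATRIX = {
    "server room": {
        "flooding":       {"likelihood": 3, "impact": 5, "attribute": "availability"},
        "criminal theft": {"likelihood": 2, "impact": 4, "attribute": "confidentiality"},
        "fire":           {"likelihood": 1, "impact": 5, "attribute": "availability"},
    },
    "paper archive": {
        "flooding":       {"likelihood": 3, "impact": 3, "attribute": "integrity"},
        "criminal theft": {"likelihood": 3, "impact": 4, "attribute": "confidentiality"},
        "fire":           {"likelihood": 1, "impact": 4, "attribute": "availability"},
    },
    "reception staff": {
        "civil unrest":   {"likelihood": 1, "impact": 5, "attribute": "availability"},
        "criminal theft": {"likelihood": 2, "impact": 1, "attribute": "confidentiality"},
    },
}


def risk_rating(likelihood: int, impact: int) -> int:
    """Rating on a 1-25 scale: likelihood multiplied by impact."""
    return likelihood * impact


def band(rating: int) -> str:
    """Constructed banding thresholds for the 1-25 scale; adjust to the organisation's own."""
    if rating >= 15:
        return "high"
    if rating >= 8:
        return "medium"
    return "low"


def rate_matrix(matrix):
    """Flatten the matrix into one row per (asset, threat) with rating and band, highest first."""
    rows = []
    for asset, threats in matrix.items():
        for threat, t in threats.items():
            r = risk_rating(t["likelihood"], t["impact"])
            rows.append({"asset": asset, "threat": threat, "attribute": t["attribute"],
                         "rating": r, "band": band(r)})
    # ties broken by name so the ranking is stable and reviewable
    rows.sort(key=lambda row: (-row["rating"], row["asset"], row["threat"]))
    return rows


def above_appetite(matrix, appetite: int):
    """Rows whose rating exceeds the stated risk appetite: each needs a countermeasure,
    a transfer, or a documented acceptance."""
    return [row for row in rate_matrix(matrix) if row["rating"] > appetite]


def asset_ranking(matrix):
    """Each asset's overall rating is its single worst threat, ordered for prioritisation."""
    worst = {}
    for row in rate_matrix(matrix):
        worst[row["asset"]] = max(worst.get(row["asset"], 0), row["rating"])
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for row in rate_matrix(THREAT_MATRIX):
        print(f'{row["rating"]:>2} {row["band"]:<6} {row["asset"]:<16} {row["threat"]:<15} {row["attribute"]}')
    print("needs treatment:", [(r["asset"], r["threat"]) for r in above_appetite(THREAT_MATRIX, 8)])
    print("asset priority:", asset_ranking(THREAT_MATRIX))
```

Ranking assets by their single worst threat rather than by a sum keeps one well-covered asset with many small risks from outranking an asset with one unacceptable exposure, which is the question the site visit and staff interviews are really trying to answer.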
- What are our critical assets?
- Who are our threat actors?
- What are the vulnerabilities for our assets?
- What is the impact of the risk being realised?
- How much protection do we want to achieve/what is our appetite for residual risk?
- What types of mitigating controls are appropriate?
- What could prevent controls being implemented?
- What are the specific security design constraints?
- How do the people, processes, and technologies of the facility carry out incident response?
Once our risk assessments, interviews and threat matrices have answered our questions, we can start planning the physical protection for the facility.
Site Planning
One of the main outcomes of physical security is controlling access to the facility. By layering controls, we can have a security programme that has ever increasing levels of security that become more difficult to circumvent as a threat actor gets closer to our critical assets and protected areas. This multi-layered approach allows us to protect our assets even if some of our controls fail. With this layering an attacker would have to penetrate multiple controls of different types of defences to access the targeted assets. The most critical asset in any organisation is the employees and the protection of their lives should be a primary goal. This needs to be considered when identifying what controls to use and how they should be implemented.
The first step in planning is to look at the building layout and where the assets are located, and then to think about which controls are needed where for optimal security, making sure security personnel are readily available to respond to incidents. The placement, type and frequency of these controls must be carefully planned to ensure that employees are able to carry out their duties in as free and convenient a way as possible while keeping assets protected. The level of control that is needed and the level of openness required vary by department and function, and it is important to involve key stakeholders in the planning stage to get this balance right. Security should always come before convenience, but convenience should be preserved where possible. While security controls entrance to and exit from a building, it should also provide for evacuation routes should the worst happen.
Greenfield sites are always easier to work with than trying to adapt existing buildings and processes. Not only can we ensure the walls are in the right places on a greenfield site, we can also ensure that they are in the right geographic area. For example, if we are choosing a site, we can select who our neighbours will be. In the long term, correct site selection, building placement, building layout, number of entry points and distribution of functions can reduce security operating costs. Established sites can bring an array of problems, such as requiring employee buy-in for process changes and working with the existing change management process to reduce the impact of any changes. Regardless of the site chosen, a holistic view should be taken to make sure security and business needs are balanced, risks are prioritised, and resources are allocated accordingly.
Depending on the function of the building, specific requirements may be needed, such as for data centres, which should be able to withstand 200 km per hour winds, rain and snow, be fire resistant, and have few, if any, windows. In addition, a data centre should be designed for optimal cooling, such as having 20-foot-high ceilings for airflow.
Restricted Work Area
Sensitive Compartmental Information Facilities (SCIF)
SCIFs are US governmental highly restricted areas where there are requirements for additional security measures and stricter access controls. The stricter controls extend from just physical restrictions to noise insulation, blocking off any windows or visible areas, and air gapping them from the network. When practical, entrance doors should incorporate a vestibule to preclude visual observation and enhance acoustic protection.
SCIF standard areas should have:
Primary entrance doors shall be equipped with the following:
- A GSA-approved pedestrian door deadbolt meeting Federal Specification FFL- 2890.
- A combination lock meeting Federal Specification FF-L 2740.
- An approved access-control device (see Chapter 8).
- May be equipped with a high security keyway for use in the event of an access control system failure. All Access control must be controlled from within the SCIF.
- All perimeter SCIF doors shall be equipped with an automatic, non-hold door-closer which shall be installed internal to the SCIF.
- All perimeter doors shall be alarmed.
- Perimeter doors shall comply with applicable building, safety, and accessibility codes and requirements.
- White noise or sound-masking devices need to be placed over doors.
Windows:
- Few if any windows should be present.
- Windows should not be openable.
- Windows should be alarmed if within 18 feet of the ground.
- Windows should be protected from visual or acoustic detection.
- Windows should provide RF protection.
Secure Working Area:
- Controlled by guards or with GSA-approved combo locks.
- Incident response time of 15 minutes.
- Strong access control.
Data Centers
Outside of SCIFs, the most secure place in an organisation is the data centre, which needs to be built to withstand a variety of threats and, as well as standard attacks, must also contend with the risk of accidental and insider threats. All employees working in data centres should have well-defined roles, and those roles should be sufficiently segregated to prevent individuals having access to the entire facility. This can be achieved by segmenting the HVAC and UPS equipment away from the networking gear. This, alongside strong access control, visitor controls and guard patrols, also reduces the risk of individuals having free rein in the building. There should be a 24/7 NOC to monitor for attacks and environmental conditions, with redundant methods to contact the outside world. In addition, access to server rooms and racks should be restricted to time-limited access for a specific purpose only.
If the data centre is just a room in a non-specialised facility it should be clearly marked as such, with additional restrictions beyond those of the standard office. Regardless of whether it is a comms room or a full data centre, any access by staff such as cleaners or HVAC maintenance should be done in pairs, and if the server rooms themselves need to be cleaned the cleaners should be escorted by security.
Protection Plans
While no protection plan is perfect it should incorporate People, Process and Technology. The combination of these factors will require compromise and understanding of the environment. With people being the most important factor of the organisation, it is important that they are prioritised for protection. By understanding the people in the facility, where they congregate and what the usual movement flows are we can best plan our security.
For effective protection plans physical disasters should be discussed in advance and incorporated into the BCP, DRP and emergency response processes, plans and procedures. These should be flexible to allow for the response teams to adapt as the situation evolves and develops. For example, a procedure for a Fire based disaster should be appropriate, at a high level, for all types of fires, and fire locations.
Finally, the protection plan should incorporate any technical security designed into the premises; controls such as CCTV, person-traps, asset tracking technologies and similar can help the security teams ensure that physical threats are detected, contained, and responded to.
Incident Response
Where BCPs are all about maintaining operations in adverse situations and DRPs are about recovering operations to a known good state, Incident Response is about having processes to respond in the immediate aftermath of a variety of situations, from operational availability issues to data confidentiality incidents. When architecting the security controls of an organisation we can identify training and review processes to ensure IR is successful, including ensuring wargaming and other testing of controls is implemented and effective. The incident response process should define an effective methodology, the roles and responsibilities for the team(s) involved, a communication plan, and a testing strategy.
Assurance
The best designed architectures and compliance frameworks can always fall short when put into practice, so it is important to test to ensure the controls are adequately designed and operating effectively.
Penetration Tests
Physical penetration tests can be a great way to test the effectiveness of controls by identifying the weak points and vulnerabilities. Dumpster diving, lock picking, social engineering, physical access compromise, and simulated sabotage can all be assessed, while tabletop key person targeting can help us target remediation efforts on the critical risks. Using an external, and unrecognised person to carry out the assessment can help understand the real responses of staff when facing unknown external people trying to enter the building, but assessments should include trying to leave with information, hardware, or other assets.
Access Control Violation Monitoring
For internal doors that are not monitored by people in the room it is important to ensure access procedures are still enforced, and risky behaviour like tailgating is monitored for and corrected. Proximity buzzers, person-traps, and turnstiles can all assist with enforcing this behaviour.
CCTV and a security control room can also be used to monitor for violations and to receive alerts when a violation occurs. Even without a manned control room, an access audit trail should still be kept with the date, time and location of the alarm. There are products that offer this, such as: https://alcyonelectronique.fr/wp-content/uploads/2018/10/tdflex-1.pdf
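Even an unmanned door produces the raw material for that audit trail, provided the events are actually reviewed. The Python below is an added example for the two passages above on tailgating and violation monitoring (it is not the original page's code and not the linked product's logic): it reads a constructed event stream from a door with entry and exit readers, raises an audit entry with date, time and location for every door-held and door-forced alarm, and applies an anti-passback check, meaning a card that enters twice without leaving, or leaves without having entered, is flagged, because someone passing that door without presenting a card is exactly what tailgating looks like in the log. The door name, card numbers and event names are constructed for the example; `audit_trail` and `violation_summary` are this example's own names.

```python
from datetime import datetime

# Constructed event stream from one controlled door with entry and exit readers.
# Shape: "date time,location,event,card"; event is entry, exit, door-held or door-forced.
EVENT_LINES = """\
2024-06-03 08:00:05,lab-door,entry,CARD-1001
2024-06-03 08:00:09,lab-door,entry,CARD-1002
2024-06-03 08:00:15,lab-door,door-held,-
2024-06-03 08:30:00,lab-door,entry,CARD-1001
2024-06-03 12:00:00,lab-door,exit,CARD-1001
2024-06-03 12:00:04,lab-door,exit,CARD-1002
2024-06-03 12:30:10,lab-door,exit,CARD-1004
2024-06-03 19:45:30,lab-door,door-forced,-
"""


def parse_events(text):
    """Parse the exported lines into dicts, keeping the raw timestamp for the audit trail."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, location, event, card = line.strip().split(",")
        datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")  # reject malformed timestamps early
        events.append({"time": stamp, "location": location, "event": event, "card": card})
    return events


def audit_trail(events):
    """Return (time, location, description) tuples for every alarm and every
    anti-passback violation, in the order the events occurred."""
    inside = set()   # cards currently believed to be inside, per the readers
    trail = []
    for e in events:
        kind, card, loc, when = e["event"], e["card"], e["location"], e["time"]
        if kind == "entry":
            if card in inside:
                trail.append((when, loc, f"anti-passback: {card} re-entered without an exit"))
            inside.add(card)
        elif kind == "exit":
            if card not in inside:
                trail.append((when, loc, f"anti-passback: {card} exited without an entry"))
            inside.discard(card)
        elif kind in ("door-held", "door-forced"):
            trail.append((when, loc, f"alarm: {kind}"))
    return trail


def violation_summary(trail):
    """Count audit entries by (location, category) for the periodic review report."""
    counts = {}
    for _, loc, description in trail:
        category = description.split(":", 1)[0]
        counts[(loc, category)] = counts.get((loc, category), 0) + 1
    return counts


if __name__ == "__main__":
    trail = audit_trail(parse_events(EVENT_LINES))
    for when, loc, description in trail:
        print(when, loc, description)
    print(violation_summary(trail))
```

The anti-passback entries are the interesting ones for the unmanned door: a door-forced alarm is obvious, but a card that re-enters without ever badging out tells you the holder left through a door being held open for them, and an exit with no matching entry tells you someone was let in the same way. Both are the behaviour the guards, person-traps and turnstiles above exist to stop.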
Non-CBK References
While many of these are in the CBK, there are some that are not, but which I found useful. I also found several of the CBK references are no longer current and have updated these.
https://www.wbdg.org/FFC/DOD/UFC/ufc_4_010_05_2013_c1.pdf
https://www.dni.gov/files/NCSC/documents/Regulations/ICS-705-1.pdf
https://fas.org/irp/offdocs/dcid6-9.pdf
https://www.wbdg.org/FFC/NAVFAC/ATESS/navfac_far_east_scif_sapf_sept_2019_a.pdf
https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf
https://www.adamosecurity.com/wp-content/uploads/2020/07/JAFAN-6.9.pdf – this one is super old at 2004, so not sure how much weight to give it; it’s short, but if there is any contradiction with other sources use the more up-to-date source.
https://www.wrc.noaa.gov/wrso/briefings.htm – There are better resources for the CISSP-ISSAP but this has some interesting practical insights into how the US Government agencies try to instil good practice.
https://www.fema.gov/pdf/business/guide/bizindst.pdf – This is another super old reference but being FEMA and still current it is worth a read, however other resources should be considered such as https://www.fema.gov/about/offices/continuity and https://www.ready.gov/business-continuity-planning-suite
https://tools.ietf.org/html/rfc2904
https://en.wikipedia.org/wiki/United_States_Munitions_List
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf
https://cvgstrategy.com/itar-international-traffic-in-arms-regulations/itar-part-121/
https://cvgstrategy.com/itar-international-traffic-in-arms-regulations/itar-part-126/
https://www.dhs.gov/homeland-security-presidential-directive-12
https://www.fedidcard.gov/your-credential#How%20To%20Obtain%20A%20Credential
https://assets.cloudsecurityalliance.org/legacy/wp-uploads/2011/10/TCI_Whitepaper.pdf
https://www.fema.gov/media-library/assets/documents/132592
https://www.welivesecurity.com/wp-content/uploads/2012/12/ics-cert-incident-response-summary.pdf