Chapter-9-Physical-Security.md

Chapter 9. Physical Security

Is often a feature of regulatory compliance regimes and vendor assessment questionnaires, as well as materially impacting the security of the systems and data that you are tasked with protecting

Table of contents

• Chapter 9. Physical Security
  • Table of contents
  • Physical
    • Restrict Access
    • Video Surveillance
    • Authentication Maintenance
    • Secure Media
    • Datacenters
  • Operational
    • Identify Visitors and Contractors
    • Visitor Actions
    • Contractor Actions
    • Badges
    • Include Physical Security Training

Physical

Restrict Access

• Restricting access to the premises or portions of the premises
• Badge systems prevent unauthorized personnel from gaining access to secure areas where they might be able to steal, interfere with, disable, or otherwise harm systems and data

Video Surveillance

• Cameras would typically be located at major ingress and egress points, such as a lobby area as well as, or particularly sensitive areas such as server rooms
• Surveillance or CCTV (closed-circuit television) cameras should be placed pointing at entrance doors to the building, areas of high importance or sensitivity,wherever else a high risk has been identified

Authentication Maintenance

Maintenance also includes changes in staff. In the event that a member of staff ceases to be a member of staff, should surrender badge, along with any keys

Secure Media

• Prevent unauthorized persons from gaining access to sensitive data on any type of media
• Media may be lost or stolen if sent via a nontrackable method, such as regular mail

Datacenters

• Use rackable equipment so that locking server racks can be utilized
• Office routers, switches, and maybe a read-only domain controller are not extremely important, but they are still a potential vector of attack

Operational

Identify Visitors and Contractors

Quickly determine an approximate level of trust that they can place on a person with whom they are not already familiar

Visitor Actions

• Sign-in/Sign-out procedure should be required
• Any action involving technology, equipment, or potential information gathering should require an employee verification of intent

Contractor Actions

Proper policy and guidelines should be set on who the contractor works through for identification and access

Badges

Visitor badges should be restricted to only the duration of the visitor’s stay and surrendered when they sign out, automatically void after a certain time limit

Include Physical Security Training

Some scenarios and types of potential malicious activities

• Tailgating
• Badge cloning
• Malicious media
• Restricted access
• Pretexts