Photo from security.honeywell.com

Photo from security.honeywell.com

Physical Security audits are designed to ensure that data and information technology infrastructure are protected from malicious and/or unintentional acts of harm. That includes preventing hackers from plugging directly into your machines to steal data or preventing a clumsy co-worker from spilling coffee on a server rack.

Physical Security audits are most common for data centers and co-location providers, but might be considered valuable to any company that stores their own data or performs a critical process on site. That may include hard copy data as well.

For example, a few of my previous clients were in the industry of printing and bulk mailing customized mass mail (think bank statements or government notifications). Their print floor housed millions of envelopes full of social security numbers, telephone numbers, account numbers, and mailing addresses. It was basically a hard copy version of a large customer database. Even though they didn’t host their own data – a physical security audit was still important to demonstrate the commitment to protect customer data.

Here are a few controls you might want to consider for your next physical security audit:

1 The Company maintains up-to-data Physical Security policies and procedures governing required physical security practices for all employees.
2 Physical access to the data center, servers, and premises is restricted to appropriate employees using a key card and a biometric system.
3 Physical access to the network, telecommunications, and power rooms is further restricted to appropriate individuals using a key card system.
4 Administrative access to the key-card management and biometric scanner applications is restricted to appropriate individuals based on job function.
5 User access to the key-card management and biometric scanner applications is reviewed on a quarterly basis, and access changes requested as a result of the review are applied.
6 New employee and new customer physical access is documented and approved for activation in the key card and biometric scanner applications prior to gaining access to the facility.
7 Employee access to the key-card management and biometric scanner applications is removed upon termination.
8 Access to server cages and cabinets is secured by locking mechanisms to prevent unauthorized access. In case of an emergency, the Company’s management maintains a master key to access the server cages.
9 Visitors must be escorted by a valid badge holder (employee or customer) while onsite.
10 Background checks are performed and the results are evaluated for new employees prior to employment.
11 Video surveillance equipment is placed in key areas throughout the facility (including all access points to the data center). All video is retained for a minimum period of 30 days.
12 Access doors to the data center are configured to activate alarms if a door is held open for more than 60 seconds.
13 Sensitive data is shredded and stored in locked trash bins for disposal.
14 Trash bins which house sensitive documents are removed from the facility for disposal by an authorized third party contracted for the secure removal of waste.
15 A security guard(s) is on site at the facility at all times to monitor building access and potential security events.

Let us know if you think of any we are missing. Next week we’ll outline common environmental security controls.