326
A Practical Guide to Security Assessments
and high-level roles and responsibilities, which can be translated into specific physical security procedures. The roles and responsibilities can include those of individuals such as facilities personnel, whose job is physical security, as well as regular personnel, who might have some level of responsibility as it relates to physical security — e.g., personnel must ensure that their desks are clean when they leave at the end of the day. The policy should be updated to reflect changing business requirements and enforced via regular audits.
Risk:
Without a physical security policy, there are no formal requirements for what is to be done to physically secure the company. As a result, personnel will not necessarily know what to do from a physical security perspective, and it will be difficult to enforce good physical security practices at the company.
Client Response:
2. Is someone or some group responsible for physical security of the facilities, e.g., a facilities group?
Guidance:
Someone should own the responsibility of physical security to ensure that accountability exists. Responsibility for physical security can vary and can include:
• Separate department with dedicated personnel
• Part of information technology (IT) security
• Part of facilities management
These groups’ responsibilities should be formally documented in the physical security policy. In some cases, such as when the facility is in an office park or building setting, physical security might be handled by a third party that handles security for all companies in the facility. In these cases, someone from the company should be responsible for the relationship with the party providing physical security services. The company will still be responsible for some elements of physical security (e.g., inside offices, file cabinets). Whether internally or externally performed, responsibility for physical security should be clearly defined.
Risk:
Without a clearly defined owner of physical security, there is a lack of accountability and a potential that physical security measures will not be implemented as intended by management.
Client Response: