Task 1.4: Reviewing a Physical-Security Checklist
The value of physical security cannot be overstated. Physical security is also the oldest aspect of security. Even in ancient times, physical security was a primary concern of those who had assets to protect. Just consider the entire concept of castles, walls, and moats. While primitive, these controls were clearly designed to delay attackers. Physical security is a vital component of any overall security program. Without physical security you can have no security at all. Any time someone can touch an asset, there is a good chance they can control it. Usually, when you think of physical security, items such as locks, doors, and guards come to mind, but physical security is also about employees. What can they bring to work—iPods, USB thumb drives, camera phones? Even these items can pose a threat to security. One good way to start building effective physical security is by creating a checklist of items employees are allowed (or not allowed) to bring with them to work.
Scenario
Your organization may soon be subject to a security audit. Your manager would like to get ahead of this process and have you investigate the current physical-security practices.
Scope of Task
Duration
This task should take about 20 minutes.
Setup
In real life security audits don’t happen in a void. They occur with the support and under the direction of senior management. End users may or may not be informed ahead of time. Either way, you would most likely have a memo or letter of authorization authorizing you to perform such activities.
Caveat
Physical security is sometimes overlooked in the mostly logical world of IT. That practice can have catastrophic consequences.
Procedure
In this task, you will learn how to go through a physical-security checklist.
Equipment Used
For this task, you must have:
- A pen or pencil
Details
This task will step you through a physical-security checklist. It will highlight the value of physical security. Physical security is different from the security controls focused on hackers and crackers. Logical security addresses controls designed to prevent disclosure, denial, or alteration of information. Both are important and, when combined, a holistic view of security can be adopted.
Reviewing a Physical-Security Checklist
One of the best ways to check the physical security of your network infrastructure is to conduct a physical-security review.
Use Table 1.11 to measure your company’s level of security. For each item that is present, note a score of 1. If the control is not present, rate that item a 0.
TABLE 1.11 Physical-Security Checklist
| Item | Score (Yes = 1, No = 0) |
| Is there perimeter security? | |
| Is a security fence present? | |
| Is exterior lighting used to deter intruders? | |
| Is CCTV being used? | |
| Are exterior doors secured? | |
| Is access control in use at building entries? | |
| Are dumpsters in an area the public can access? | |
| Are sensitive items shredded or destroyed before being discarded? | |
| Do interior areas have access control? | |
| Are the servers in a secure location? | |
| Does the server room have protection on all six sides? | |
| Is access to the server room controlled? | |
| Are network cables and the telecommunication lines protected from tapping, cutting, or damage from digging? | |
| Are there “deadman” doors at each of the entrances to prevent piggybacking? | |
| Is old media degaussed, shredded, and destroyed? | |
| Are confidential documents marked? | |
| Is visitor access controlled? | |
| Are uninterrupted power supplies, surge protectors, and generators used? | |
| Are visitor badges different from regular employee badges? | |
| Are end users allowed uncontrolled access to USB ports or CD/DVD burners? | |
| TOTAL SCORE |
After filling in Table 1.11, add up the score and compute the total:
- A score of 18 or higher is good.
- A score of 16 or 17 is fair.
- A score of 15 or below is poor.
In real life, physical security takes much more work. This rating system doesn’t take into account the issue of reliability or assurance, but should give you an idea of the types of items you will want to examine.
Criteria for Completion
You have completed this task when you have reviewed a physical-security checklist.