Physical security

The last component of the human element of security we will cover is physical security. It can be stated with a high degree of confidence that the most important facet of security is physical security; there is no security if access to systems is not limited or controlled. Put another way, if a system can be physically removed from the data center with nothing to prevent the action, then network access controls provide no benefit, and all other security is irrelevant. A scenario covered in the Social engineering section was the attacker attempting physical access to enterprise systems in order to gain access to enterprise data. This section will briefly cover the need for physical security controls, primarily the human interaction control.

In order for enterprise associates to protect the enterprise from well-trained social engineers who show up in person, they must know what behaviors to look for and how to react according to policy and training. This can only occur if the scenarios are practiced and rehearsed continuously. In my opinion, this is one of the areas that require the most time and attention, especially for retailers and organizations with several remote locations.

The controls implemented must work together, much like network-based security controls. As an example, a suspicious individual enters the corporate office. The individual tells a compelling story and requests access to computer systems for an unscheduled repair; the paperwork seems legitimate, and the person looks like they could really work for the company they claim to represent. Is this person supposed to be in this location? Truthfully, that could be hard to determine if each control is monitored individually and the whole picture is missing. In this scenario, let's say the individual possessed no identification; maybe it was left at home or lost. How else can the associates determine if this person should really be on-site and accessing enterprise computer systems? Scenarios should be used to educate associates on the many methods to enforce controls, while being OK with turning the suspicious person away.

Common physical access controls include:

  • Company-issued badges (employee and visitor)
  • Cameras (hidden and plain sight)
  • Guards (stationary and mobile)

Requiring a company badge and a chaperone for visitors reduces fraudulent access attempts when these controls are effectively implemented and monitored. Access to data centers must require authorization from a higher-level individual than the person requesting access, as this additional scrutiny not only increases security but may also enforce formal change control processes. Constant monitoring with cameras not only aids in post-event investigation but, if used properly, can also help identify suspicious behaviors of would-be attackers. The presence of guards is more of a mental message to would-be attackers that someone is watching and may take forceful action to stop them.

The physical aspects of security should be an integral component of the security awareness training program to ensure threats are identified and stopped before entering the physical enterprise perimeter.
