Checklist for Physical Security Risk Assessments

What are the most overlooked areas for physical security?

Ken Stasiak, president of Secure State, an Ohio-based information security firm that performs penetration testing, says physical security as a whole is overlooked.

"A handful of our clients say they don't need to test it because they know that their physical security is poor," Stasiak says.

Before conducting a physical security risk assessment, Stasiak has institutions answer these questions:

Are physical controls documented?
Are secure areas controlled?
Are review and maintenance of access controls taking place?
Are there non-standard entry points to secure areas?
Are these non-standard entry points secured and/or monitored?
Are visitors required to have supervision at the institution?
Are visitors allowed within secure areas?
If your organization shares access to your facility, does it have proper controls to segregate access?
Is sharing physical access to the institution by other organizations documented?
Are there contracts or agreements with the organization regarding this physical access?
Has a physical penetration test been performed?
Are magnetic media stored in accordance with regulatory requirements and manufacturers' suggested standards?
Do guards at entrances and exits randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?
Are fire detectors and an automatic extinguishing system installed on the ceiling, below the raised flooring and above dropped ceilings in computer rooms and tape/disk libraries?
Are documents containing sensitive information not discarded in whole, readable form? Are they shredded, burned or otherwise mutilated?
Are DVDs and CDs containing sensitive information not discarded in whole, readable form? Are they "shredded" or mutilated with no restoration possible? (This also should be asked of hard drives and other data storage technology prior to disposal.)
Is data center and server room activity monitored and recorded on closed-circuit TV and displayed on a bank of real-time monitors?
Does access to a controlled area prevent "Tail-gating" by unauthorized people who attempt to follow authorized personnel into the area?

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
