Warning — possible high-risk issue
To ensure that your current security controls are adequate, it's important to assess the physical and environmental risks that your office facilities are exposed to.
Electronic access control is strongly recommended for office facilities that deal with confidential or sensitive data or have network-level access to it. Standard (non-electronic) keys are very difficult to control (short of changing the entire lock), and access is generally not logged in an auditable way.
Warning — possible medium-risk issue
Having a written physical security policy helps ensure that all offices establish the same standards for protecting against unauthorized physical access. Because overall security is determined by the weakest link in the chain, a single noncompliant office may introduce risk to your company's (and customers') confidential and sensitive information.
Physical access to office facilities should be restricted, because a breach can affect the confidentiality, integrity, and availability of information. It's important to have an auditable process for granting and revoking physical access, and for reviewing physical entry logs.
Unfortunately, security incidents (whether physical or logical) are not always immediately detected. It's important to retain physical access log files, typically for six months, in case they're needed for investigation.
In data theft incidents, it is not always immediately obvious that data has been copied (after all, nothing is missing per se). To address this, physical access logs should be regularly reviewed so that irregularities can be quickly identified and investigated.
Lack of protection for office network equipment can provide an attacker with a conveniently central place from which to attempt to breach your network. If someone manages to gain unauthorized physical access to office routers/distribution switches, they might be able to get around security controls (such as ARP-spoofing protections or 802.1x). It's best to lock away office networking equipment, to prevent unauthorized tempering.
When strong physical security controls are in place, certain requirements that are usually recommended (e.g., encryption of data at rest) may be relaxed. These exceptions are acceptable only if specific security controls are implemented in all data centers that may store confidential information. A written policy describing these requirements should be enforced to ensure that a baseline for physical security is uniformly implemented across all data centers.
Electronic access control is strongly recommended for data centers that handle or store confidential or sensitive data. Standard (non-electronic) keys are very difficult to control (short of changing the entire lock), and access is generally not logged in an auditable way.
Make sure to put procedures in place to regularly verify that security controls are working as intended.
HVAC and temperature inside data centers should be monitored, and appropriate personnel should be informed when they are outside normal ranges.
Physical access to data center facilities should generally be highly restricted, because a breach can affect confidentiality, integrity, and availability of information. It's important to have an auditable process for granting and revoking physical access, and for reviewing physical entry logs. Otherwise it won't be possible to determine at any given time who actually has access to the data center and the data stored within it.
If availability is a strong concern for your project, you should make sure you're able to quickly switch to a different data center that is not geographically close to the one that's experiencing the outage.
To ensure that current security controls are adequate, it's important to assess the physical and environmental risks that your data center (or data center provider) is exposed to.
Status: No changes Download Answers Reset Questionnaire