
Physical Security

This checklist is information security centric and applies primarily to the average organizational environment with medium to high security requirements, although most of its items are prudent for any type of organization. When evaluating physical security, you will want to look at the operations and controls both inside and outside the facility. You will also want to focus on specific logical areas such as:

  • All facility entry/egress points
  • Data center or server rooms
  • Network operations and IT support areas
  • Executive and management areas
  • Sensitive areas such as wiring closets, loading docks, employee smoking exits, and executive briefing and conference rooms

Evaluate the above areas against the following guidelines. They address the majority of physical security items of concern to the average organization.

  • Ensure that operational cameras cover key entry locations.
  • Ensure that entry points have adequate and functioning locks.
  • Ensure that alarm monitoring equipment is in proper working condition.
  • Ensure that data center and/or operational server rooms have adequate and functioning locks.
  • Ensure that a key custodian exists who tracks and assigns keys for locks, with no more than two such people for any given department.
  • Ensure that any maintained list of administrative accounts, either paper or electronic, is properly secured with no more than two-person access.
  • Ensure that data center and/or operational server rooms properly control and have accountability for all staff, including maintenance and cleaning personnel.
  • Ensure that data center and/or operational server rooms have alarm and/or video monitoring equipment.
  • Ensure that server cages and racks are properly secured.
  • Ensure that necessary environment controls and practices such as fire suppression, backup power, and data recovery exist for critical system operations.
  • Ensure that system repair disks and backup media are not left unsecured.
  • Ensure that backup media is being stored off-site.
  • Ensure that network jacks are disabled in public areas, conference rooms, and other unused areas.
  • Ensure that all personnel entering the facility enter through one or more monitored control points, either via electronic card key or guard/reception personnel.
  • Ensure that facility and operationally sensitive doors and other entry points are not propped open or otherwise left unsecured for any length of time without supervision.
  • Ensure that the walls for sensitive areas extend to the ceiling through drop ceilings.
  • Ensure that critical personnel do not have computer monitors and keyboards exposed to windows that would be viewable telescopically from the outside (surveillance is possible from very long distances).
  • Ensure that guard personnel monitor the facility's external perimeter and check on suspicious activity (roving personnel or video surveillance).
  • Ensure that guard personnel monitor internal areas (roving personnel or video surveillance).
  • Ensure that visitors are required to have badges and are not allowed access to sensitive areas unescorted.
  • Ensure that visitors are required to be escorted at all times.
  • Ensure that proper accountability and control exists for all modems and wireless access points within the facility.
  • Ensure that critical executive staff offices are not left unsecured in off hours.
  • Ensure that all cleaning staff entering the facility are known and identified; any changes to staff should require prior authorization.
  • Ensure that all sensitive documentation and electronic media are appropriately disposed of.
  • Ensure that manual shredder/shredding pickup service lifecycles are secure.
  • Ensure that sensitive operational documents or electronics are not left unattended for inappropriate periods of time.
  • Ensure that user system account information or network topologies are not written down or posted in work areas or otherwise left unsecured.