Checklist for Physical Security Risk Assessments
Linda McGlasson
February 12, 2008
What are the most overlooked areas for physical security?
Ken Stasiak, president of Secure State, an Ohio-based information security firm that performs penetration testing, says physical security as a whole is overlooked.
"A handful of our clients say they don't need to test it because they know that their physical security is poor," Stasiak says.
Before conducting a physical security risk assessment, Stasiak has institutions answer these questions:
Are physical controls documented?
Are secure areas controlled?
Are access controls reviewed and maintained?
Are there non-standard entry points to secure areas?
Are these non-standard entry points secured and/or monitored?
Are visitors required to have supervision at the institution?
Are visitors allowed within secure areas?
If your organization shares its facility with other organizations, are there proper controls to segregate access?
Is physical access to the institution by other organizations documented?
Are there contracts or agreements with those organizations regarding this physical access?
Has a physical penetration test been performed?
Are magnetic media stored in accordance with regulatory requirements and manufacturers' suggested standards?
Do guards at entrances and exits randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?
Are fire detectors and an automatic extinguishing system installed on the ceiling, below the raised flooring and above dropped ceilings in computer rooms and tape/disk libraries?
Are documents containing sensitive information shredded, burned or otherwise destroyed, rather than discarded in whole, readable form?
Are DVDs and CDs containing sensitive information "shredded" or mutilated so that no restoration is possible, rather than discarded in whole, readable form? (This should also be asked of hard drives and other data storage technology prior to disposal.)
Is data center and server room activity monitored and recorded on closed-circuit TV and displayed on a bank of real-time monitors?
Does access control to a secured area prevent "tailgating" by unauthorized people who attempt to follow authorized personnel into the area?