Assessing the Physical Security of Your Information Assets
The first time I heard the phrase “physical security,” I immediately thought of Raiders of the Lost Ark, with its booby-trap boulders, moving spike walls, and light beams that trigger darts. Fortunately, it didn’t take me long to figure out that the physical side of information security is (almost) never as wild as an Indiana Jones movie!
In fact, whether your office space is within a managed building environment, at home, or in a shared location, assessing the physical security of your information assets isn’t a particularly difficult task—and there’s no need to go overboard. The goal is to determine how you can best protect those assets without compromising your workplace's warm, inviting atmosphere.
There are three categories to consider when thinking about your sensitive information:
- Personally identifiable information: Client addresses, account numbers, Social Security numbers, employee records, or any other private information that uniquely identifies an individual
- Protected health information: Insurance card numbers, medical records
- Your office’s specific information: Policies, trade secrets, strategic business plans
Some of this information might live physically as paperwork; some might live electronically on a file server or in a database. Wherever it lives, those locations are the key areas to focus on when improving your physical security program, because they are the heart of what you're protecting.
Once you know what you’re protecting, it’s time to think about all the possible threats that could negatively affect those assets. Your list can be as long as you see fit. The only real requirement is that it captures all realistic scenarios that could result in unauthorized disclosure, modification, or destruction of your information assets.
If you’re having trouble imagining such scenarios, I’d recommend checking out the Harmonized Threat and Risk Assessment (TRA) Threat Listing (Appendix C-2). You’ll notice that this list is compiled by a Canadian government agency, but it’s still useful for assessing security in the U.S. You’ll find a similar catalog of threats in the National Institute of Standards and Technology’s “Guide for Conducting Risk Assessments” (NIST Special Publication 800-30; see Appendix D for threat sources and Appendix E for threat events).
These lists may seem a little extreme, as they range from coffee spills to military invasions. But they’re worth scanning for a comprehensive overview of possible threats. You must decide what you’d realistically need to defend against, weighing the impact of each scenario against its likelihood.
Proper physical safeguards should attempt to achieve one (or more) of the “four Ds.” Let’s go through what each of these means and how it can help prevent an unauthorized intruder from accessing your information.
Deter. This category includes any physical measure that discourages an attacker from attempting to penetrate your security. The most common example is an audible alarm; even if the siren doesn’t notify the building owner, attackers don’t want to draw attention to themselves. Other frequently used deterrent options include signage, fencing, and motion-sensor lighting.
Deny. Physical controls that deny are those that prevent attackers from accessing your sensitive information. Once again, you want to focus on where your sensitive information lives (rather than starting with your building’s entrance). Asking yourself the following questions can help you pinpoint your needs: