Assessing the Physical Security of Your Information Assets
by Commonwealth Financial Network
The first time I heard the phrase "physical security," I immediately thought of Raiders of the Lost Ark, with its booby-trap boulders, moving spike walls, and light beams that trigger darts. Fortunately, it didn't take me long to figure out that the physical side of information security is (almost) never as wild as an Indiana Jones movie!
In fact, whether your office space is within a managed building environment, at home, or in a shared location, assessing the physical security of your information assets isn't a particularly difficult task, and there's no need to go overboard. The goal is to determine how you can best protect those assets without compromising your workplace's warm, inviting atmosphere.
There are three categories to consider when thinking about your sensitive information:
- Personally identifiable information: Client addresses, account numbers, social security numbers, employee information, or any other private information that uniquely identifies an individual
- Protected health information: Insurance card numbers, medical records
- Your office's specific information: Policies, trade secrets, strategic business plans
Some of this information might live physically as paperwork; some might live on an information server. These are key areas to focus on when improving your physical security program, as they're the heart of what you're protecting.
Once you know what you're protecting, it's time to think about all the possible threats that could negatively affect those assets. Your list can be as long as you see fit. The only real requirement is that it captures all realistic scenarios that could result in unauthorized disclosure, modification, or destruction of your information assets.
If you're having trouble imagining such scenarios, I'd recommend checking out the Harmonized Threat and Risk Assessment (TRA) Threat Listing (Appendix C-2). You'll notice that this list is compiled by a Canadian government agency, but it's still useful for assessing security in the U.S. You'll find a similar catalog of threats in the National Institute of Standards and Technology's "Guide for Conducting Risk Assessments" (see Appendix D for threat sources and Appendix E for threat events).
These lists may get a little extreme, as they range from coffee spills to military invasions. But they're worth scanning for a comprehensive overview of possible threats. You must decide what you'd realistically need to defend against, while also considering impact and probability.
Proper physical safeguards should attempt to achieve one (or more) of the following:
- Deter
- Deny
- Detect
- Delay
Let's go through what these four Ds mean and how they can help prevent an unauthorized intruder from accessing your information.
Deter. This category includes any physical measure that discourages an attacker from attempting to penetrate your security. The most common example is a repellent alarm; even if the siren doesn't notify the building owner, attackers don't want to draw attention to themselves. Other frequently used deterrent options include signage, fencing, and motion-sensor lighting.
Deny. Physical controls that deny are those that prevent attackers from accessing your sensitive information. Once again, you want to focus on where your sensitive information lives (rather than starting with your building's entrance). Asking yourself the following questions can help you pinpoint your needs:
- Do your employees practice a clear-desk and clear-screen policy? That is, do they secure sensitive paperwork and lock their workstations whenever they leave their desks?
- Are your data-disposal processes secure? Do you cross-cut shred sensitive paperwork? Do you securely dispose of your hard drives? After all, "dumpster divers" who might rifle through your trash to find sensitive information are a real information security threat.
- Are your workstation hard drives and other devices encrypted? Keep in mind that once information is encrypted, thieves won't be able to access your information without your password (even if they are able to steal it).
Here's the bottom line: Your devices are replaceable, but the information on them is not. That's why it's so important to begin with applying strong controls around your most sensitive information.
You'll also want to prevent unauthorized people from entering your office in the first place. Think about how staff and clients access your building. Can they do so in the middle of the night? What's stopping an unauthorized person from entering the building?
How you tackle the issue of denial is up to you, your tolerance for risk, and your office's culture. Locks and badge readers might suffice. Or simply having a receptionist greet guests at the door might work, as that person can help deny (and deter) unauthorized visitors. (Be sure to have a process in place for when your receptionist is away from his or her desk or from the office.)
Detect. Unfortunately, not every attack can be 100-percent denied. Think about a situation in which the inevitable happens:
- Do you have a means of detecting when it happens, or, better, who or what caused the incident?
- Does your alarm system only make noise (to deter), or does it inform the building owner or authorities of a potential break-in (to detect)?
If your building has an identification card reader, is it logging information clearly and accurately? This might successfully detect an attacker, but it can also build accountability in the event that someone else allowed the attacker into the building.
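One way to act on the card-reader logging question above, as an added example that is not part of the original post: a Python check over constructed badge-reader log lines that flags after-hours entries, re-entries with no recorded exit, and interior-door use by a badge never seen at an exterior door. The log format, door names and business hours are assumptions.

```python
from datetime import datetime, time

# Constructed sample badge-reader log lines (not from any real system):
# "<ISO timestamp> <badge id> <door> <ENTRY|EXIT>"
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 front-door ENTRY
2024-03-04T12:30:45 B1001 front-door EXIT
2024-03-04T13:05:02 B1001 front-door ENTRY
2024-03-04T13:06:40 B1001 server-room ENTRY
2024-03-04T02:14:09 B2002 front-door ENTRY
2024-03-04T09:15:00 B3003 front-door ENTRY
2024-03-04T09:40:12 B3003 front-door ENTRY
2024-03-04T10:00:00 B4004 server-room ENTRY
"""

# Assumed business hours and which doors are exterior entrances.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
EXTERIOR_DOORS = {"front-door"}


def parse_log(text):
    """Parse log lines into (timestamp, badge, door, event), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, event = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, event))
    return sorted(events)


def review_badge_log(text):
    """Return (badge, timestamp, reason) findings that deserve a human look."""
    findings = []
    inside = set()  # badges currently recorded as inside the building
    for ts, badge, door, event in parse_log(text):
        if event == "ENTRY" and not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append((badge, ts, "after-hours entry"))
        if door in EXTERIOR_DOORS:
            if event == "ENTRY":
                if badge in inside:
                    # No exit between two entries: an unlogged exit or a shared badge
                    findings.append((badge, ts, "re-entry without recorded exit"))
                inside.add(badge)
            elif event == "EXIT":
                inside.discard(badge)
        elif event == "ENTRY" and badge not in inside:
            # Interior door used by someone the exterior readers never saw come in
            findings.append((badge, ts, "interior access without exterior entry"))
    return findings
```

Each finding is a prompt for the accountability question the paragraph raises: who was at the reader, and who let them in.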
Delay. Last but not least, your security system should delay the attacker from accessing your information assets. The more time it takes for criminals to get the information they're seeking, the more likely those criminals will be caught or give up. Minimizing what sensitive information is out in the open and easy for any visitor to access is always a smart practice. You can take it one step further by adding this concept to your policies to make your employees more aware of how their actions and cautiousness might make all the difference.
Of course, you don't want your clients to feel like they're entering a super-secret military compound when visiting your office. At the same time, you don't want to keep all of your information out in the open, ready for an opportunist to access during one of your lunch breaks. But by following some of the strategies discussed here, your information security efforts will be focused, effective, and (just) enough to get the job done.
Have you taken steps to protect the physical security of your information assets? Do you have data-disposal processes in place? Please share your thoughts with us below!
Commonwealth Financial Network is the nation's largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firm's corporate blog.
Copyright © Commonwealth Financial Network