Sep 30 2017

Physical Security Checklist #physical #security, #security, #assessment, #cobit, #nist, #pci, #standards, #frameworks, #checklist, #risk #assessment


Based on my previous post where I suggested performing a physical security risk assessment for your organization, I decided to jot down a quick list of items you may want to consider for your checklist.

This list is not all-inclusive by any means, as each individual location is different. My goal is to create awareness with this list and perhaps draw attention to some areas that are sometimes overlooked.

Document law enforcement, fire department and hospital locations and contact information

Document neighboring buildings and contacts for their security staff

Account for vehicle barriers for entrances

Ensure landscaping does not provide cover for intruders

Secure dumpsters with padlocks

Document building utility shutoffs and ensure they are secure, including phone and Internet connectivity

Document emergency override for fire suppression systems

Account for emergency routes (snow routes, floor routes, etc.)

Document other building tenants: business type, number of employees, hours of operations, etc.

Secure all building entrances after hours and arm burglar alarm systems

Secure dock/shipping areas at all times

Document deliveries and procedures

Ensure monitors, marker boards and projector screens cannot be easily read through windows

Ensure clean desk policy at all times

Ensure documents are properly shredded and not placed in trash, and that sensitive printouts do not wait in unsecured printers

Secure any roof hatches and skylights

Ensure sewer/tunnel/utility building access is secured

Ensure windows cannot be opened/left open

Ensure all entrances are well-lit

Ensure parking lot and grounds lighting are in working order, timers are set for proper times and are effective

Secure doors and windows so they cannot be easily removed (secured or welded hinges)

Implement security vestibules (mantraps) for access to sensitive areas where possible

Install solid constructed doors for passages between common areas and protected areas

Ensure perimeter walls are floor to desk between public and protected areas

Closed-Circuit Television (CCTV):

Actively monitor cameras during business hours and, if possible, after business hours

Keep video footage for a minimum of 90 days

Ensure video cables are not exposed

Ensure cameras cannot be reached from the ground level or easily disabled

Ensure landscaping does not block cameras views

Ensure camera view of dumpsters and dock/garage/shipping areas

Ensure cameras cover exterior doors and ground-level windows

Ensure cameras cover all entrances/exits including employee entrances and parking areas

Electronic Card Access System:

Manage with internal staff if possible

Integrate with vendor management

Limit console access to authorized personnel

Back up to redundant disaster recovery (DR) site

Ensure system is on a uninterrupted power supply (UPS) in event of power failure

Require two-factor authentication to perimeter doors/sensitive areas

Audit card inventory to ensure return for termination and unassigned cards secured

Audit profiles to ensure business need and approved by manager/department head

Set up time zones based on employee hours/business need

Integrate with burglar alarm system

Color code access cards for employees, visitors, and vendors

Monitor and log all transactions in the system

Disable cards immediately upon termination or loss of card

Implement commercial grade, security lock cylinders

Keep master keys secured

Ensure return when employees leave, change departments, etc

Track when keys are checked out to employees

Key secure/sensitive areas with unique locks/keys

Audit keys (employee assignment, check in/out, copies made, etc.)

Mark all keys Do Not Copy

Rekey locks to sensitive areas when employees with keys terminate employment

I tried to compress this list as much as I could and still provide value, as I have over 200 items on my checklist. If you want to follow a set of standards, you can always refer to COBIT, NIST, PCI, etc.

You should perform your physical security assessment at least annually to stay compliant with the bulk of the standards and frameworks that are out there. If you take over additional floors, or if the environment changes, you should reassess the affected areas. If you do not have the appropriate staff to perform such an audit, there are plenty of third parties that can perform a thorough assessments for you.

Read more on Solutionary Minds about:

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: