Introduction to Physical Security

Safeguarding assets, personnel, and sensitive information has become a paramount concern for organizations of all sizes. Implementing a physical security policy plays a crucial role in mitigating risks, deterring threats, and ensuring the continuity of operations. As we delve into this comprehensive guide, we will explore the intricate facets of physical security, its significance, and the essential controls every organization should implement to enhance overall safety and resilience.

Physical security encompasses many measures to protect tangible assets, facilities, and people from unauthorized access, theft, vandalism, and other malicious activities. It is a vital defense against potential threats and provides a robust foundation for organizational security and business continuity.

In this guide, we will navigate the complexities of physical security, dissecting each component and offering practical insights and best practices to fortify your organization’s defenses. From understanding risk assessments to implementing cutting-edge technologies, we will equip you with the knowledge and tools to create a comprehensive physical security strategy tailored to your unique requirements.

Importance of Physical Security Measures

The significance of physical security cannot be overstated in today’s dynamic threat landscape. Effective physical security measures safeguard your organization’s assets and contribute to the well-being and safety of your employees, customers, and stakeholders.

1. Asset protection: Physical security controls are essential for safeguarding valuable assets, such as equipment, inventory, and proprietary information, from theft, damage, or unauthorized access.
2. Employee safety: Implementing robust physical security measures ensures a secure working environment for your employees, fostering a sense of safety and enabling them to focus on their tasks without unnecessary distractions or concerns.
3. Business continuity: By mitigating the risks posed by physical threats, organizations can minimize disruptions to their operations, maintain productivity, and ensure the seamless delivery of products or services to their customers.
4. Compliance and risk management: Many industries are subject to stringent regulations and standards related to physical security. Implementing comprehensive measures helps organizations comply with these requirements, mitigate risks, and avoid costly penalties or legal implications.
5. Reputation and customer trust: A well-designed physical security strategy demonstrates an organization’s commitment to protecting its stakeholders and fostering a secure environment, enhancing its reputation and instilling confidence in its customers and partners.

By prioritizing physical security, organizations can proactively address potential vulnerabilities, deter criminal activities, and cultivate a secure and resilient operational environment, ultimately contributing to their long-term success and sustainability.

Threats to physical security

To effectively address physical security concerns, it is imperative to understand the various threats that organizations may encounter. These threats can originate from internal and external sources, and their impact can range from minor disruptions to catastrophic consequences. Organizations can develop targeted strategies and implement appropriate countermeasures by identifying and assessing these threats.

6. Theft and burglary: One of the most common threats to physical security is the unauthorized removal or theft of valuable assets, such as equipment, inventory, or sensitive information. This can result in significant financial losses, operational disruptions, and potential legal implications.
7. Vandalism and property damage: Acts of vandalism, including graffiti, property destruction, or arson, can compromise the integrity of facilities and disrupt normal operations, leading to costly repairs and potential safety hazards.
8. Unauthorized access: Unauthorized individuals entering restricted areas can pose a significant risk to an organization’s assets, personnel, and sensitive information. This can include disgruntled employees, former contractors, or external actors with malicious intent.
9. Workplace violence: Incidents of workplace violence, such as physical altercations, verbal threats, or active shooter situations, can have devastating consequences for employee safety and organizational operations.
10. Natural disasters and environmental hazards: Extreme weather events, earthquakes, floods, or fires can damage facilities and disrupt operations, necessitating robust physical security measures to mitigate their impact and facilitate effective emergency response.
11. Cyber-physical threats: As technology advances, the convergence of physical and cyber domains introduces new threats, such as the potential for cyber-attacks to compromise physical security systems or the misuse of Internet of Things (IoT) devices for malicious purposes.

By conducting comprehensive risk assessments and staying informed about emerging threats, organizations can proactively identify vulnerabilities and implement appropriate countermeasures to mitigate the risks posed by these various physical security threats.

Understanding Risk Assessment in Physical Security

Effective physical security strategies are built upon a solid foundation of risk assessment. This process involves identifying, analyzing, and evaluating potential risks to an organization’s assets, personnel, and operations. It enables informed decision-making and the implementation of targeted mitigation measures.

12. Asset identification and valuation: The first step in risk assessment is to identify and catalog all critical assets, including facilities, equipment, inventory, and sensitive information. Each asset should be assigned a value based on its importance to the organization and the potential impact of its loss or compromise.
13. Threat identification and analysis: Organizations must identify and analyze potential threats to their physical security, considering both internal and external sources. This includes assessing the likelihood and potential impact of various threats, such as theft, vandalism, unauthorized access, and natural disasters.
14. Vulnerability assessment: A comprehensive vulnerability assessment is conducted to identify weaknesses or gaps in existing physical security measures. This may involve evaluating access control systems, surveillance capabilities, perimeter security, and emergency response procedures.
15. Risk calculation and prioritization: Based on the identified threats, asset values, and vulnerabilities, organizations can calculate the overall risk level for each scenario. This information is then used to prioritize risks and allocate resources effectively to address the most critical areas.
16. Mitigation strategy development: After assessing the risks, organizations can develop and implement mitigation strategies tailored to their specific needs. These strategies may include physical security controls, policies, procedures, and training programs to address identified vulnerabilities and reduce the likelihood or impact of potential threats.

Regular risk assessments are crucial for maintaining an effective physical security posture. As threats evolve and organizational needs change, reassessing risks and adjusting mitigation strategies ensures that physical security measures remain relevant and practical.

Essential Controls for Physical Security

A comprehensive physical security strategy requires a multi-layered approach incorporating various essential controls. These controls work in concert to create a robust defense against potential threats, deterring unauthorized access and safeguarding organizational assets and personnel.

Perimeter Security Measures

Perimeter security is the first line of defense in physical security, establishing a clearly defined boundary around facilities or designated areas. Effective perimeter security measures include:

17. Fencing and barriers: Sturdy fencing and gates can deter unauthorized entry and channel foot and vehicle traffic to designated access points.
18. Landscaping and lighting: Strategic landscaping and adequate lighting can enhance visibility, eliminate potential hiding spots, and discourage criminal activities around the perimeter.
19. Access control points: Designated access points equipped with access control systems, such as gates, turnstiles, or security checkpoints, regulate and monitor entry and exit to the premises.
20. Surveillance and monitoring: Strategically placed cameras, motion sensors, and patrols can continuously monitor the perimeter, enabling timely detection and response to potential breaches.

By implementing robust perimeter security measures, organizations can establish a secure outer layer of defense, deter potential threats, and create a controlled environment within the premises.

Access Control Systems and Procedures

Access control systems and procedures are critical for managing and restricting access to facilities, sensitive areas, or resources based on predefined criteria. These systems and procedures ensure that only authorized individuals gain entry, mitigating the risk of unauthorized access and potential security breaches.

21. Identification and authentication methods: Organizations can employ various identification and authentication methods, such as access cards, biometric systems (e.g., fingerprint or facial recognition), or personal identification numbers (PINs), to verify an individual’s identity and authorization level.
22. Access levels and permissions: By implementing a role-based access control model, organizations can assign specific access levels and permissions to individuals or groups based on their job responsibilities and need-to-know requirements.
23. Visitor management: Robust visitor management procedures, including visitor registration, identification verification, and escort protocols, help maintain accountability and control over non-employees’ access to the premises.
24. Access logs and auditing: Comprehensive access logs and regular auditing processes enable organizations to monitor and review access activities, identify potential security breaches, and take corrective actions when necessary.
25. Physical key management: Strict policies and procedures for managing physical keys, including key distribution, tracking, and recovery, can prevent unauthorized duplication or misuse.

Organizations can effectively manage and restrict access to sensitive areas, assets, and resources by implementing robust access control systems and procedures, reducing the risk of unauthorized entry and potential security breaches.

Security Personnel and their Roles

Trained and competent security personnel play a crucial role in implementing and maintaining effective physical security measures. Their responsibilities encompass a wide range of tasks, including:

26. Access control and monitoring: Security personnel manage access control systems, verify identities, and monitor entry and exit points to ensure that only authorized individuals gain access to facilities or restricted areas.
27. Patrols and surveillance: Security personnel conduct regular patrols and surveillance activities to help detect potential security breaches, deter criminal activities, and provide a visible security presence within the premises.
28. Emergency response and incident management: In an emergency or security incident, security personnel are responsible for initiating appropriate response protocols, coordinating with emergency services, and managing the situation to minimize potential risks and damages.
29. Reporting and documentation: Accurate and timely reporting of security incidents, observations, and activities is essential for maintaining comprehensive records, enabling analysis, and supporting investigations or legal proceedings when necessary.
30. Training and awareness: Security personnel are crucial in promoting security awareness and training employees, contractors, and visitors on physical security policies, procedures, and best practices.

Effective security personnel management involves thorough recruitment processes, comprehensive training programs, and transparent policies and procedures to ensure consistent and professional conduct. Regular performance evaluations and ongoing training help maintain high standards and ensure personnel are equipped with the necessary knowledge and skills to fulfill their roles effectively.

Video Surveillance and Monitoring

Video surveillance and monitoring systems are invaluable tools in physical security, providing real-time visibility, deterring criminal activities, and enabling prompt incident response. These systems encompass various components, including:

31. Closed-circuit television (CCTV) cameras: Strategic placement of high-quality CCTV cameras throughout the premises, including entry/exit points, restricted areas, and high-traffic zones, enables comprehensive monitoring and recording of activities.
32. Video management systems (VMS): A VMS is a centralized platform that integrates and manages multiple camera feeds, enabling efficient monitoring, recording, and retrieval of video footage.
33. Video analytics: Advanced video analytics capabilities, such as motion detection, object tracking, and facial recognition, can enhance the effectiveness of surveillance systems by alerting security personnel to potential threats or suspicious activities.
34. Remote monitoring and access: Secure remote access to surveillance systems allows authorized personnel to monitor and review footage from off-site locations, enabling timely response and support.
35. Data storage and retention: Robust data storage solutions and retention policies ensure that video footage is securely stored and readily available for investigation or evidentiary purposes when needed.

Effective video surveillance and monitoring systems enhance situational awareness and provide valuable evidence in security incidents or investigations. Regular maintenance, software updates, and personnel training are essential to ensure these systems’ optimal performance and reliability.

Alarm Systems and Emergency Response Procedures

Alarm systems and well-defined emergency response procedures are critical components of a comprehensive physical security strategy. These measures enable timely detection of potential threats and facilitate coordinated and efficient responses to mitigate risks and minimize possible damages.

36. Intrusion detection systems: These systems, which may include motion sensors, door/window contacts, and glass-break detectors, are designed to detect unauthorized entry or movement within protected areas and trigger alarms.
37. Fire and environmental monitoring systems: Fire alarms, smoke detectors, and environmental monitoring systems (e.g., temperature, humidity, and water leak sensors) help detect and alert personnel to potential fire or environmental hazards, enabling prompt response and mitigation efforts.
38. Duress alarms and panic buttons: Strategically placed duress alarms or panic buttons allow personnel to discreetly alert security teams or law enforcement in an emergency or threat, enabling rapid response and intervention.
39. Emergency response plans: Comprehensive plans outline specific procedures and protocols to be followed in various emergency scenarios, such as fires, natural disasters, or security breaches. These plans should be regularly reviewed, updated, and communicated to all relevant personnel.
40. Coordination with emergency services: Establishing solid relationships and communication channels with local emergency services, such as law enforcement, fire departments, and emergency medical services, is crucial for ensuring effective coordination and response during critical incidents.

Regular testing, maintenance, and drills for alarm systems and emergency response procedures are essential to ensure their reliability and effectiveness. Additionally, providing ongoing training and awareness programs for personnel can enhance their preparedness and ability to respond appropriately in emergencies.

Physical Security Best Practices

Implementing effective physical security measures requires adherence to industry best practices and a commitment to continuous improvement. By adopting these best practices, organizations can enhance their security posture, reduce risks, and foster a culture of safety and preparedness.

41. Comprehensive security policies and procedures: Develop and maintain clear and comprehensive security policies and procedures that outline expectations, responsibilities, and protocols for all aspects of physical security, including access control, surveillance, incident response, and employee training.
42. Risk-based approach: Adopt a risk-based approach to physical security by conducting regular risk assessments, prioritizing mitigation efforts based on identified threats and vulnerabilities, and allocating resources accordingly.
43. Layered security approach: Implement a layered security approach that combines multiple security measures, such as perimeter security, access control, surveillance, and alarm systems, to create a robust and redundant defense against potential threats.
44. Integration and interoperability: Ensure that physical security systems and technologies are integrated and interoperable. This enables seamless communication and data sharing between components, enhancing situational awareness and efficient incident response.
45. Regular maintenance and testing: Establish a comprehensive maintenance and testing program for all physical security systems, including access control, surveillance, and alarm systems, to ensure optimal performance and reliability.
46. Continuous training and awareness: Provide ongoing training and awareness programs for all personnel, including security staff, employees, contractors, and visitors, to promote a culture of security awareness and ensure adherence to established policies and procedures.
47. Collaboration and information sharing: Foster collaboration and information sharing with relevant stakeholders, such as law enforcement agencies, industry associations, and other organizations, to stay informed about emerging threats, best practices, and lessons learned.
48. Incident response and investigation: Develop robust incident response and investigation protocols to effectively manage security incidents, gather evidence, and conduct thorough investigations to identify root causes and implement corrective measures.
49. Continuous improvement: Regularly review and assess the effectiveness of physical security measures, identify areas for improvement, and implement necessary changes to adapt to evolving threats, technologies, and organizational needs.

By embracing these best practices, organizations can enhance their physical security posture, mitigate risks, and foster a secure and resilient environment for their operations, assets, and personnel.

Implementing a Comprehensive Physical Security Plan

Developing and implementing a comprehensive physical security plan is a multi-faceted process that requires careful planning, collaboration, and a strategic approach. By following a structured methodology, organizations can ensure that their physical security measures are tailored to their specific needs, aligned with industry best practices, and effectively mitigate potential risks.

50. Establish a physical security team: Assemble a cross-functional team comprising representatives from various departments, such as security, facilities management, IT, human resources, and operations. This team will drive the physical security planning and implementation process.
51. Conduct a risk assessment: Perform a thorough risk assessment to identify potential threats, vulnerabilities, and the impact they may have on the organization’s assets, personnel, and operations. This assessment will serve as the foundation for developing targeted security measures.
52. Define security objectives and requirements: Based on the risk assessment findings, establish clear security objectives and requirements that align with the organization’s overall risk tolerance and business goals. These objectives should address asset protection, personnel safety, and operational continuity.
53. Develop a physical security strategy: Formulate a comprehensive physical security strategy that outlines the specific measures and controls to be implemented, including perimeter security, access control, surveillance, alarm systems, and emergency response procedures. Ensure the strategy incorporates industry best practices and aligns with relevant regulations and standards.
54. Design and implement security measures: Based on the defined strategy, design and implement the necessary physical security measures. This may involve procuring and installing security equipment, implementing access control systems, establishing security policies and procedures, and training personnel.
55. Integrate physical and cybersecurity measures: Ensure that physical security measures are integrated with cybersecurity measures to address potential cyber-physical threats and vulnerabilities. Collaborate with IT and cybersecurity teams to establish secure communication channels and data protection protocols.
56. Test and validate security measures: Thoroughly test and validate implemented security measures to ensure their effectiveness and identify potential gaps or areas for improvement. This may involve simulated security breach scenarios, penetration testing, and system audits.
57. Establish monitoring and reporting processes: Implement processes for continuous monitoring and reporting of security incidents, system performance, and compliance with established policies and procedures. This will enable timely response, incident investigation, and ongoing improvement of security measures.
58. Develop a maintenance and review plan: Establish a comprehensive maintenance and review plan to ensure the ongoing effectiveness of physical security measures. This plan should include regular system updates, maintenance, testing, and periodic reviews to address evolving threats, technological advancements, and changes in organizational needs.
59. Foster a security-conscious culture: Implement ongoing training and awareness programs to promote a security-conscious culture within the organization. Encourage employees to actively participate in maintaining a secure environment and report any potential security concerns or incidents.

By following a structured approach and involving key stakeholders throughout the process, organizations can develop and implement a comprehensive physical security plan that effectively addresses their unique risks and requirements, ensuring the protection of their assets, personnel, and operations.

Integrating physical and cybersecurity measures

The lines between physical and cybersecurity are increasingly blurred in today’s interconnected world. As technology advances, the convergence of these domains has become more pronounced, necessitating an integrated approach to address potential cyber-physical threats and vulnerabilities.

60. Cyber-physical system security: Many physical security systems, such as access control, surveillance cameras, and building automation systems, rely on networked technologies and internet connectivity. Ensuring the cybersecurity of these systems is crucial to prevent unauthorized access, data breaches, or system manipulation that could compromise physical security measures.
61. Vulnerability assessments: Conduct comprehensive assessments considering physical and cyber threats. Identify potential attack vectors, such as exploiting vulnerabilities in networked security systems or leveraging IoT devices as entry points for cyber-attacks that could impact physical security.
62. Secure system integration: When integrating physical and cybersecurity systems, implement robust security measures, such as encryption, authentication protocols, and secure communication channels, to protect data transmissions and prevent unauthorized access or tampering.
63. Access control and identity management: Establish a unified access control and identity management system that governs physical and logical access to facilities, systems, and resources. This approach ensures consistent access policies, streamlines user management, and enhances overall security.
64. Incident response and coordination: Develop integrated plans and protocols addressing physical and cyber incidents. Foster collaboration and information sharing between physical security and cybersecurity teams to enable coordinated response efforts and effective threat mitigation.
65. Continuous monitoring and auditing: Implement continuous monitoring and auditing processes encompassing physical and cybersecurity systems. Review system logs, audit trails, and security event data to identify potential threats or anomalies that may indicate a cyber-physical attack or breach.
66. Personnel training and awareness: Provide comprehensive training and awareness programs that address the intersection of physical and cybersecurity. Educate employees on maintaining a secure environment, recognizing potential threats, and adhering to established security protocols for both domains.

By integrating physical and cybersecurity measures, organizations can adopt a holistic approach to security, addressing the convergence of threats and vulnerabilities across both domains. This integrated approach enhances overall resilience, reduces the risk of cyber-physical attacks, and ensures a more comprehensive protection of organizational assets, personnel, and operations.

Training and Awareness for Physical Security

Effective physical security relies not only on robust technical measures but also on a well-trained and security-conscious workforce. Comprehensive training and awareness are essential for ensuring employees understand their roles and responsibilities in maintaining a secure environment.

67. New employee onboarding: Incorporate physical security training as part of the onboarding process for new employees. Educate them on the organization’s security policies, procedures, best practices, and responsibilities in upholding security standards.
68. Ongoing training programs: Develop and implement ongoing training programs that cover various aspects of physical security, such as access control procedures, emergency response protocols, and incident reporting. These programs should be tailored to different roles and responsibilities within the organization.
69. Security awareness campaigns: Conduct regular security awareness campaigns to reinforce the importance of physical security and promote a security-conscious culture. These campaigns can include emails, posters, newsletters, or interactive sessions highlighting security best practices, potential threats, and consequences of non-compliance.
70. Scenario-based training: Incorporate scenario-based training exercises that simulate real-life security incidents or breaches. These exercises can help employees understand how to respond appropriately in various situations and reinforce the importance of following established security protocols.
71. Security drills and exercises: Conduct regular security drills and exercises, such as evacuation drills, lockdown procedures, or active shooter response training. These drills prepare employees for potential emergencies, reinforce the importance of physical security measures, and ensure familiarity with response protocols.
72. Security briefings and updates: Provide regular security briefings and updates to keep employees informed about emerging threats, security policies or procedures changes, and any lessons learned from previous incidents or exercises.
73. Cross-functional collaboration: Foster collaboration and knowledge sharing between departments, such as security, IT, facilities management, and human resources. This cross-functional approach ensures a comprehensive understanding of physical security requirements and promotes a cohesive security culture.

By investing in comprehensive training and awareness programs, organizations can empower their workforce to become active participants in maintaining a secure environment. A well-trained and security-conscious workforce is valuable in deterring potential threats, identifying vulnerabilities, and responding effectively to security incidents.

Physical security audits and assessments

Regular audits and assessments are crucial for evaluating the effectiveness of an organization’s physical security measures and identifying areas for improvement. These processes provide an objective and comprehensive review of security controls, policies, and procedures, ensuring compliance with industry standards and best practices.

74. Internal audits: Conduct periodic internal audits to assess the organization’s adherence to established physical security policies and procedures. A dedicated team of qualified personnel with expertise in physical security practices should perform these audits.
75. External audits and assessments: Engage third-party security professionals or industry experts to conduct independent audits and assessments. External audits provide an unbiased evaluation of the organization’s physical security posture and can identify potential vulnerabilities or blind spots that may have been overlooked internally.
76. Compliance audits: Conduct audits specifically assessing adherence to relevant industry regulations, standards, and legal requirements to ensure compliance with applicable industry regulations, standards, and legal requirements. These audits are essential for organizations operating in highly regulated industries like healthcare, finance, or government.
77. Risk-based audits: Conduct risk-based audits prioritizing areas with higher potential risks or vulnerabilities. These audits can be triggered by changes in the threat landscape, new technologies, or significant organizational changes that may impact physical security requirements.
78. Penetration testing: Engage ethical hackers or security professionals to perform penetration testing exercises. These simulated attacks aim to identify vulnerabilities in physical security systems, access control measures, or other security controls, providing valuable insights for improving defenses.
79. Incident response audits: Evaluate the effectiveness of incident response procedures and protocols by conducting audits that simulate security incidents or breaches. These audits can help identify areas for improvement in incident detection, response, and recovery processes.
80. Documentation review: Conduct thorough reviews of physical security documentation, including policies, procedures, incident reports, and audit trails. These reviews can help identify inconsistencies, gaps, or areas that require clarification or updating.

Organizations can proactively identify vulnerabilities, ensure compliance, and continuously improve physical security by conducting regular audits and assessments. The findings and recommendations from these processes should be carefully analyzed and incorporated into an ongoing improvement plan to maintain a robust and resilient security posture.

The Future of Physical Security

As technology continues to evolve rapidly, the landscape of physical security is poised for significant advancements and transformations. Embracing these emerging trends and innovations will be crucial for organizations to stay ahead of potential threats and maintain a secure environment.

81. Integration of artificial intelligence (AI) and machine learning (ML): AI and ML technologies are revolutionizing various aspects of physical security. From advanced video analytics and pattern recognition to predictive threat modeling and automated decision-making, these technologies offer enhanced situational awareness, improved threat detection, and more efficient security operations.
82. Biometric authentication and access control: Biometric technologies, such as facial recognition, iris scanning, and fingerprint identification, are becoming increasingly sophisticated and cost-effective. These solutions offer more secure and convenient access control methods, reducing the risk of unauthorized access and enhancing overall security.
83. Internet of Things (IoT) and smart building integration: The proliferation of IoT devices and intelligent building technologies presents opportunities and challenges for physical security. While these systems can provide real-time monitoring, automated control, and enhanced operational efficiency, they also introduce new cybersecurity risks that must be addressed through robust security measures and integration with physical security systems.
84. Robotics and autonomous systems: Robotics and autonomous systems are being explored for various physical security applications, such as automated patrols, surveillance, and incident response. These technologies can augment human security personnel, enhance monitoring capabilities, and enable more efficient and effective security operations.
85. Cloud-based security solutions: Cloud-based physical security solutions offer scalability, remote access, and centralized management capabilities. These solutions can streamline operations, reduce infrastructure costs, and enable real-time data sharing and collaboration among distributed teams and locations.
86. Convergence of physical and cybersecurity: As cyber threats evolve, the convergence of physical and cybersecurity will become increasingly critical. Organizations must adopt an integrated approach to address cyber-physical threats, ensuring that physical security systems are secured against cyber-attacks and leveraging cybersecurity measures to enhance overall resilience.
87. Regulatory and compliance changes: As new technologies and threats emerge, regulatory bodies and industry standards will adapt to address evolving security challenges. Organizations must stay informed and proactively address compliance requirements to maintain a secure and compliant physical security posture.

By embracing these emerging trends and technologies, organizations can enhance their physical security capabilities, stay ahead of potential threats, and maintain a secure and resilient environment for their operations, assets, and personnel.

Conclusion

In the ever-changing landscape of organizational security, physical security remains a critical component that cannot be overlooked. Organizations can effectively mitigate risks, deter potential threats, and safeguard their assets, personnel, and operations by implementing a comprehensive physical security strategy and adhering to industry best practices.

Physical Security Policy – Example

Purpose

This policy aims to protect the company’s physical information systems by setting standards for secure operations.

Scope

This policy applies to the physical security of SOname’s information systems, including, but not limited to, all company-owned or company-provided network devices, servers, personal computers, mobile devices, and storage media.

Policy

Limited and Monitored Physical Access

SOname maintains appropriate facility entry controls to limit and monitor physical access to SOname information assets and resources.

All SOname users ensure that every physical access point is controlled during working hours and locked during non-duty hours and ensure that the following measures are taken concerning the security of the building(s):

• Before securing the building/office, ensure that all areas are vacated.
• Ensure that all lights and electrical appliances are switched off.
• Never leave the building/office via the fire exit (unless in the case of an emergency).
• Ensure that motion sensor alarms are activated.

Environmental Controls

Environmental controls are implemented to protect all critical information assets. Critical information assets are provided in a dry, climate-controlled environment. Additional controls include:

• Uninterruptable Power Supply (UPS)
• Battery-operated or electric stand-alone smoke detectors are installed
• Computing facilities undergo a periodic fire marshal inspection

Physical Access to Network Devices

Only authorized personnel with a need-to-know shall be granted physical access to computing faculties. Network devices such as switches, routers, firewalls, and other appliances are locked. Physical access to the room must be previously authorized and logged by SOname Management.

Keys & Security Systems

Keys and systems access devices must be logged and managed. Terminated employees must turn in their keys and leave the office immediately. Supervisors should escort the employee from the office and ensure the terminated employee takes no SOname information assets or information resources. All applicable locks and security system codes should be changed as needed based on SOname management guidance.

Video Monitoring

The organization employs video surveillance of physical access to sensitive areas. These cameras shall be protected from tampering or disabling of the device. The cameras’ results shall be reviewed regularly and correlated with other entries and access control information, such as audit trails, sign-in sheets, authorization levels, and maintenance logs. The camera information shall be stored for at least three months following the organization’s retention policy.

Visitor Access

It is SOname policy to maintain the following visitor access controls:

• Use a visitor log to maintain a physical audit trail of all visitor activity.
  • Log requirements include the visitor’s name, date and time of visit, the firm represented, and the onsite personnel authorizing physical access
  • Retain this log for at least three months unless otherwise legally restricted.
• Upon validation of photo ID (government-issued driver’s license), Provide visitors with a temporary name badge or identifier to alert SOname employees
  • Require visitors to turn in the temporary name badge or identifier before leaving.
• Ensure visitors are authorized access to areas where restricted data is stored or processed.

Revision