Physical Security


The topic of Physical Security addresses areas of security that relate to physical building access, management of physical assets, working in secure locations and environmental controls/conditions. Essentially, measures that concern areas in the company’s facilities that contain equipment and devices providing access to information and technology systems.

As a minimum, guidelines in this topic should cover:

  • Company Building Access – who and where
  • Identification – how to distinguish ‘friend’ from potential ‘foe’
  • Security Areas – definition of types and controls
  • Environmental Controls – safeguarding systems.

Policy Explanation

Controls around the purpose, use and security of each of the company buildings should be defined so there is clarity on the level of authorisation required to enter those areas. This will involve defining the different types of technology system present/available in the various areas and aligning access to those individuals that require it – following the ‘need to know’ principle.

Roughly speaking, each physical area of the business can be classified in one of the following security terms:

  • Public Access – areas available to members of the public and other non-employees
  • Office Areas – areas where employees will be located to carry out their normal duties
  • Restricted Access – areas requiring elevated authorisation levels
  • Offsite Facilities – areas remote from the main operating location(s).

In the case of public areas, this may include reception areas, meeting rooms and any general office area that members of the public (non-employees) may visit. Office areas are those that are routinely used by employees, but may occasionally have non-employees present.

The areas covered by guidelines on restricted or security areas are those that house technology and other computer equipment, eg computer rooms, data centres, network cabinets, etc. However, areas where end-user devices are located may also be included in these guidelines, if the devices can access sensitive information.

And don’t forget offsite facilities – this topic is not only about the main company premises. This may involve the housing of company equipment by hosting providers, eg shared data centre facilities, etc but also includes areas such as offsite storage facilities. If you use specialised storage facilities for tapes and other media or equipment containing digital data or hardcopy information, you must include the security of these sites to properly consider vulnerabilities that may exist, eg the risk of unauthorised access, theft, etc.

Identification concerns the means of identifying those that are authorised to access different locations in the business operating environment. Standard measures involve ID cards, name tags and badges, electronic key tags (sometimes combined with ID cards), so individuals can be identified as employees, visitors, contractors, etc. There may be a need to include different levels of ID/access cards depending on what restrictions exist to control access to sensitive areas, eg if a secure area requires separate arrangements to provide authorisation, a differently configured electronic tag may be needed to facilitate access.

Perhaps not so obvious but equally important in the context of this topic is how to manage physical security of the various cabling cabinets, ducts and electrical panels that support information technology. These areas house the building wiring needed to service the network devices, power systems and environmental controls, ensuring equipment is available and operating. Even though there may not be regular access to these areas, the security measures relevant to these areas must be included in the overall framework to protect them from unauthorised access. Generally, these building facilities are managed by personnel other than those concerned with information security. In this situation, there will need to be collaboration across several different teams to ensure the security is properly arranged.

Environment controls involve the management of conditions that allow the proper use of equipment and systems, within defined operating parameters. This will involve systems such as air-conditioning, fire-fighting systems, waterproofing, etc and any other environmental controls that maintain the operating capability of equipment and devices.

Similarly, areas that include alarms, electronic access control systems, cameras, CCTV, etc must be included in the guidelines for physical security. Again, measures to control and safeguard these devices will need collaboration between those responsible for information security and the physical building security providers. This overlap in responsibilities for different purposes must be clearly defined so there is no confusion over where the day to day management belongs.

More To Come...

Look out for the next instalment in this topic.

In the meantime, browse more Thistle Tech posts by clicking this button.

Need Assistance?

If you need assistance with this topic,

or advice on any other aspect of what we do,

feel free to contact us using this button.