How to Create a Physical Security Policy

Physical security is a set of security controls put in place to ensure that only authorized personnel have access to the equipment, resources and other assets in a facility. Physical access controls refer to the selective restriction of access to a location and is most often accomplished through a number of broad security methods that will both control and track who is both entering and leaving a location. When physical security is well implemented, it will protect resources and equipment against theft, vandalism, natural disaster, sabotage, terrorist attacks, cyber-attacks, and inadvertent access to resources. Physical security controls can be determined by identifying your security risks and assets, then prioritizing the highest priority risks and assets. Physical security policies and procedures to protect your systems data and people should follow best practices as defined within industry accepted standards such as NIST 800-53. Let’s discuss some of the controls you should include within your physical security policies. First, physically secure your location with the following physical access controls. Data centers or server rooms and other sensitive areas should be secured to avoid unauthorized access using keys, key cards or biometrics. Only authorized personnel should have access to the rooms and the management of the systems or key cards. Change combinations or remove access from terminated employees. Security equipment needs to be maintained, monitored and tested. Sensitive information systems, desktops handling sensitive information or data, should be placed or positioned to prevent unauthorized access or viewing. Maintain and regularly review physical access logs and keep the logs for defined periods of time. Second, physically secured locations should be prominently posted and separated by physical controls. Third, define your controlled areas, storage locations or containers, and limit access to the controlled areas through locks, cameras, or cards. Fourth, physical access authorization should be well documented, and employees should be made aware of restricted areas through training. Fifth, monitor physical access to offices and secure offices with systems that detect and respond to physical security incidents with logging and reviewing capabilities. Sixth, control visitor access by using visitor procedures, such as a visitor sign in sheet, or a visitor log with an ID check. Provide visitors with badges or require escorts when required in those areas that are not public. Finally, deliveries and removal. Control of the egress or the ingress points into facilities, including from secure locations such as computer or network rooms and for delivery or pickup of facilities. Physical security is a continuous effort and at no point can it be considered perfect. To continue learning about how you can strengthen your organization’s physical security posture, head to 

Related Videos