The physical security policy of an organization is a list of checks, controls, and safeguards that are necessary to protect the organization's assets. These assets include data centers, network equipment, storage facilities, operations centers and other areas critical to the organization. The physical security measures also cover protection of the organization's employees and other tangible products and services. Primarily, the policy determines who does or does not get access to physical locations within the various areas of the campus. However, it also covers protection of the organization's assets from environmental disasters caused by natural elements such as fire or water. The subsequent paragraphs in this document provide the security team with a comprehensive template for designing a physical security policy for their organization.

Template Structure and Design

It is recommended to divide the entire policy into sections. Each section should contain a brief description of the area of physical security that you want to cover. It is recommended to use a bullet-point guideline or a checklist containing questions that help in capturing all the significant points. It is standard practice to use a Word document to record the entire physical security policy of your organization.

It is also a good idea to have a separate page which contains information such as the version of the physical security policy, the last audit date, the department or individual responsible for ownership of the document, a single point of contact and other necessary information. More details can be added later as required.

Now that the scope and basic structure are in place, let's talk about the various sections that you need to include as part of the Physical Security policy for your company. Along with brief explanations, we have also provided some examples of the policy statements you can use for each section.

Audience

The primary audience for this document is:

  • Members of the organization’s IT department
  • The Chief Information Officer (CIO)
  • Members of the organization’s Risk Assessment and Management team
  • Individual, team or department in charge of organizational security

Scope

It is good practice to start by defining the scope of the policy. To ensure clarity, we recommend segmenting the organizational assets and resources into Internal and External.

The internal resources include all the servers, network equipment, computing resources and other tangible assets which the company directly owns, controls and manages.

The external resources include all assets that are owned, controlled and managed by an entity other than your organization. It is essential to include them in the scope, since these resources have the power to impact your organization's operations and efficiency.

Construction

It is necessary to ensure that the construction of all workspaces, storage centres, and other facilities meets the specific guidelines mandated by the applicable authorities. An organization built on strong architectural foundations that satisfies the construction requirements is an absolute must for adequate protection. Some of the policy guidelines can be:

  • Facilities constructed by using approved architectural and engineering drawings
  • Secure foundations built according to mandatory zoning requirements

It is advised to collaborate with the construction company from the beginning to ensure that all requirements are made clear. Apart from basic structural guidelines, this section should also provide guidelines for the construction of secured areas and essential facilities. Different organizations have different requirements, and hence customization plans should also be discussed with the construction team in advance.

Secured Areas

These are the areas which house the most important facilities of the organization's campus. They might contain servers storing your most confidential data, or they might run critical operations and activities core to your business. For any organization, the first step is to identify and list your secured areas and the facilities they consist of. Since these areas contain sensitive information or equipment, the following guidelines should be in the policy:

  • Only authorized individuals with appropriate ID should be allowed access to these areas
  • No cellular phones, recording, photography or videography devices should be permitted inside the secured areas
  • These areas should be physically secured at all times

Physical Access Control

Arguably the most basic and mandatory section of the Physical Security Policy, this section ensures asset and resource protection at multiple levels.

Security Personnel: Most organizations have a partner security agency which provides personnel trained in security management to protect the organization's points of entry. It is vital to ensure that the contract with the security agency includes all the requirements and is renewed from time to time based on performance. Policy guidelines to be included in this section are:

  • Security personnel to monitor and control all areas where individuals enter and leave the organization
  • Security personnel to aid and facilitate the entry and exit procedures and provisions for all employees as well as external agents
  • Security personnel to be stationed at all times outside secured areas
  • 24x7 monitoring in compliance with all facility access provisions
  • Enforcement of proper security guidelines through appropriate telephone and radio communications

Physical Barricades: This includes physical elements like gates, fences, checkpoints and others which are usually deployed at the point of public access. The physical barricades are your first line of defense, since they separate authorized personnel from the general public. They are a must-have requirement for any data center, workplace or other facility of your organization. A few examples of policy guidelines are:

  • All public entry points should have gates manned by security personnel
  • Fences should cover all the walls surrounding the central facility and campus

Physical Entry Controls: This section deals with the various options that are used to allow and approve entry for both employees and external agents. The protection measures generally used are biometric devices, electronic access with card swiping, or facial recognition. It is necessary to have provisions for physical entry for all personnel that enter the organization. For example, trucks delivering essential supplies inside the organization would require a special provision for physical entry.

  • All employees should be provided with biometric card reader access to allow physical entry inside the campus
  • All third-party agents should be required to register and enter their personal information including the purpose of the visit before granting access
  • All unauthorized equipment and personal items will either be stored or marked safe before entry into campus premises

Equipment and Device Security

An essential part of the physical security policy is to ensure the safety and protection of computers, routers, cables and other devices essential for business. We need to protect these pieces of equipment and devices from physical threats as well as environmental harm. We can divide this section into specific areas to better address the challenges and requirements of the policy.

Secured Location: This area deals with the physical location of the device and all the necessary physical and environmental checks for its protection. For example, a server room tends to get extremely hot. Maintaining a specific temperature in that room is vital.

  • The organization must maintain all the necessary physical and environmental requirements depending on the equipment
  • Access for authorized personnel only along with essential warning signs on the room door or outside wall

Employee Awareness and Training: For some pieces of equipment, employees are the asset owner and hence the organization or the IT department needs to make them aware of the necessary rules, standards, and guidelines regarding the physical protection of the asset. Some example policy guidelines can include:

  • Regular information dissemination to the concerned employee regarding asset physical security policy
  • Employees must undergo specific training at regular intervals to ensure that they follow the proper response procedure if a security incident occurs

Power Supplies and Failures: Even a small irregularity in the power supply may result in a massive disaster for some devices. For this reason, it is necessary to create standards to avoid short circuits and power supply-related issues that can cause physical damage through fire or other accidents. For example, a guideline can be:

  • Regular monitoring of power supply to essential pieces of equipment and devices

Power Backups: This area covers the situation in case of power failure. Does your organization have the necessary generators or other alternative power sources to keep the business active and running? For example:

  • List of alternate power sources and generators in case of power failure

Equipment buying and maintenance: A company should ensure that all devices and pieces of equipment are procured from standard companies. This procedure reduces the risk of failure and keeps the cost of maintenance low. Suggested policy guidelines are:

  • Regular maintenance checks of all devices and pieces of equipment to ensure that they are in sync with current industry standards
  • Replacement and upgrade of devices and pieces of equipment at regular intervals

Access: Areas which contain sensitive equipment and devices should be cordoned off from general access by giving the actual users special access privileges. The organization should review these access rights frequently and keep them up to date. For example, a guideline can be as follows:

  • Server rooms and IT equipment rooms should be allowed access only to employees whose job responsibilities involve working with that server or equipment
  • Card readers, biometrics and facial recognition should be configured to reflect the special authorized access to specific areas of the facility where sensitive equipment and devices are located

Surveillance Systems

Especially during non-business hours, the use of surveillance systems is beneficial to detect any unusual activity that requires immediate attention. These systems usually consist of CCTV or IP cameras placed at strategic locations throughout the campus. It is necessary that security personnel continuously monitor the live feed to detect any irregularities. Some examples of policy guidelines are as follows:

  • CCTV cameras should monitor all the necessary areas inside the campus
  • The organization should archive and store footage for at least 90 days before disposal

Security Alarm Points

These points can include both hardwired physical and wireless alarm points. The organization should install the alarms in areas of vulnerability. The idea is to trigger an alarm on a security compromise so that the responsible individual can be notified. Additionally, the response procedure with an action plan should be appropriately documented and accessible. A suggested policy guideline is:

  • Proper documentation of all security alarm points along with response procedures

Security Incidents and Reporting

Even if multiple preventive provisions are in place, it is still possible that a security incident occurs. A security incident is an event in which the integrity of an organizational asset, equipment or data is either compromised or at risk. It is essential to make sure that these incidents are adequately reported and documented so that further corrective action can be taken. The security guidelines corresponding to this can include:

  • The employee or observer should immediately report all incidents related to physical security to the designated individual or department

Emergency Policies

These policies define the response in case of an unlikely emergency. There are many situations, both natural and human-made, where the physical security of the campus facilities, equipment or employees can be at risk. In case of any such unfortunate incident, there should be pre-defined policies which set out the further course of action. Some policy guidelines to include here are:

  • Gather at the designated assembly points in case of an earthquake
  • Documented response in case of a hostage situation

Conclusion

That's it. You now have a basic template to plan and design an effective physical security policy for your company. This template is an essential toolkit that gives the Information Security department the right direction to start working. However, every organization has a unique set of requirements when it comes to protecting its assets and resources. The best way to customize this template for your organization is to follow an iterative process. Start with the basics, apply it, and keep modifying it until it fits your needs.