15 Dec

Performing a Physical Security Audit

Photo from security.honeywell.com

Physical Security audits are designed to ensure that data and information technology infrastructure are protected from malicious and/or unintentional acts of harm. That includes preventing hackers from plugging directly into your machines to steal data or preventing a clumsy co-worker from spilling coffee on a server rack.

Physical Security audits are most common for data centers and co-location providers, but might be considered valuable to any company that stores their own data or performs a critical process on site. That may include hard copy data as well.

For example, a few of my previous clients were in the industry of printing and bulk mailing customized mass mail (think bank statements or government notifications). Their print floor housed millions of envelopes full of social security numbers, telephone numbers, account numbers, and mailing addresses. It was basically a hard copy version of a large customer database. Even though they didn’t host their own data – a physical security audit was still important to demonstrate the commitment to protect customer data.

Here are a few controls you might want to consider for your next physical security audit:

1. The Company maintains up-to-date Physical Security policies and procedures governing required physical security practices for all employees.
2. Physical access to the data center, servers, and premises is restricted to appropriate employees using a key card and a biometric system.
3. Physical access to the network, telecommunications, and power rooms is further restricted to appropriate individuals using a key card system.
4. Administrative access to the key-card management and biometric scanner applications is restricted to appropriate individuals based on job function.
5. User access to the key-card management and biometric scanner applications is reviewed on a quarterly basis, and access changes requested as a result of the review are applied.
6. New employee and new customer physical access is documented and approved for activation in the key card and biometric scanner applications prior to gaining access to the facility.
7. Employee access to the key-card management and biometric scanner applications is removed upon termination.
8. Access to server cages and cabinets is secured by locking mechanisms to prevent unauthorized access. In case of an emergency, the Company’s management maintains a master key to access the server cages.
9. Visitors must be escorted by a valid badge holder (employee or customer) while onsite.
10. Background checks are performed and the results are evaluated for new employees prior to employment.
11. Video surveillance equipment is placed in key areas throughout the facility (including all access points to the data center). All video is retained for a minimum period of 30 days.
12. Access doors to the data center are configured to activate alarms if a door is held open for more than 60 seconds.
13. Sensitive data is shredded and stored in locked trash bins for disposal.
14. Trash bins which house sensitive documents are removed from the facility for disposal by an authorized third party contracted for the secure removal of waste.
15. A security guard(s) is on site at the facility at all times to monitor building access and potential security events.
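One way to test controls 7 and 12 against exported evidence, as an added example that is not part of the original post. The HR roster, badge export and door event log are constructed samples, and their field names and event types are assumptions rather than any real badge system's format.

```python
from datetime import date, datetime

# Constructed sample evidence; field names and event types are assumptions.
HR_ROSTER = {                       # employee_id -> termination date (None = active)
    "E100": None,
    "E101": date(2023, 11, 3),
    "E102": date(2023, 12, 1),
}
BADGE_EXPORT = [                    # export from the key-card application
    {"badge_id": "B-1", "employee_id": "E100", "active": True},
    {"badge_id": "B-2", "employee_id": "E101", "active": True},
    {"badge_id": "B-3", "employee_id": "E102", "active": False},
]
DOOR_EVENTS = [                     # (timestamp, door, event)
    ("2023-12-10 09:00:00", "DC-1", "open"),
    ("2023-12-10 09:00:20", "DC-1", "close"),
    ("2023-12-10 14:30:00", "DC-1", "open"),
    ("2023-12-10 14:32:05", "DC-1", "close"),
    ("2023-12-11 08:00:00", "DC-2", "open"),
    ("2023-12-11 08:01:01", "DC-2", "alarm"),
    ("2023-12-11 08:01:30", "DC-2", "close"),
]

def terminated_with_access(roster, badges, as_of):
    """Control 7: active badges whose holder was terminated on or before as_of."""
    findings = []
    for badge in badges:
        term = roster.get(badge["employee_id"])  # unknown IDs are not flagged here
        if badge["active"] and term is not None and term <= as_of:
            findings.append((badge["badge_id"], badge["employee_id"], term.isoformat()))
    return findings

def held_open_without_alarm(events, limit_s=60):
    """Control 12: doors held open longer than limit_s with no alarm logged."""
    fmt = "%Y-%m-%d %H:%M:%S"
    opened, alarmed, findings = {}, set(), []
    for ts, door, kind in sorted(events):
        when = datetime.strptime(ts, fmt)
        if kind == "open":
            opened[door] = when
            alarmed.discard(door)       # a new open starts a fresh hold period
        elif kind == "alarm":
            alarmed.add(door)
        elif kind == "close" and door in opened:
            held = int((when - opened.pop(door)).total_seconds())
            if held > limit_s and door not in alarmed:
                findings.append((door, ts, held))
    return findings
```

Each returned tuple is an audit exception to follow up: a badge that outlived its holder's employment, or a door hold past the threshold that the alarm configuration did not catch.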

Let us know if you think of any we are missing. Next week we’ll outline common environmental security controls.

4 thoughts on “Performing a Physical Security Audit”

  1. Reminds me of a couple items:
    – The time I was hired into a company that put the hinges on the data center on the outside of the data center.
    – Another company I worked for built a data center NEXT to a highway, airport, railroad, inside a manufacturing plant that welded, and in an area known for tornadoes. The only items they missed: not built on a fault line or near a river. Maybe next time.
    – The co-location facility where we parked some servers had the full diagram of the facility in a location where you could see it from the outside. While fire codes dictate they have to be readily visible upon entering the facility, you shouldn’t be able to read them from across the street.
    – One company in Australia that I worked for had a server sitting in plain sight near an office window. One morning, the window was gone, and so was the Windows server!
    – As I’ve posted previously, the easiest, quickest, and most undetectable way to steal sensitive data is to remove it from your co-worker’s desk–he stores all the sensitive papers he knows he has to shred in that little cardboard box right on his desk, where it sits for weeks. He’ll never miss it.

    • Up in Alpharetta, GA, there is a data center that actually has a moat dug around it, in the middle of swamp land, sitting back in the woods a bit with a single paved road leading to it. Then the moat is surrounded by a giant fence with barbed wire along the top.

      No, I’m not making a joke. It was one of the most impressive things I have ever seen.

  2. I think Mack’s last bullet is the more likely scenario for data loss in my experience.

    That said, I’m curious on what you all have experienced with data loss due to physical breaches of data centers? I’ve seen companies spend an inordinate amount of time, money, and effort to build an ultra secure data center. All the while, the business office is wide open, no locked workstations, or folks leaving post-it notes with passwords. They wanted to brag and boast about the data center, but fail to recognize they had an issue with laptops being stolen out of the office.

    • Keep in mind that physical security isn’t just for data centers. It is also for companies that may store data on site (could be in hard copy or in test servers) like in the example I gave in the post above (third paragraph).

      I have heard of instances of hackers plugging into ethernet ports to gain access to the network or employees simply stealing servers from a server room for home use. Those are both examples of physical security breaches.

      As related to data centers – I think typically data centers go above and beyond on physical security to create a marketable image to their customers – regardless of the risk. It makes customers feel good when they see that their data center is protected by state-of-the-art security mechanisms. And if you’ve ever been to a big data center it looks pretty cool too.

      That has, in turn, made data loss as a result of a physical security breach at data centers relatively uncommon.
