Physical Security Perimeter
Perimeters should be defined and the defenses associated with them should reflect the needs of a risk assessment. These should be physically sound offering protection from unauthorised entry.
Reception areas should be manned or otherwise protected. Access to secure areas should be restricted to authorised employees only except where under the remit of the physical and environmental security policy.
Fire doors should be alarmed, tested and monitored. Particular attention should be given to fire alarm tests where the physical security of an area is often at its weakest – this is from personal experience of working in a highly restricted area as a consultant.
Intruder detection systems should be installed, tested and monitored with unoccupied areas alarmed at all times. This should also be extended to secure areas – server rooms, communication centres etc. Information processing facilities that the organisation manages itself should be segregated from those managed by third parties.
Multiple layers of security is often more effective than one single layer. Multiple layers buys time for response to reach an alarm, appropriate access controls can keep multiple layers manageable by access card if that is appropriate.
Physical entry controls
Those areas deemed secure by policy should be protected by entry controls permitting only authorised personnel (potentially including 3rd parties).
Visitors should authenticated as appropriate, their date and time of entry/exit recorded. Activity should be monitored in line with the risk assessment. They should be advised of security and emergency procedures (especially in the case of data centres due to health and safety) and granted access for specific purposes. If authorised third parties are working alone in a server room / datacentre, ensure all other cabinets are locked and all cabling is secure. a physical inspection of cabinets after the visit may be appropriate. Personnel working in secure areas should be required to wear identification and anyone not wearing such should be notified to security employees.
Access rights should be reviewed periodically and revoked as appropriate.
Securing offices, rooms and facilities
Physical security should be designed and applied as determined by a risk assessment. This should be to avoid access by unauthorised personnel. Facilities should be designed to specifically minimise confidential information being visible/audible to visitors. Consideration should be given to the use of masking client names or activities should a risk assessment consider it appropriate, again this is from personal experience, in this case an investment bank where many phone lines are open at any one time.
Protecting against external and environmental threats
In a world that has increasing underlying unrest and unpredictable weather, physical protection against external factors should be considered, designed and applied. Specialist advice should be sought, any decision should be documented for audit purposes. This is akin to insurance, no-one expects the inquisition, yet it comes.
My opinion, natural disasters – these will be covered by BDP/DR plans – but protection against flood, fire, earthquake can all be mitigated, civil unrest is much more down to the organisations public image.
Working in secure areas
Personnel should only be aware of secure processing facilties / operations on a need to know basis. Contrary to earlier statements in this post (its not my standard) unsupervised working in secure areas should be avoided for both safety and malicious activity. If you can justify third parties working unattended in your secure areas then so be it. Phones / cameras should not be permitted in secure areas unless authorised.
Delivery and loading areas
Like the policy for logical access where everything is forbidden, unless expressly permitted, loading/delivery areas should be closed until open rather than open until closed. Activities should be on a need to know basis. Personnel should be identified.
External doors should be closed whilst internal doors are open – adding a multi layer of security. Loading bays should be designed to segregate the activities from the rest of the business. Incoming deliveries should be inspected for hazardous materials and tampering (depending on risk assessment) before passing through to the main business facilities. Incidents should be reported to the responsible security manager. Deliveries (where applicable) should be added to any asset register as a matter of course. Incoming and outgoing deliveries should be segregated wherever possible.
Hopefully this places one or two extra barriers in front of those seeking to harm the company and would dissuade all but the most determined.