This document is not designed for a detailed study of physical security; however, a brief summary of computer-related issues is given here.
- 8.1 Buildings
- 8.2 Transport of Data
- 8.3 Backups
- 8.4 Disks
- 8.5 Laptops / mobile computers
- 8.6 Printers
- 8.7 Computers
- 8.8 "Clean desk"
8.1 Buildings
- Zones should be defined, for example:
  - Zone 1: Areas open to the public.
  - Zone 2: Areas not open to the public, but open to company staff.
  - Zone 3: Protected areas. Only accessible with identification; access strictly controlled. Don't allow externals unaccompanied access.
- Buildings should always be locked, except for access via a reception area during office hours.
- Public areas shouldn't have any computers with access to the internal Data Network, unless through a Firewall.
- Server rooms must be locked, with electronic card access (audit list) where possible. Very few people should have access.
- Access to server rooms should be recorded on video.
- Consider protecting sensitive computers against Van Eck radiation (see also Protecting against Snooping via Van Eck Radiation / TEMPEST).
- Consider protecting systems against Electromagnetic Pulses.
- Buildings must be monitored 24 hrs x 7 days by security personnel.
- Contingency plans should exist which cover events such as power cuts, theft, fire, flooding, explosions, earthquakes (where necessary) etc.
8.2 Transport of Data
What is the company policy on the use of public, private and company transport for the transport of information (paper, diskettes, disks, tapes, computers, ...)?
8.3 Backups
- Backup media should be stored in locked safes or locked rooms.
- Regular backups (at least once per month) should be stored off site.
- Backups should only be transported by secure methods (like money transport).
8.4 Disks
Floppy and removable disks are often a source of viruses and illegal software (as is email). They may also be used to copy confidential data illegally. When data is erased from diskettes, it must be completely erased (a standard product should be recommended for PCs). Floppy drives are rarely needed when users have reliable networked printers, file servers and email available.
Removable hard disks and floppy disks should only be used where absolutely necessary.
Avoid copying data to floppy disk.
Floppy drives should be removed, unless the internal network is considered too insecure. Removable disks can be more secure than using a network server since all data is kept locally. In this case disks must be kept carefully in a locked safe.
Confidential data should be encrypted. If the network server is not considered secure enough, files may be handled locally, encrypted (using DES for example) and then saved on the network server. This is preferable to the use of removable disks since regular backups will be made and the risk of losing data is minimised (unless the DES key is lost or forgotten).
Forbid repair of confidential disks: they must be destroyed unless it is 100% certain that the disk has been overwritten with nulls or 1s. Products which promise this feature presumably require that the disk can still be accessed.
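As an added example (not from the original guide), the following Python implements the "written with nulls or 1s" check above: it reads a disk image or block device in chunks and reports the first byte offset that is not uniformly 0x00 or 0xFF, so a disk that fails the check is destroyed rather than sent for repair. The device path and chunk size are assumptions, and the sample buffer is constructed.

```python
"""Added example, not from the original guide: verify that a disk image or
block device is uniformly filled with 0x00 or 0xFF before it leaves the
building for repair. Any other byte means data still survives on the medium."""
import io
import sys
from typing import BinaryIO, Optional

CHUNK = 1 << 20  # 1 MiB reads (assumed), so large devices are never loaded into RAM


def first_unwiped_offset(fh: BinaryIO, chunk: int = CHUNK) -> Optional[int]:
    """Return the offset of the first byte that breaks a uniform 0x00 or 0xFF
    fill, or None if the whole stream is uniformly wiped. The fill value is
    taken from byte 0; a later switch between 0x00 and 0xFF is also reported,
    since it indicates an interrupted or partial wipe pass."""
    fill: Optional[int] = None
    offset = 0
    while True:
        data = fh.read(chunk)
        if not data:
            return None
        if fill is None:
            fill = data[0]
            if fill not in (0x00, 0xFF):
                return 0
        if data != bytes([fill]) * len(data):
            # Chunk mismatch: locate the exact offending byte within it.
            for i, b in enumerate(data):
                if b != fill:
                    return offset + i
        offset += len(data)


def check_bytes(data: bytes, chunk: int = CHUNK) -> Optional[int]:
    """Same check on an in-memory buffer (used for the constructed sample)."""
    return first_unwiped_offset(io.BytesIO(data), chunk)


def check_device(path: str) -> Optional[int]:
    """Same check on a file or block device path (assumed, e.g. a /dev entry)."""
    with open(path, "rb") as fh:
        return first_unwiped_offset(fh)


if __name__ == "__main__":
    # Constructed sample: 4 KiB of nulls followed by one leftover data byte.
    sample = b"\x00" * 4096 + b"A" + b"\x00" * 100
    print("constructed sample, first unwiped offset:", check_bytes(sample))  # 4096
    if len(sys.argv) > 1:
        off = check_device(sys.argv[1])
        print("wiped, OK to release" if off is None else f"data found at offset {off}: destroy")
```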
All disks should be classified and the classification level should be written on the disks.
Consider protecting media against Electromagnetic Pulses.
8.5 Laptops / mobile computers
Protect (encrypt) laptop hard disks or individual files/directories (a standard software product should be defined).
- See also the chapter "Securing PCs".
8.6 Printers
Only printers in directors' offices or restricted-access rooms should be used for printing confidential information.
8.7 Computers
EPROM passwords should be used on PCs and workstations.
Screens not used for 15 min should be blanked automatically with password protection.
Computer housings should be locked if possible.
8.8 "Clean desk"
The principle of a "clean desk" each evening when an employee leaves his place of work is used by many corporations. It ensures that confidential data is not made available to (for example) cleaning personnel and encourages methodical management of one's workspace. Confidential information should be always under lock & key.
- This is, however, sometimes a difficult policy to implement in development departments, due to the mindset of creative personalities.
