When you hear the term vulnerability assessment, it probably conjures up network security and network-related breaches. With the reliance on our networks and the amount of data we store on them, this should be expected. But what about our vulnerabilities from physical and personal security issues? We discussed security fusion a little, but these two areas are often disconnected from our information and network security elements. This is a problem, and it leaves our vulnerability assessments limited. Not to mention, doing a vulnerability assessment without considering physical and personal security will create a false sense of security.
So where do you begin and what do you do? For the purpose of this blog, we want to focus on the physical and personal security items. Not that our network security is not important, because it is. And furthermore, network security is part of a true 360-degree vulnerability assessment. However, physical and personal security don’t get a lot of attention. We will tackle physical security in this post and personal security in a follow-up post.
So some thoughts.
Physical Security. As its name implies, physical security describes security measures that are designed to deny access to unauthorized personnel (including attackers or even accidental intruders) from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts (www.police.psu.edu). Pretty simple – denying access to unauthorized personnel.
- Location. Business is all about location, location, location. Well, what kind of assessment have you done from a security standpoint? What is the crime rate? What types of crimes have been committed? Is there a police presence? How quickly could the police get to your location? What do other business owners experience? If your home is your business, then the same applies. This is the foundation. You need to know the threat level at your location.
- Parking Lot. From the moment you enter the parking lot (or park your car in the driveway of your house), you need to assess your physical security vulnerabilities. Why the parking lot? Consider your lighting and visibility. Are you and your employees at risk for theft? If you have proper lighting, thieves may be deterred and you add a level of protection.
- Entry Way/Lobby. What is your access control? Do you have a receptionist? Do you have direct access to your offices or do you have someone screening people to gain access? Do you use badges or pin codes to gain access to your offices? If you are a Small Office/Home Office (SOHO) do you have a security system with video monitoring? Do you have security reminders set up to keep everyone refreshed? Do you have training that addresses social engineering and phishing attempts?
- Critical Information. First, have you identified your critical information? And if so, do your employees know what it is? If not, then you should start. If you have, how do you protect your critical information? Yes, this goes into information security, but I want to focus on the physical realm. If you do research and development, is that area blocked off from those who don’t need access? Do you have signs indicating a restricted area?
- Security Awareness. Alluded to in the previous two entries – how visible are your security reminders? Do you have signs and warnings up on the walls? Do you have handy reminders next to phones that give employees a checklist in the case of a suspicious event? Do employees know when to contact security? Do employees know how to contact security? Do you have a warning banner on your systems before login? Do you have security reminders that pop up?
- Neat Desk Policy. Do you have a neat desk policy? “A clean desk policy ensures that all important documents, confidential letters, binders, books, etc are removed from a desk and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches. Having a clean desk helps to not only eliminate clutter, but also helps prevent the likelihood that anyone can gain access to your company’s information or the information of your clients.” (https://adeliarisk.com/hipaa-clean-desk-policy/).
- Office Walk Through. Following up on the neat desk policy, do you have a security walk-through? If you are fortunate enough to have a security staff, this is a great duty for them: walk through the office, observe any irregular activity, and do spot checks. Are employees putting passwords on sticky notes or under their keyboards? Do employees lock their desk drawers? If you are a small business, assign employees an extra duty to walk through on different days and at different times. If you are the leader/owner, this is a great way to set the example. Talk to the employees and test them on their security knowledge – not to punish them, but to highlight its importance and keep it a priority.
- Reporting Process. Do you have one? Every security program should include a way for employees to report suspicious events or actions. During your assessment, you should review your reporting process.
- Contingency Plans. Do you have one? Do your employees know? Is it updated? Have you rehearsed it?
These are just some thoughts on assessing your physical security process and seeing where you stand. This, integrated with personal security assessments and information security assessments, is part of a full-spectrum approach to security that fuses the disciplines together rather than keeping them separate but equal.