Top six controls for good physical security
The following controls should form part of the implemented security perimeter:
1. The perimeter itself is defined (and the secure environment within it is an asset that should have been the subject of a risk assessment) in a document and, if possible, by means of appropriate signage, and staff are aware of what and where it is.
2. The perimeter (particularly of a building containing information processing facilities) should be physically sound. There should be no gaps in the perimeter (risers, lift shafts, air-conditioning vents, etc. should all be assessed) or areas where a break-in could easily occur. The external walls should be of solid construction, and all external doors should be protected against unauthorized access using appropriate control mechanisms: one-way bars, alarms, locks, etc.
3. There should be a staffed reception area or other means to control physical access to the site or building. Access to secured premises should be restricted to authorized personnel only.
4. Physical barriers should be extended from real floor to real ceiling (i.e. below any false floor and above any false ceiling, particularly those installed to provide ducting for cabling) to prevent unauthorized entry or environmental contamination such as that caused by fire or flood.
5. All fire doors on a security perimeter should open outwards only, should slam shut (because they have working door-closing mechanisms fitted to them) and should be alarmed (and this fact should be advertised on the doors to try to prevent inadvertent false alarms). Some organizations site CCTV cameras to cover these doors to watch for deliberate false alarms that might be designed to distract security staff attention from a planned point of real break-in elsewhere or to enable a perimeter breach before security staff can attend.
6. Appropriate intruder detection systems should be professionally installed and maintained. All external doors and accessible windows should be covered, and unoccupied areas should always be alarmed. The alarm cover should also be specifically extended to include computer and communications rooms. Copies of test certificates, schedules of key holders and alarm response procedures (who is to do what when an alarm goes off, including out of hours) should be retained as part of the ISMS records. Key holders should receive training in how to respond to alarms, what to do to secure the site after a break-in or other incident, and what the escalation procedure is. The alarm response procedure should be reviewed after every alarm incident, and where a police response service is part of the security set-up, every effort has to be made to avoid false alarms, as these can lead the police to withdraw their cover. This is particularly important where the organization includes a manual alarm trigger at, for instance, the reception desk to help deal with unwanted intruders during opening hours; these alarms can easily be triggered accidentally. However, making them awkward to trigger detracts from their effectiveness in addressing the reason for having them in the first place.