Physical Access Security

Overview
The objective of Physical Access Security is to provide mechanisms that detect, prevent and deter unauthorized access to facilities.

Guidelines
Physical Access controls include:
  • Duress alarms to detect unauthorized access to facilities
  • Emergency exits that are alarmed 24/7
  • Access restricted to authorized personnel (e.g. security guard desk, ID badge/card readers, fingerprint biometric devices)
  • Physical barriers (e.g. fences, door locks)
  • Mechanism to log each individual's identity and time of arrival and departure
  • Process to log and identify visitors during visit (e.g. badges, log book, escort by employees)
  • Intruder detection and recording mechanisms
  • Security guard staff
  • Security of loading and shipping facilities (separate from information processing facilities)
  • Secure roof access points
Physical Access security should start with securing the facility entrance points with security guards and a desk (for larger organizations or facilities) or a reception desk (for smaller organizations). Security guards act as a deterrent to intruders and also ensure that individuals prove their identity before they are allowed access to facilities. Sensitive areas, such as server rooms or data processing facilities, should be locked and secured.

Most enterprises should implement badge access readers at entrance points so that only authorized personnel are granted access to the building or secure computing facilities. Common mechanisms to allow physical access upon successful badge identification include half-height/full-height turnstiles, or "mantraps" for more sensitive facilities that may require additional identification (e.g. fingerprint and/or hand geometry biometric devices). For sensitive areas where badge readers are not available, lock and key or key code locks should be used to secure data processing facilities.

For smaller organizations with a limited budget for electronic access control devices, showing a badge ID and logging access in a log book managed by a security or reception desk may be effective controls. Visitors should also be required to show and log their identity and to wear numbered visitor badges. Visitor badges should be returned and expired when no longer needed. Access logs should also be periodically reviewed for unauthorized access.
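One way to carry out the periodic log review described above, shown as an added example that is not part of the original guideline. The CSV layout, badge numbers, names and expiry times are constructed assumptions; a real review would read an export from the badge system or a transcribed log book.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: the CSV layout, badge numbers and names are
# assumptions for this example, not a format defined by the guideline.
AUTHORIZED = {"E1001", "E1002"}  # active employee badges
VISITOR_EXPIRY = {"V07": "2024-03-04 17:00", "V08": "2024-03-04 17:00"}
SAMPLE_LOG = """badge,name,event,time
E1001,A. Rivera,IN,2024-03-04 08:02
V07,J. Chen,IN,2024-03-04 09:15
E1001,A. Rivera,OUT,2024-03-04 12:01
E1003,Unknown,IN,2024-03-04 12:30
V08,M. Osei,IN,2024-03-04 13:05
V07,J. Chen,OUT,2024-03-04 16:40
V07,J. Chen,IN,2024-03-04 18:20
"""
FMT = "%Y-%m-%d %H:%M"

def review(log_text, authorized, visitor_expiry):
    """Return a list of (badge, finding) tuples in the order they are found."""
    findings = []
    inside = {}  # badge -> arrival time of an entry with no departure yet
    for row in csv.DictReader(io.StringIO(log_text)):
        badge, when = row["badge"], datetime.strptime(row["time"], FMT)
        if badge not in authorized and badge not in visitor_expiry:
            findings.append((badge, "badge not on any issued list"))
        expiry = visitor_expiry.get(badge)
        if expiry and when > datetime.strptime(expiry, FMT):
            findings.append((badge, "visitor badge used after expiry"))
        if row["event"] == "IN":
            if badge in inside:
                findings.append((badge, "second arrival without departure"))
            inside[badge] = when
        elif inside.pop(badge, None) is None:
            findings.append((badge, "departure without logged arrival"))
    # Anything still inside at the end of the review period needs follow-up;
    # for a visitor badge it means the badge was not returned.
    for badge in sorted(inside):
        kind = "visitor badge not returned" if badge in visitor_expiry else "no departure logged"
        findings.append((badge, kind))
    return findings

if __name__ == "__main__":
    for badge, finding in review(SAMPLE_LOG, AUTHORIZED, VISITOR_EXPIRY):
        print(f"{badge}: {finding}")
```
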

Finally, duress alarms should also be deployed at strategic locations at facility entrances and exit points. Special emphasis should be placed on entrances to server rooms or processing facilities where sensitive information is stored or accessed. Alarms should alert local security staff or an outside security service (for smaller organizations).

Topic Category
Physical (and Environmental) Security
 
News Articles
  • US Customs wants foreign nationals to reveal their social media handles (www.zdnet.com, 6/28/2016)
  • Court Upholds Willy-Nilly Gadget Searches Along U.S. Border (www.wired.com, 12/31/2013)
  • House Keys Under the Doormat? Nope, in Your Phone (blogs.mcafee.com, 5/21/2013)
  • Crooks Spy on Casino Card Games With Hacked Security Cameras, Win $33M (www.wired.com, 3/15/2013)
  • Need to lend your key? E-mail it, Fraunhofer says (news.cnet.com, 3/4/2013)
  • Simple, low-tech solutions for school safety (www.zdnet.com, 12/22/2012)
Policies
Physical Access Policy