In our previous blog, we discussed the benefits of adopting a defense in depth (DiD) strategy. DiD involves implementing multiple layers of protection by utilizing three types of security controls: physical, administrative, and technical.
For this first installment of a three-part blog series, we’ll focus on physical security controls.
What are physical security controls?
Physical security controls refer to measures that safeguard data, hardware, software, and networks from physical actions and events that could have damaging repercussions to an organization, including burglary, theft, vandalism, terrorism, fire, flood, and natural disasters.
While insurance typically covers the financial losses associated with such physical actions and events, physical security controls are designed to prevent or reduce the waste of time, money, and other resources that these actions and events cause.
What are examples of physical security controls?
Physical security controls include measures that are meant to:
- Deter potential intruders
- Restrict access to sensitive information and tools
- Detect any suspicious activities quickly
- Trigger the appropriate response to an intrusion
Deterrence methods
Companies use deterrence methods to demonstrate that their defenses are too challenging to penetrate, discouraging potential intruders from even attempting a breach. Specific examples of deterrence methods include:
- Physical barriers – These include fences, cages, and walls that serve to prevent or at least delay attacks.
- Proper lighting – Well-lit areas can be enough to deter intruders from attempting a breach for fear of being seen. To ensure proper lighting at all times, companies must install security lights that are hard to tamper with, along with battery-backed emergency lights or a backup power supply.
- Warning signs – These include signs stating that the facility is being monitored by surveillance cameras and protected by multiple alarm systems.
Access control methods
The following measures limit access to sensitive data and tools to only authorized personnel:
- Picture IDs – They enable security guards or others in the vicinity to quickly recognize if a person is allowed to be in a particular area.
- Access control systems – These include doors that use physical keys, biometric readers, or RFID cards to prevent unauthorized personnel from entering restricted areas.
- Document and equipment disposal – Unauthorized persons could gain access to sensitive company data if companies fail to properly dispose of documents and equipment, such as hard drives, containing such data. Therefore, paper files must be shredded and storage devices must be wiped of all data before being thrown in the trash.
Intrusion surveillance and detection methods
These measures enable companies to constantly monitor different areas of their facilities and immediately flag suspicious activities. Examples of intrusion surveillance and detection methods include:
- Closed-circuit surveillance cameras – Cameras can monitor activity in real time and provide a visual record of any suspicious behavior. They should be placed in strategic locations, such as the server room, entrances, and exits.
- Motion sensor alarms – These systems send out alerts when they detect any motion, which suggests that an unauthorized person may be in a restricted area.
- Thermal alarm systems – These systems detect and flag heat signatures that could indicate an intruder entering a facility.
Intrusion response methods
Once an intrusion has been detected, a company can alert the following personnel and implement these measures:
- Security guards – Technology-based physical security controls are useless without security personnel who are trained to use these technologies and know how to properly respond to security breaches. Aside from responding to alarms, security guards can also patrol the facilities, administer electronic access control, and monitor and analyze video footage.
- Police and other authorities – Depending on the severity of the intrusion, companies can contact local law enforcement or other relevant government institutions. The police can then investigate the situation and take appropriate action.
- Event logging – Any suspicious activities must be documented for future reference and for legal proceedings, if necessary. This includes noting down the time, date, and location of the intrusion as well as any other relevant details.
By implementing a combination of physical security controls, you can better ensure that only authorized personnel have access to sensitive information and tools.
Stay tuned for the next installment of this three-part blog series where we’ll tackle administrative security controls.
For more information on adopting a DiD strategy, schedule a FREE consultation with Spectrumwise.