Building Your Cybersecurity Foundation – The Physical Layer

By Barry Semple, Director of Technology

In our previous blog installments, we have discussed securing everything with electricity running through it to provide a good foundation and reduce the risk of compromise by cyber-attack. In this fifth layer we are looking at physical access to systems and data.
Considering this series is about building a Cybersecurity Brickhouse, some may ask how physical access fits in? There are two main security concerns with physical access. The first is that physically accessing data is considerably faster and easier than trying to hack in across the Internet. The second is that if physical access is not known and controlled, then it is possible for changes to be made to equipment or environments that could drastically reduce or eliminate the security protection you’ve tried to establish.
Now back to our Brickhouse. We need to look at all the doors and windows and how secure they are. Begin by thinking of all possible locations that are holding company data or have access to the company data. For example, a datacenter is where your company data is stored, but your office has a direct connection to the datacenter, allowing information to be efficiently accessed. In this scenario both the datacenter and the company office must be physically secured.
Remembering one of our core security principles, keeping it simple, we will look at physical security in terms of “who” and “how” – so who has physical access and how do they have access? With data stored in a professionally run datacenter, the company running it will have good controls and documentation on who has physical access to your data. Simply request those records, ensure they are up to date, with any departed team members removed, and use the Principle of Least Privilege (POLP) to outline who retains access. (For more on POLP, read our last blog post)
For the company office, the physical access is more involved, as you must ensure all office entry points are protected. Start with the security alarm, ensuring that it covers all possible points of entry, including windows, emergency exits, as well as the front and back doors. Also check who has permission to disable the security alarm, ensuring that every person has their own unique identifiable and documented code. POLP applies here as well – not everyone needs this level of access.
Now that we have secured the office for after-hour periods, we also need to examine access during office hours, when alarms are off and doors are often open. If not already in place, fit all doors with a fob activated entry system that can identify when and where team members gain access to the facility. Such a system enables businesses to control access based on day of week, time of day and individual people. It also keeps records of when team members enter.
The final step to securing the Physical Layer of your Cybersecurity Brick House is to ensure that all aspects of access are documented and that any changes to access follow a documented process, including change control approvals. This will retain the accuracy of “who” and “how” as well as provide evidence to meet any compliancy requirements.

Read more in this Series: