A good approach to physical security is to implement controls in layers. This allows for one control to remain in place if another one fails. For example, you might use both a security fence and door locks to secure your location. You could even add a third control, such as requiring a visitor sign-in sheet or installing alarms or cameras in sensitive areas.
Some things to consider when securing the environment:
- Do these steps make sense for the environment? The steps being taken to physically secure an environment should be appropriate to both the type of environment and the data being stored there. For example, a shared laptop that does not contain sensitive university data does not need the same physical protection as a server containing protected health information.
- Cost. Ensure that there are funds available for physical security controls. For example, when applying for funding for a research project, be sure to include costs for any physical security controls that may be required for the classification level of the data you are collecting or working with.
- How should the whole of the environment be prioritized and physically arranged, and where should IT systems be located? Prioritize systems that store data classified at levels of higher risk and have a greater need for physical security. For example, plan to have printers used to print sensitive information installed in a secure location, rather than in a public space, while placing general-use printers in a more open area.
Follow these recommendations to begin to secure your environment. Consider additional controls as needed.
- Create documentation for work processes, disaster recovery/contingency plans, equipment inventories, lists of authorized users/visitors, and other information those accessing or controlling the environment need to know.
- Provide training to those using the environment. Ensure that faculty, staff, students, and other users know how to properly enter a sensitive location, how to validate and record visitors, and how to report problems.
- Establish a procedure to ensure that only authorized individuals are given physical keys to restricted areas.
- Install physical barriers, such locks on doors, card readers, reinforced walls, or fencing.
- Store media containing sensitive university data in secure locations.
- Lock down equipment using cable locks.
- Use sign-in sheets for areas storing or processing sensitive data.
- Implement surveillance, such as video cameras and sensors/alarms.
- Place equipment that transmits, processes, or stores sensitive data, such as servers, network switches, and printers in a secure or monitored area.
- Use other controls to secure devices that cannot be physically secured, such as many wireless access points,.
- Put environmental controls in place. These might include proper lighting, power and power backup, heating/cooling, and fire suppression.
- Encrypt data sensitive data, following Encryption (DS-15), to protect it from exposure in case a device is lost or stolen.
Once your physical environment housing your data is secured, continue to Step 4: Test, audit, and reassess physical security on a regular basis.