Test, Audit, and Reassess Physical Security

Over time, physical environments change, and security controls need to change with them. It is important to regularly test and audit your physical environments to ensure that the necessary controls are in place and are still effective. Recommendations for this include, but are not limited to, the following:

  • Look for changes in the environment, and think about how those changes may affect physical security. For example, are new people using an office area? Has new construction or renovation been done? Have services such as HVAC or power supply for the environment changed?
  • Check whether security controls are still in place and working. Do any need to be removed? Do new controls need to be applied? Key things to check for are:
    • Have there been changes to the classification level of the data being stored in the environment?
    • Are there new requirements that need to be met, such as requirements for a new research project?
  • Regularly review access logs, such as visitor sign-in sheets, card reader access logs, or physical key ownership records.
  • Perform an audit to ensure that appropriate processes are still being followed by persons with access.
  • Review and update documentation with any changes to the environment or procedures.
  • Ensure maintenance is being performed on physical controls such as doors, fencing, alarms, video cameras, and environmental systems, such as power and HVAC.

Reassess the physical security of the environments you are responsible for to ensure that you are meeting the minimum information security requirements for physical security, additional requirements of Physical Security (DS-17), and any other requirements based on compliance or contractual obligations.