Physical information security, although vital to information security strategy, does not garner as much attention as more technologically sophisticated security techniques. This inattention to physical information security exposes an organization to a host of threats, both natural and man-made, that can cause serious damage to infrastructure and assets, as well as disruption of operations. Mitigation of physical information security risks like fire, theft, vandalism, terrorism or natural disaster can be achieved through prevention, detection and planning.
Prevention measures usually incorporate barriers that deter would be attackers and features that “harden” a facility against natural disasters or accidents. Deterrents can include door locks, biometrics, man-traps, fences, moats, file cabinet locks, shred bin locks, laptop/desktop computer locks, and clean desk policies. Features that may harden a facility in the event of a natural disaster or accident include earthquake resistant construction, fire suppression systems, redundant power supply to data centers, redundant cooling in data centers, multiple telco feeds, raised floors, and data center design that minimizes the need to access the server area.
Detection can be achieved through various notification systems and surveillance methods. Building automation systems and data center monitoring devices can be used to alert of temperature deviations, humidity levels, water detection, intrusion detection, smoke detection, heat detection and equipment function. The automation systems and monitoring devices allow remote management of the facilities. Surveillance can incorporate on-site physical monitoring using security guards, as well as cameras and video/digital recording equipment.
The last mitigation technique, planning, can be implemented as a preventive measure, but can also be used as a recovery method after a physical information security breach. Organizations need to develop plans for how to recover from flood, earthquake, fire or power loss, as well as theft, burglary or vandalism. Planning helps an organization assess vulnerabilities, measure probability of occurrences, and create processes and procedures for mitigating damage and interruption of operations. Successful planning will enable the organization to recover effectively and efficiently, thereby preserving the organization’s reputation and standing.
Organizations need to be sure they have strong physical information security measures in place at their premises and should also review prevention measures of vendors who may be providing information or data center services, in order to ensure information is adequately protected from physical threats.