Today we will talk about specific examples of Physical Security Controls. We will focus on perimeter access to a facility (Preventive and Deterrent Controls), controlling access once someone is inside a facility, and surveillance (Detective and Preventive Controls).
Let’s start with Perimeter Access, which is a Preventive and Deterrent Control. One example is a guard gate: someone must either swipe an access card or, in a high-security facility, physically present identification to a security guard, and is allowed to enter the grounds of the facility only if on an approved list.
It gets more exciting: you can have high-powered lights at night, guard dogs, and guards patrolling the grounds both inside and at the outside gates. Remember to clear any obstruction from the front of the building so that no one can sneak up to the entrance unperceived: cut all trees and remove any debris from the front of the facility. You could then have bollards 10 feet in front of the entrance of the building to prevent someone from ramming a car or truck into the building. These are Preventive and Deterrent Controls.
They are preventive because they can prevent a break-in or physical breach of a facility, and deterrent because if someone sees all the security they will think, hopefully 10 or 20 times, before trying to break in. After putting much or a little thought into the matter (it all depends on how brazen they are), they may discard the idea altogether, thinking it’s too much trouble, the risk of getting caught is too high, and it’s better to focus on some easy pickings.
Cameras are a Detective and Preventive Control and add an extra layer of security. They are preventive because, again, a would-be assailant is probably going to think a few times over before breaking into a facility with heavy surveillance, especially if it also has all the other controls mentioned above. They are a detective control because if someone were to break in, you would know who did it and could open an investigation and question and/or apprehend the culprit.
Once someone is inside a facility it gets trickier if it’s a standard corporate environment. The reason is that once someone is physically inside, they are assumed to have permitted access to the facility and hence to be trustworthy. As an employee or a Security Professional, though, never be shy to challenge someone and ask them for their badge if your company requires employee badges, especially if they are in your area of work and they are unfamiliar to you. Just say something like, “I have not met you before, can you please show me your badge?”
If you see someone casing or observing key sensitive areas like the managers’ or executives’ offices or the server room, or acting suspiciously, especially if they don’t usually have permission to be in those places, keep an eye out or challenge them. You may say something like, “John, I know that you work in accounting. Is there some reason you are standing by the server room? I am just curious, and I want to make sure that if you need something, maybe I can help.” Be polite, as they are most likely fellow employees, but do your job. Keep the company safe.
Cameras are good for preventing some of these types of behaviors, but challenging employees is also important. Have strong locks on doors and controlled access. Don’t leave key areas unlocked or with the door open. If it is a very sensitive area, access should be registered and controlled with a badge, and if it is very secure, have guards patrolling the area.
I once worked in a very secure facility that had all the controls mentioned. Even once inside, you had your bags checked upon entering, you were not permitted to bring your cell phones into certain areas, and you had to present your ID and get checked in or cleared upon entering and swipe your badge several times through multiple access points before you even arrived at your desk, and the guards were always patrolling.
Physical Security Controls are critical to protecting the cyber and other assets of your organization and they complement the cyber security technical controls. Simply put, without physical security you have no security.