A physical security policy can save your company thousands of dollars

December 2, 2014 by Dan Virgillito

Investments in cybersecurity and physical security are directly connected to your organization's long-term financial health. Technology simplifies our communications and shrinks the distance between us, but cyber attacks are just as prevalent. While the Internet radically changes the way organizations operate globally, from handling sensitive data to offshore outsourcing of IT architecture, the payoffs of security are significant and can't be overlooked.

Organizations are becoming smarter as they leverage the available resources such as physical security systems, software, and advanced IT infrastructure to protect their property, digital assets, and of course their employees. Unfortunately, vulnerabilities, threats, and risks are everywhere. However, you can mitigate them as long as you dutifully enforce proper planning and implementation of standards, policies, and procedures through a physical security policy.

We leave cybersecurity to the IT professionals as we discuss the security expert's field: physical security. However, as technology advances, it is important to note that software and computers now power physical security systems, which means that cybersecurity and physical security are overlapping concepts.

There are three factors to consider when discussing a physical security policy: cost, benefits, and return on investment. And we leave you with the question: will you spend more, or spend nothing? Your answer will shape the later years of your operations as you explore physical security.

Understanding physical security: Definition, forms, and importance

Organizations are connected internally and externally—the data stored in the hardware, software, and applications are your assets, and so are your gates, doors, and buildings that are being used throughout the daily operations. When you have an established physical security policy, you provide a sense of protection and safety in the working environment.

In his book, Effective Physical Security, Lawrence Fennelly defines physical security as "The most fundamental aspect of protection. It is the use of physical controls to protect the premises, site, facility, building or other physical assets." The process includes layers of physical protection measures to prevent unauthorized personnel from accessing your property (office, building, stores, factories, etc.).

Physical security systems can be any of the following:

  • Video (cameras, CCTVs, monitors, and encoders)
  • Access controls (gates, sensors, doors and locks, panels, alarms, and biometrics)
  • Communications (WAN/LAN and phone lines)
  • Padlocks and keys
  • Roofs, rooms, and other safety areas
  • Security guards

Importance of physical security systems:

  • Protection – one of the main purposes is to protect your property and premises against theft, crime, and unauthorized personnel and attacks.
  • Tracking and monitoring – implementing a physical security policy for surveillance throughout the premises helps organizations track and monitor the productivity and security of employees.
  • Archiving and recordkeeping – in special cases like crime, anything that has been recorded in the CCTVs can be acquired for legal matters.

Developing standards for a physical security policy

Thomas Peltier's book "Information Security Policies" provides insights on how to develop standards when creating policies based on the Information Security Architecture, ISO 1779 and Partial GLBA. His table covers a list of physical and environmental security controls as a reference for companies and security practitioners.

They are divided into three categories (with sub-categories) to help you understand the functions.

1. Secured Areas – these areas are the IT facilities that operate your critical and core business activities.

  • Physical security perimeter – you can define the perimeters from the point of entry to barriers, which the physical security can cover.
  • Physical entry controls – you can implement the entry points and procedures for authorized personnel and visitors who can access the areas.
  • Securing offices, rooms and facilities – these areas include the computer rooms, servers or data centers, and other advanced hardware in the organization.
  • Working in secured areas – define procedures and control for contractors or third parties working in your offices that have access to the secured areas mentioned above.
  • Isolated delivery and loading areas – you can define and implement rules that separate the secured rooms and facilities from the loading and delivery areas.

2. Equipment and device security – developing a physical security policy will also include the equipment and devices in your organization, protecting them against threats and environmental hazards.

  • Equipment and device location and protection – you can set the procedures and standards for protecting the equipment and devices within your premises against environment hazards or access by unauthorized personnel.
  • Power supplies – for anything that powers electronics and computers, you must create standards to avoid power failures, short-circuits, and irregularities that could cause fire or accidents.
  • Cabling security – define standards to protect your cable systems and telecommunications equipment from being hacked, damaged or intercepted by unauthorized personnel.
  • Equipment maintenance – this may include the proper maintenance of all equipment throughout the organization, ensuring that it remains available to employees.
  • Security of equipment off-premises – your policies should also cover the protection of assets and equipment off-premises, regardless of their location or ownership if they are outsourced.

3. General controls – all information should be protected against disclosure, modification, hacking, or theft by unauthorized personnel or third-party affiliates.

  • Clear desk and clear screen policy – protect your data by implementing a clear desk and clear screen policy to mitigate the risks of unauthorized access beyond working hours.
  • Removal of property – include procedures for proper document management authorization when employees bring equipment, data or software outside the premises.

The physical security policy covers all these; large organizations need to plan and make an assessment of every area and consider the systems to be used, costs, and security management.

How to develop a physical security policy

Developing a physical security policy for your organization requires planning. Without proper planning, the implementation is likely to fail. Buying padlocks, alarms and CCTV cameras without identifying the strategic locations and the barriers doesn't solve the security issue. In most cases, organizations should consider the following steps:

  • Identify the problem, points of entry, barriers, and objectives of the policy.
  • Design a layout of the physical security system and discuss the other elements with the authorized personnel.
  • Test and assess the effects—a soft run of how the policy works reveals the nuisances and overall performance, giving you a second opportunity to identify problems and solutions.
  • Implement and monitor the activities; include the process as part of your routine.

Characteristics of a good physical security policy

  • It follows the Information Security Architecture, ISO 1779 format that matches your resources.
  • It is written in clear and simple statements that can be easily read and understood by employees.
  • If an organization comprises a multicultural workforce, it's advisable to translate the policy into the respective native tongues.
  • It includes updates and the dates of amendments.
  • Assessment, review, and approval by the key executives and stakeholders are included.

There's no one-size-fits-all solution for physical security. However, your IT department can work on cybersecurity and collaborate with security experts on the development of a physical security policy—to design the layout that fits your needs; collaborating with third-party security experts and consultants is also a good option.

Planning is the most tedious and laborious part of the process. Support and collaboration from the key people are prerequisites for carrying out the surveys; you must use all the collected data and suggestions to develop a policy that will save you thousands of dollars in the long term.

Questions for gathering information for costs and analysis

Gathering data from your global locations can be complicated, and the process varies from one organization to another based on financial capability and other factors. In Cisco's white paper entitled Five Steps to Accurate and Compelling Physical Security ROI, the following questions are provided to help companies build a sound financial analysis:

  1. Who is in charge of the remote systems' budget?
  2. If there are key contact persons handling the local facilities, do they have historical data on the costs? How will they gather the information?
  3. Are the IT systems outsourced? If yes, are there additional costs for upgrades and system backups?
  4. How much is spent on the current physical security systems outsourced in other regions?
  5. How are the amortization schedule and depreciation of equipment calculated?

Another computation is given to determine the total cost of ownership (TCO) of physical security systems:

TCO = cost of purchase + installation + operation + maintenance

Security is the best policy: Why we create a physical security policy

Establishing a physical security policy is serious business. Protecting your property (including physical and digital assets on and off-premises) may require a significant amount of money in the first stages, but it could actually save you thousands of dollars in the long run. Consider it an investment in your future as your organization grows and its infrastructure expands.

Secure and improve the IT physical assets – for organizations that practice offshore outsourcing of IT infrastructure or have data centers on-site, a physical security policy for the computing resources (whether located on-site or in another region) is a must.

Hong Kong Wines and Spirits' case is an example. As the largest distributor of wines across the APAC region, the company wanted to improve the physical and environmental security of a data center in Hong Kong. Several factors were considered for the physical layout and the guidelines for the secured areas. You may read more about the methodology and the implementation of the policy.

Prevention of loss or theft of sensitive data – the strategic placement of surveillance cameras, general controls such as clear desk and clear screen policies, and defined working areas will mitigate the risks of data theft and unauthorized access. Employees caught on camera sneaking into isolated and sensitive areas trying to access critical working rooms should be prosecuted.

If the organization has a complex network of systems and infrastructure and works on research and development of products, advanced physical security such as biometrics and RFID solutions is a good option to ensure that only authorized personnel can enter the secured areas.

Is your organization ready?

The success of implementing a physical security policy is proportional to the support, cooperation, and willingness of your staff to follow the policies. One way to measure your organization's readiness is by conducting surveys.

Considering the size of your organization and its budget, think about the long term and how these physical security systems can contribute to your success, growth, and performance while serving the needs of your customers.

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.