Why A Physical Security Policy Is An Essential Part Of A Security Plan
Access control systems, intruder alarms, CCTV cameras and video door entry systems are of little value without a comprehensive physical security policy behind them.
It’s a bit like having all the ingredients for an excellent dinner but no recipe: the result is unlikely to be any good. The same is true of a business that installs security equipment without a policy that says who may go where, who monitors what, and what happens when something goes wrong.
A physical security policy sets out your organisation’s security goals and the rules for mitigating internal and external threats, so that the business, its people and its assets are protected in a consistent way.
Unfortunately, industry jargon and unfamiliar technology leave many business owners struggling to work out how to write an effective physical security policy for their company.
This overview walks through an example physical security policy to remove some of the confusion that surrounds the topic.
The Components of a Good Physical Security Policy
A physical security policy is made up of the following components. All of them should appear in your document, and the policy must take every type of access control system and security feature you operate into account:
1. Policy Statement
For the business to meet its objectives and for the continuity of all operations, XXXX will undertake and follow the specified plans and procedures to ensure the physical security of all organisational, human and digital assets.
2. Defined Purpose
The purpose of the Physical Security Policy is to:
- define the rules and protocols for granting physical access to the building, including how access is monitored, controlled and revoked;
- identify vulnerable or sensitive areas within the company;
- restrict and define user access to high-risk or sensitive areas.
3. Scope and Document Control
This policy applies to all staff members, contractors, trainees, clients and visitors to the premises.
The Physical Security Policy documentation consists of the policy itself and all related protocols, procedures and guidelines.
The Physical Security Policy and all related documents, including guidelines and procedures, will be version controlled. Document control preserves the current and previous versions of the policy and of every referenced document. Previous versions will be retained for a minimum of two years, or longer where legal or contractual requirements dictate.
Records relating to the Physical Security Policy will be retained for two years, in electronic or hard-copy form. The relevant system administrators own these records, and the records will be audited annually.
4. Regular Document Updates
The Physical Security Policy will be accessible to all employees within its scope. Updates and new releases of the document will be made available to everyone bound by the policy. The Chief Information Security Officer (CISO) and the system administrators are responsible for maintaining the document.
5. Confidentiality and Responsibility
The Physical Security Policy is classified as confidential. Proper access control procedures will therefore be followed when making it available to individuals with the appropriate access rights, and any changes or subsequent versions of the document will be controlled.
The Chief Information Security Officer (CISO) and appointed personnel are responsible for the correct implementation of the Physical Security Policy.
6. The Actual Policy
The Physical Security Policy needs to be clear and well defined. If the policy is confusing or leaves room for misunderstanding, the procedures won’t be followed consistently and your security will suffer.
As a business, your first step will be to identify your security goals, what needs protection and how the company and staff will ensure this protection. Once you have identified potential threats to your organisation, you can decide what policy provisions to include in your Physical Security policy document.
If you are unsure what your security requirements are, speak to the security experts at Satori Risk, who can help and advise.
Many companies engage a consultant to draw up both their physical and information security policies, so that the two are consistent and suitable measures are in place to protect the business and its staff.
A good policy document sets out the policy’s basic rules, principles and definitions, standardised across the entire organisation. For example, it may include rules requiring photo ID cards to be worn at all times, guidance on creating strong passwords (usually cross-referenced to the information security policy) and a requirement for mandatory security awareness training for every member of staff.
The rules should, of course, be relevant to your business and to the threats you wish to mitigate.
Let’s take a more detailed look at the typical provisions most organisations include in their Physical Security Policy documentation.
- Physical access to servers and storage media is restricted, and the rooms housing them shall be kept locked at all times.
- Vital company backup data shall be stored off-site in a locked, fireproof safe; backup media should also be encrypted so that theft of the media alone does not disclose the data.
- Only authorised personnel shall access facilities housing the company’s information systems. A list of such personnel will be kept, maintained and updated regularly by authorised members of staff.
- Protection against natural disasters and physical damage will be designed and implemented. This includes, but is not limited to, earthquakes, floods, fires, explosions and civil unrest.
- Physical security systems such as intruder alarms and surveillance equipment will be actively monitored at all times so that unauthorised access is detected and responded to promptly.
- Visitors to the site will be escorted by the relevant department or support personnel and monitored while on the premises where required.
- Visitors to the site will be required to sign in at reception, and a record of the areas they accessed will be maintained.
- Access records shall be kept of all physical access granted to anyone entering the premises, visitors and authorised employees alike, including electronic access-card events and the issue of standard keys.
- Power and telecommunication cabling will be protected from interference and damage.
- Access to Information Resources facilities housing vital information systems shall be restricted to authorised personnel only.
- Users requiring external network connectivity (remote or third-party connections) for work purposes need approval from management and the security team; the associated security risks will be reviewed before approval is granted.
- IT personnel will ensure that staff laptops and PCs, and any visitor or contractor devices permitted on the network, have current antivirus, patches and updates applied before they connect, to prevent harm to the organisation’s network.
- All unauthorised physical access incidents shall be reported to the security team and management so that the necessary corrective and preventive measures are taken.
- Housekeeping staff require basic information security awareness training and will be subject to mandatory background checks.
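The provisions above require an authorised-personnel list for restricted facilities, access records for every entry, and reporting of unauthorised access. The following script is an added example (not part of the original policy text) showing how those three requirements fit together in practice: it reconciles a badge-controller export against the authorised list and flags entries that the policy does not permit. The CSV format, the area names, the badge IDs and the business-hours window are all constructed assumptions for illustration; a real access control system will export different fields, so the parser should be adapted to that system’s CSV or API.

```python
"""Reconcile physical access-control logs against an authorised-personnel list.

Added example for illustration; not taken from any real policy or product.
Log format, area names, badge IDs and hours are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time

# Constructed: the "list of such personnel" the policy requires, keyed by
# restricted area. Values are the badge IDs permitted to enter that area.
AUTHORISED = {
    "server_room": {"E1001", "E1002"},
    "comms_room": {"E1002"},
}

# Constructed: hours during which entry to restricted areas is expected.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed sample export from a badge controller (CSV).
SAMPLE_LOG = """timestamp,badge_id,holder,area,result
2024-03-04T08:15:02,E1001,alice,server_room,granted
2024-03-04T09:40:11,E1003,carol,server_room,granted
2024-03-04T22:05:47,E1002,bob,comms_room,granted
2024-03-04T12:01:30,V0042,visitor-7,server_room,granted
2024-03-04T13:20:00,E1004,dave,server_room,denied
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    badge_id: str
    area: str
    reason: str


def parse_log(text):
    """Parse the controller export into dicts; timestamps become datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, authorised=AUTHORISED, hours=BUSINESS_HOURS):
    """Return findings for granted entries that the policy does not permit.

    Two checks are applied, in order:
      1. the badge is not on the authorised list for that area (this also
         catches visitor badges, which are never on the list);
      2. an authorised badge was used outside business hours, which should
         be cross-checked against change records or on-call rosters.
    Denied attempts are skipped here; repeated denials at one door are worth
    a separate review as possible probing.
    """
    findings = []
    for r in rows:
        if r["result"] != "granted":
            continue
        area = r["area"]
        if area not in authorised:
            continue  # not a restricted area under this policy
        ts = r["timestamp"]
        if r["badge_id"] not in authorised[area]:
            findings.append(Finding(ts.isoformat(), r["badge_id"], area,
                                    "not on authorised list"))
        elif not (hours[0] <= ts.time() <= hours[1]):
            findings.append(Finding(ts.isoformat(), r["badge_id"], area,
                                    "after-hours access"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"{f.timestamp} badge={f.badge_id} area={f.area}: {f.reason}")
```

Run against the constructed log, the review produces three findings: a staff badge used in the server room without being on its list, an authorised badge used in the comms room at 22:05, and a visitor badge in the server room. Each is exactly the kind of incident the policy says must be reported to the security team; the denied attempt by E1004 is not a policy breach but would still be worth a look if it recurred.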
As mentioned, the provisions in the Physical Security Policy should be relevant to the business it protects. Other provisions might cover access to particular areas such as storerooms, office space and loading bays.
They might also cover access control measures such as the permissions and protocols for access cards, utility systems, housekeeping and even the delivery of confidential documents.
Implementing the Policy
Enforcement is possibly the most challenging part of implementing the Physical Security Policy. A policy can’t do very much once it is filed away.
Appropriate personnel should be given an electronic or hard copy of the policy so that they know their responsibilities under it.
But what if they ignore the document or refuse to follow a physical security control?
Most employment contracts set out the conduct expected of employees. Flagrantly ignoring physical security controls may therefore result in disciplinary action, sanctions or removal of access rights, depending on the business rules and HR policies.
Other tips for effectively implementing the policy include:
- Request all employees and appropriate personnel to sign their policy document copies
- Educate/train staff about security awareness and their responsibility with regard to the policy
- Send staff on regular security awareness refresher courses
- Impose sanctions or consequences for those who breach the policy
- Conduct an annual audit of the policy to gauge how well it is working in practice
Drafting and implementing a Physical Security Policy requires seven vital steps – these are as follows:
- Identify your security requirements and vulnerabilities.
- Complete a basic risk assessment.
- Draw up your document, and include the necessary security measures and best practices you wish to include.
- Introduce the document to staff and provide the necessary training and support.
- Ensure the policy document is accessible.
- Encourage accountability amongst staff and lead by example.
- Regularly review the policy to ensure it is relevant and grows at the same pace as your business.
Physical security policies are only effective when the information they contain is understood and tied to specific criteria and principles. When your organisation’s goals are clear and concise, they are easy to follow.
Protecting your business goes much further than posting security guards at every entrance. Guards may protect the physical location, but they do not address the risks that lead to loss of the vital information technology your business depends on.
Restricting access to specific locations such as information resource facilities, and recording who enters them, is a far more effective control than simply hoping staff members comply.
If sensitive or confidential client data is stolen and misused because access was not controlled, the company may face regulatory penalties and legal liability.
A Physical Security Policy defines how the security measures you have implemented are meant to work together, so that they actually do their job of protecting your business.