Physical and Environmental Security
Protection of Equipment
Consider the threat of equipment being lost, stolen, taken offsite, or in some way rendered ineffective (e.g. through fault, power loss, etc.). One control would be to ensure appropriate maintenance contracts and SLAs are in place (procedural transfer). Another is to ensure alternative power and data supplies (redundancy: reduce, corrective). Equipment can also be protectively marked. Inside a building, additional protection can be applied to equipment and cabling (such as power supply). Sometimes this takes the form of separate electrical circuits for predetermined uses.
Moving Property On and Off Site
The control of assets on and off site is a critical security issue. Obvious ways of reducing risks to assets (for example, risk of loss through theft) include:
- procedures and roles for transport of equipment across security domains
- procedures for equipment storage and use
- protective marking for all assets, maintain an inventory (automatically updated for new or disposed equipment as well as changes to location)
- procedures for secure disposal and review of actual actions taken (whether the action was internal or via contractor)
- policy for BYOD (bring-your-own-device)
- security requirements in delivery/loading areas: persons in such areas may potentially have access to a lot of business-critical information/assets (in the form of disposed-of filing cabinets, new computers, etc.)