Regardless of the organizational structure, CISOs will need to work with facilities, CSOs and anyone else in charge of physical security to plan out measures that take the following crucial physical security considerations into account.
Top 10 physical security considerations
- Hardening IT facilities and data centers
- Day-to-day office facility concerns
- Blocking lateral movement in physical spaces
- Protecting assets in co-located and cloud facilities
- Physical-cyber connections OT environments
- IoT devices in far-flung locales need special consideration
- Locking down devices in a remote/hybrid world
- Integrated access control is ideal
- Securing surveillance systems and their data
- Ready access to surveillance data for investigation
Hardening IT facilities and data centers
Data centers, sensitive IT facilities and computer rooms in multipurpose office facilities are some of the most obvious areas where CISOs will need to focus their efforts to instill control over physical access to sensitive systems.
“A CISO should mandate access to all computer rooms be limited to only people who need access and enforce that contractors are escorted and never left alone in computer rooms. Access to computer rooms should be logged and reviewed daily,” says David Ortiz, CISO at Church & Dwight.
The measures taken should vary by facilities, scaling up or down based on risk, Justin Fier, senior vice president of red team operations at Darktrace, tells CSO. “Facilities that house critical information, like offices with sensitive servers, should have tighter security controls than facilities with less sensitive assets. CISOs must understand what data and resources are stored in which facilities, assess the risk these facilities pose if breached, and harden physical protections accordingly.”
Day-to-day office facility concerns
At the same time, even the most ho-hum office settings can be a target for a wily attacker looking for foothold into the corporate network. “Any network jack in a facility can be a potential entry point to the IT environment,” says Will Bass, vice president of cybersecurity at Flexential. “A CISO should be heavily involved in the physical security architecture and standards for all facilities, sensitive or not, to ensure that the right defense-in-depth measures are in place to prevent unauthorized physical access to the IT environment.”
Optiv’s Shier adds that even though remote and hybrid work has changed how workers perceive the office and may have lessened foot traffic into many facilities, CISOs should be overseeing some basics in physical security hygiene. “We still need to ensure we have adequate controls in the office for physical security,” Shier tells CSO. “Port security, wireless access point security, badge access controls, and cameras are all still relevant today and should not be overlooked.”