Physical Security is an important area of Information Security Risk Assessment Process. If other technical controls are well placed coupled with weak physical security, the breach is prone to occur. Physical access controls fall first in the line of defense to deter/detect the malicious activities and must be the strongest. The steps of physical security assessment comprises of the following steps:
1. Assess the Identified areas, including but not limited to:
- Physical Access Control to Buildings: Facility Security – Entry points, Data center, User and sensitive environments, Access control and monitoring devices, Guard personnel, Wiring closets.
- Internal Company Personnel – Control and accountability, Use of equipment, Security procedure compliance, Awareness, Use of break areas and entry points
- External Visitor and Contractor Personnel – Control and accountability, Use of equipment, Security procedure compliance, Use of break areas and entry points
- Physical Access Control to Information Technology Resources: Computer Systems and Equipment (Workstations, Servers, Backup media, PDAs, Modems and other physical access points)
- Sensitive Information and Data – Control, Storage, Destruction
- Physical Security Control Mechanisms within the Server or Critical processing areas.
2. Prepare Physical Security assessment report and discuss with relevant stakeholder for finalization of assessment report.
3. Discuss the findings with process owners/ ecosystem partners for resolution.
4. Assist relevant stakeholders to ensure all identified issues are resolved/ corrected within per-defined timelines.
5. Once the identified issues are addressed, submit final report to management, along with implementation plan and recommendations for unresolved issues
