2015.03.19 WMD - Integrating Physical Security into Your Cybersecurity Plan


Information Security and Data Privacy Bulletin
March 19, 2015

INTEGRATING PHYSICAL SECURITY INTO YOUR CYBERSECURITY PLAN

When contemplating cybersecurity defenses, organizations predictably focus on technological issues and solutions. This attention flows naturally from storing substantial amounts of sensitive client or proprietary data on information technology systems, as well as the legitimate cyber-threats to those systems. However, this may leave organizations vulnerable to non-technical attacks facilitated by lapses in physical security. To prevent the loss or misappropriation of data from espionage, sabotage, damage, or theft, organizations should conduct security assessments that consider the threats posed by unauthorized physical access to their offices, equipment, and documents. Based on the outcome of these assessments, organizations should address any gaps in their policies and procedures.

Maintaining Access Control to Office Spaces

The most critical step in ensuring physical security is establishing and maintaining access control to facilities and office spaces. For organizations that occupy space in large urban office buildings, this is typically accomplished using key cards and turnstiles monitored by security personnel. Key card systems should be configured to permit organizations to know when employees are entering and exiting the building. For organizations situated in suburban campuses, physical security will be more elaborate, and extend out from buildings, with access control features such as fences, gates, cameras, and security personnel.

Receptionists and employees should be provided training on maintaining a secure office environment. Receptionists should be tasked with keeping a record of visitors to the office, which should include, in addition to the visitor’s name, the date, start time and end time of the visit, and the employee who was visited. Visitors should be required to wear identifying badges that clearly identify such persons as visitors and state the floor to which they have been granted access. To ensure visitors do not attempt unauthorized access to computer systems, or obtain or record information from hardcopy documents, employees should be trained to escort visitors throughout the office at all times, and be aware of unescorted individuals. Employees at larger organizations typically will be issued identifying credentials, and employees should be trained to ask unfamiliar individuals to produce their identification cards.

Organizations should make certain that employees who leave voluntarily or are terminated return any access cards and identification credentials, and that these credentials are revoked in access control systems. Employees, vendors, and consultants should be vetted with a background check whose detail is commensurate with the sensitivity of the information these employees may access. Non-disclosure agreements should also be routine for employees, vendors, and consultants hired by organizations, particularly those individuals who will be granted access to information technology networks and systems. Landlords and their agents, such as facilities workers and cleaning staff, also have access to tenants’ office space. Consequently, leases should include non-disclosure agreements that cover the landlord and its agents.

Wollmuth Maher & Deutsch LLP, 500 Fifth Avenue, 12th Floor, New York, New York 10110, 212-382-3300

Limiting Physical Access to Servers and Computers

Given physical access to organizations’ servers and computers, a malicious actor could infect the information technology environments, download client or proprietary information, install unauthorized wireless routers, or steal computer hard drives. Therefore, access to computers and servers by employees, vendors, or consultants should be carefully monitored. To prevent unauthorized access, server rooms should be locked at all times. While access may be controlled with key cards or regular keys, key card systems have the advantage of being able both to grant authorization and permit identification, allowing organizations to maintain records of which employees have accessed the server room.

Although telecommunications equipment and corporate servers are often co-located in the same room, organizations should consider, where possible, separating this equipment so that vendors or employees may only access that equipment for which they have a need. Alternatively, or for added security, organizations may consider using locking server racks, which add a layer of defense by preventing unauthorized access to computer hard drives, ports, and cables.

Proper Handling and Disposal of Used Hardware and Storage Media

All hardware equipment should be tagged and inventoried when initially configured so that it can be tracked throughout its life cycle. This includes periodically inventorying all hardware to ensure that nothing is unaccounted for. Before a computer is removed from a facility for disposal, hard drives should be securely wiped or physically destroyed.

Storage media with sensitive client data or confidential proprietary information should be clearly labeled and secured. Organizations should treat any unlabeled media as confidential, until it is determined otherwise. Storage media should be rendered unreadable before disposal.
This requires degaussing of magnetic storage media, and grinding or shredding optical storage media. Upon disposal, inventory records of hardware and storage media should be updated to reflect their disposal.

Protecting Hardcopies of Client Data and Proprietary Information

Even in today’s increasingly digital environment, organizations produce and maintain substantial volumes of hardcopy documents containing sensitive client data or confidential proprietary information. The loss of this information is no less significant when accomplished through the misappropriation of hardcopy documents, than when exfiltrated from the corporate network. Therefore, organizations should incorporate policies that require hardcopy documents be properly secured from printing through disposal.

If sensitive or confidential information is printed to a shared network printer, documents should not be left unattended. Organizations should consider adopting clean desk policies, which require employees to remove documents with sensitive client or corporate data from their desk at the end of the day or when leaving for extended periods of time. Hardcopy documents should be locked in desks and/or in filing cabinets when not being used, and keys to these drawers or cabinets should not be left unattended.

When a document with sensitive or confidential information is no longer needed, the document should be deposited in a locked bin for disposal by shredding. Vendors hired to collect and shred documents should be vetted for compliance with auditable standards of practice, such as those issued by the National Association of Information Destruction. For compliance purposes, organizations should obtain confirmation reports that the documents were properly destroyed, particularly if the document destruction occurs offsite.

Conclusion

Employees, vendors, consultants, and visitors all have access to organizations’ offices, which provides the opportunity to collect, review, or record hardcopy documents, or access information technology equipment in an unauthorized manner. The issues presented herein are among the physical threats and possible responses that should be considered when drafting information security and data privacy policies and procedures. As with all information security and data privacy measures, organizations should design corresponding compliance documentation to ensure that policies and procedures are being carried out.

For further information, please contact:

Jason E. Glass (212) 382-3300
Frederick R. Kessler (212) 382-3300
Steven S. Fitzgerald (212) 382-3300
William F. Dahill (212) 382-3300
Ryan A. Kane (212) 382-3300
David H. Wollmuth (212) 382-3300

This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore, the information contained in this memorandum does not represent, and should not be regarded as, the view of any particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of assistance regarding these important developments. The names and office locations of all of our partners, as well as additional memoranda, can be obtained from our website.

The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP assumes no liability in connection with the use of this publication.