Monday, July 23, 2007

Information Security Policy 101 – Physical Security Policy

Part 12 in the Information Security Policy 101 Series

In some organizations “physical” security and “information” security are separated into different groups or teams. Whether this is a good idea or not has been the subject of some debate over the years. One issue that should not be debated is the tight interdependence between the two.

Information security is a balance of physical, logical, and administrative controls. Every control must have its roots in written policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Physical Security Policy is to establish the
rules for the granting, control, monitoring, and removal of physical access to
Information Resource facilities.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources, or with the facilities that house information resources, under the control of an organization. The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.

The %ORGANIZATION% Physical Security Policy applies to all
%ORGANIZATION% individuals who install and support Information Resources, who are
charged with Information Resource security, and to data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Physical Security Policy
The form that a Physical Security Policy takes is dependent on many factors. This article is written with small to medium-sized organizations in mind. These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program. In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.

NOTE: Physical security policy is a must in almost all organizations. If physical security is not adequately defined and applied, all other controls could be easily defeated.


- Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.
- Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.
- All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.

The science involved with physical security is often specialized, and there seems to be a limitless supply of available technologies and controls that can be applied. The Physical Security Policy should be written in broad enough terms so as not to restrict the use of any one specific control. The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do. In most cases, I write the policy and then call upon physical security consultants to design effective controls.

NOTE: If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the Physical Security Professional (PSP) certification from ASIS International.


Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Password Policy”
