March 18, 2020

Physical Security Playbook

NuHarbor Security

Physical security is a crucial part of any information security program. Even the most advanced cybersecurity program in the world doesn’t do much if someone can walk into your server room and physically steal your data or plant snooping devices. This playbook walks you through implementing an effective and comprehensive physical security program based on the NIST 800-53 security controls framework.

NIST 800-53 is a security controls framework for federal entities, federal contractors, and medium- to large-sized organizations. NIST 800-53 groups similar controls into control families. Physical security controls fall under the Physical and Environmental Protection control family, which also includes protections against natural disasters and other environmental threats.

Each physical security control has a priority code ranging from one to three. Priority codes are intended as a recommended implementation order and are not mandated or set in stone. We’ll be using the NIST 800-53 default priority codes in this playbook, but these can be adjusted to align with your organization’s needs and strategy.

Priority One Controls

Priority one controls represent the core group of physical security controls that should be implemented first. They will form the basis of your physical security program and will provide the most security bang for your buck.

PE-1 Physical and Environmental Protection Policy and Procedures

Implementing a security policy should be the first step of any physical security program. Having a defined set of policies and procedures is critical to the effective implementation of the rest of the security controls. Your physical and environmental protection policy should address the following:

  • Purpose
  • Scope
  • Roles
  • Responsibilities
  • Managerial commitment
  • Coordination among organizational entities
  • Compliance

You should also define procedures to facilitate the implementation of the policy and selected controls.

Develop, document, and disseminate the policies and procedures to the appropriate personnel and groups. Regularly review and update the policy and procedures to satisfy PE-1.

PE-2 Physical Access Authorization

Physical access authorization ensures you know who should have access to the facility and can correctly identify them. To ensure you have an up-to-date access list for the facility, maintain and periodically review a list of individuals who are authorized to access the facility and remove individuals who no longer require access. Additionally, your organization should issue authorization credentials required to access the facility.

Control enhancements for PE-2 include the following:

  • Authorization based on position or role
  • Require two forms of ID for visitor access
  • Restrict unescorted access

Though not required, these are a good starting point if your organization wants to increase its physical access authorization security.

PE-3 Physical Access Control

Physical access control enforces physical access authorizations by ensuring that individuals who fail the authentication defined in PE-2 are unable to access the facility. Control ingress and egress using physical access controls and maintain an audit log for these access points. Implement security safeguards to control access to areas within the facility that are publicly accessible, escort visitors, and monitor visitor activity. Guard against unauthorized entry with physical access devices such as locks and PIN pads. Change keys and combinations at regular intervals and whenever keys are lost, combinations are compromised, or individuals are transferred or terminated. Finally, keep an inventory of physical access devices and check it regularly.

Control enhancements for PE-3 include the following:

  • Enforce physical access authorizations to information systems and the facility
  • Perform security checks at the physical boundary of the facility, and on information systems, for unauthorized exfiltration of information or hardware
  • Employ guards or alarms to monitor physical access points 24/7
  • Use lockable casings to protect information system components from unauthorized physical access
  • Employ safeguards to detect or prevent physical tampering of hardware within the information system
  • Employ a regular physical penetration testing process to attempt to bypass or circumvent security controls

See the official NIST PE-3 documentation for more details.

PE-4 Access Control for Transmission Medium

Safeguarding the transmission media of your information systems is just as important as safeguarding the information systems themselves. Transmission media include Ethernet cables, phone lines, and other data cables. Control physical access to these data lines in order to prevent disruption, tampering, and eavesdropping. This can be implemented by locking wiring closets, disconnecting unused jacks, and protecting cable runs with conduits or cable trays.

PE-6 Monitoring Physical Access

Monitoring who is in your facility allows you to catch anyone who has bypassed your first line of physical access control and respond quickly to developing security incidents. Ensure that you review physical access logs regularly and when there’s an indication of a security incident. Make sure to coordinate the results of reviews and investigations with your organization’s incident response team.

Control enhancements for PE-6 include the following:

  • Monitor physical intrusion alarms and surveillance equipment
  • Employ automatic mechanisms to recognize intrusions and initiate response actions
  • Monitor video surveillance and retain recordings for a defined time period
  • Monitor physical access to both the facility and the information systems

Chances are that in the process of implementing the base control for PE-6, you’ll end up implementing one or more of these enhancements.
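The PE-6 log review described above is easiest to do well when the access log (PE-3) is checked against the authorization list (PE-2) automatically. The following is an added example, not code from the original post; the badge IDs, door names, business hours, and log lines are constructed for illustration, and the finding types are one reasonable set rather than anything NIST prescribes.

```python
# Added example, not from the original post: reconcile a badge-reader audit log (PE-3)
# against the PE-2 authorization list, the periodic review PE-6 calls for.
from collections import Counter
from datetime import datetime, time

# Constructed PE-2 access list: badge -> permitted areas and whether the
# authorization is still active (B1003 was terminated but not yet de-provisioned).
AUTHORIZED = {
    "B1001": {"areas": {"lobby", "server_room"}, "active": True},
    "B1002": {"areas": {"lobby"}, "active": True},
    "B1003": {"areas": {"lobby", "server_room"}, "active": False},
}
RESTRICTED = {"server_room"}                # areas that warrant after-hours findings
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # constructed; tune per facility
DENIED_THRESHOLD = 3                        # repeated denials at one door by one badge

# Constructed audit log lines: ISO timestamp, badge id, door, reader decision
SAMPLE_LOG = """\
2020-03-16T08:02:11,B1001,lobby,granted
2020-03-16T08:05:40,B1002,lobby,granted
2020-03-16T08:09:03,B1002,server_room,denied
2020-03-16T08:09:15,B1002,server_room,denied
2020-03-16T08:09:30,B1002,server_room,denied
2020-03-16T22:47:02,B1003,server_room,granted
2020-03-16T23:10:55,B9999,lobby,granted
"""

def parse_log(text):
    rows = (line.strip().split(",") for line in text.splitlines() if line.strip())
    return [{"ts": datetime.fromisoformat(t), "badge": b, "door": d, "result": r} for t, b, d, r in rows]

def review_access_log(events, authorized=AUTHORIZED):
    # Returns (timestamp, finding, badge, door) tuples for incident response follow-up.
    findings, denied = [], Counter()
    for e in events:
        ts, badge, door, granted = e["ts"], e["badge"], e["door"], e["result"] == "granted"
        who = authorized.get(badge)
        if who is None:                         # badge not on the PE-2 list at all
            findings.append((ts, "unknown_badge", badge, door))
        elif granted and not who["active"]:     # access should have been revoked
            findings.append((ts, "revoked_badge_granted", badge, door))
        elif granted and door not in who["areas"]:
            findings.append((ts, "area_not_authorized", badge, door))
        after_hours = not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])
        if granted and door in RESTRICTED and after_hours:
            findings.append((ts, "after_hours_restricted", badge, door))
        if not granted:                         # repeated denials: probing or a stale list
            denied[(badge, door)] += 1
            if denied[(badge, door)] == DENIED_THRESHOLD:
                findings.append((ts, "repeated_denied", badge, door))
    return findings
```

Each finding is something to hand to the incident response team, which is the coordination the base PE-6 control asks for.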

Priority Two Controls

At this point, you’ve implemented a solid core of controls that form the basis of your physical security program. The priority two controls build off the core set of controls to further enhance your physical security.

PE-5 Access Control for Output Devices

Preventing data from being exfiltrated is a good example of defense in depth: if someone manages to breach your first layer of security, there are still many more they must get through. Restrict physical access to information system output devices like printers and monitors in order to prevent unauthorized individuals from obtaining system output. These output devices should be housed in locked rooms or other secured locations that can be monitored.

There are a couple of interesting enhancements for control of output devices that approach the issue from two different sides: limiting access to the device’s location to authorized individuals, and limiting use of the output device itself to authorized individuals. This includes placing the output device behind a locked door or keypad so that unauthorized individuals cannot reach it, and putting authentication on the device itself (e.g., requiring a PIN or hardware token in order to use the device). With this strategy, you also get a record of who accessed the resource on the output itself.

PE-16 Delivery and Removal

Controlling what equipment is coming into and out of your facility is an important but often overlooked aspect of data security. The files on your server aren’t secure if someone can simply walk up and take a hard drive out of it! Your organization should authorize, control, and monitor any information system components coming into or leaving the facility, and maintain records of any components that are brought to or removed from the facility. Depending on your organization, restricting access to and/or isolating delivery areas may be necessary to ensure that this control is enforced at all entry and exit points.

Priority Three Controls

Once you’ve implemented the priority one and two controls, it is time to look at the priority three controls. These will ensure that you have a well-rounded physical security program and plug any gaps between the above controls.

PE-8 Visitor Access Records

Although partly addressed by PE-2 and PE-3, a visitor access record should be kept for the facility in order to keep track of non-organizational personnel. These logs should be retained for a period of time defined by your organization and reviewed regularly. The only control enhancement for PE-8 is to employ automated mechanisms to facilitate the maintenance and review of visitor access records.

PE-18 Location of Information Systems Components

Your organization should strategically position information systems within the facility to minimize potential damage from environmental or physical hazards such as flooding, tornadoes, acts of terrorism, etc. Which hazards your organization protects against should be based on your company’s risk model and the likelihood of each hazard occurring. For example, it wouldn’t make sense to defend against tornadoes in Maine!

Additionally, locate restricted areas away from physical entry points to the facility and from publicly accessible areas. This prevents someone with a wireless sniffer or microphone from intercepting secure communications from a publicly accessible location. For example, it would not be smart to put a server room or an executive office next to the publicly accessible waiting room.

Next Steps

Congratulations! You’ve successfully implemented a comprehensive and effective physical security program. But the work doesn’t stop here. For your program to continue to be effective, you must periodically review it and identify areas that can be improved. Do you want to increase security for a specific control? Consider implementing some of the enhancements listed. Want to validate the efficacy of your program? Get an external penetration test to attempt to bypass your security measures. Constant iteration of your program is necessary to maintain your security posture.
