Physical security is a crucial part of any information security program. Even if you have the most advanced cybersecurity program in the world, it doesn’t do much if someone can walk into your server room and physically steal your data or plant snooping devices. This playbook will walk you through implementing an effective and comprehensive security program based on the NIST 800-53 security controls framework.
NIST 800-53 is a security controls framework for federal entities, federal contractors, and medium- to large-sized organizations. NIST 800-53 groups similar controls into control families. Physical security controls fall under the Physical and Environmental Protection control family, which also includes protections against natural disasters and other environmental threats.
Each physical security control has a priority code ranging from one to three. Priority codes are intended as a recommended implementation order and are not mandated or set in stone. We’ll be using the NIST 800-53 default priority codes in this playbook, but these can be adjusted to align with your organization’s needs and strategy.
Priority One Controls
Priority one controls represent the core group of physical security controls that should be implemented first. They will form the basis of your physical security program and will provide the most security bang for your buck.
PE-1 Physical and Environmental Protection Policy and Procedures
Implementing a security policy should be the first step of any physical security program. Having a defined set of policies and procedures is critical to the effective implementation of the rest of the security controls. Your physical and environmental protection policy should address the following:
- Purpose
- Scope
- Roles
- Responsibilities
- Managerial commitment
- Coordination among organizational entities
- Compliance
You should also define procedures to facilitate the implementation of the policy and selected controls.
Develop, document, and disseminate the policies and procedures to the appropriate personnel and groups. Regularly review and update the policy and procedures to satisfy PE-1.
PE-2 Physical Access Authorization
Physical access authorization ensures you know who should have access to the facility and can correctly identify them. To ensure you have an up-to-date access list for the facility, maintain and periodically review a list of individuals who are authorized to access the facility and remove individuals who no longer require access. Additionally, your organization should issue authorization credentials required to access the facility.
Control enhancements for PE-2 include the following:
- Authorization based on position or role
- Require two forms of ID for visitor access
- Restrict unescorted access
Though not required, these are a good starting point if your organization wants to increase its physical access authorization security.
PE-3 Physical Access Control
Physical access control enforces physical access authorizations by ensuring that individuals who fail authentication from PE-2 are unable to access the facility. Control ingress and egress using physical access controls and maintain an audit log for these access points. Implement security safeguards to control access to areas within the facility that are publicly accessible, escort visitors, and monitor visitor activity. Guard against unauthorized entry with physical access devices such as locks and PIN pads. Keys and combinations should be changed at regular intervals, as well as when keys are lost, combinations are compromised, or individuals are transferred or terminated. Finally, an inventory of physical access devices should be kept and checked regularly.
Control enhancements for PE-3 include the following:
- Enforce physical access authorizations to information systems and the facility
- Perform security checks at the physical boundary of the facility, and on information systems, for unauthorized exfiltration of information or hardware
- Employ guards or alarms to monitor physical access points 24/7
- Use lockable casings to protect information system components from unauthorized physical access
- Employ safeguards to detect or prevent physical tampering of hardware within the information system
- Employ a regular physical penetration testing process to attempt to bypass or circumvent security controls
See the official NIST PE-3 documentation for more details.
PE-4 Access Control for Transmission Medium
Safeguarding the transmission media of your information systems is just as important as safeguarding the information system itself. Transmission media can include Ethernet cables, phone lines, and other data cables. Control physical access to these data lines in order to prevent disruption, tampering, and eavesdropping. This can be implemented by locking wiring closets, disconnecting unused jacks, and protecting cable runs with conduits or cable trays.
PE-6 Monitoring Physical Access
Monitoring who is in your facility allows you to catch anyone who has bypassed your first line of physical access control and respond quickly to developing security incidents. Ensure that you review physical access logs regularly and when there’s an indication of a security incident. Make sure to coordinate the results of reviews and investigations with your organization’s incident response team.
Control enhancements for PE-6 include the following:
- Monitor physical intrusion alarms and surveillance equipment
- Employ automatic mechanisms to recognize intrusions and initiate response actions
- Monitor video surveillance and retain recordings for a defined time period
- Monitor physical access to both the facility and the information systems
Chances are that in the process of implementing the base control for PE-6, you’ll end up implementing one or more of these enhancements.
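As an added example (not from the playbook or from NIST), the Python script below shows what a routine PE-6 log review could look like: it checks a constructed badge-reader log against the PE-2 authorization list and flags revoked or unknown badges, after-hours entries, and repeated denied attempts for follow-up. The badge ids, door names, business hours, and log lines are all assumptions.

```python
# Added example (not from the playbook or NIST): a PE-6 review of a badge-reader
# log against the PE-2 authorization list. Badge ids, doors, hours and log
# lines are all constructed for illustration.
from datetime import datetime, time

# Constructed PE-2 access list: badge -> set of areas the holder may enter.
AUTHORIZED = {"B1001": {"lobby", "server-room"}, "B1002": {"lobby"}}
REVOKED = {"B1003"}                          # removed after transfer/termination
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal operating hours

# Constructed reader log, one event per line: timestamp,badge,door,result
SAMPLE_LOG = """\
2024-03-04T08:15:00,B1001,server-room,granted
2024-03-04T09:02:00,B1002,server-room,denied
2024-03-04T09:02:30,B1002,server-room,denied
2024-03-04T09:03:00,B1002,server-room,denied
2024-03-04T22:40:00,B1001,server-room,granted
2024-03-04T23:05:00,B1003,lobby,granted
2024-03-04T23:06:00,B9999,lobby,granted
"""

def parse(log_text):
    """Turn the CSV-style log into (datetime, badge, door, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, badge, door, result = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events

def review(events, denied_threshold=3):
    """Return (reason, badge, door, timestamp) findings for a reviewer to follow up."""
    findings, denied = [], {}
    for ts, badge, door, result in events:
        if badge in REVOKED:
            findings.append(("revoked badge used", badge, door, ts))
        elif badge not in AUTHORIZED:
            findings.append(("unknown badge", badge, door, ts))
        elif result == "granted" and door not in AUTHORIZED[badge]:
            findings.append(("granted outside authorized areas", badge, door, ts))
        if result == "granted" and not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append(("after-hours entry", badge, door, ts))
        if result == "denied":
            denied[(badge, door)] = denied.get((badge, door), 0) + 1
            if denied[(badge, door)] == denied_threshold:   # fire once per badge/door
                findings.append(("repeated denied attempts", badge, door, ts))
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

Each finding is something the reviewer hands to the incident response team as the base control requires; the thresholds and hours are the knobs your organization would tune.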
Priority Two Controls
At this point, you’ve implemented a solid core of controls that form the basis of your physical security program. The priority two controls build on the core set of controls to further enhance your physical security.
PE-5 Access Control for Output Devices
Ensuring that data cannot be exfiltrated is a good example of defense in depth: if someone manages to breach your first layer of security, there are still many more they must get through. Restrict physical access to information system output devices like printers and monitors in order to prevent unauthorized individuals from obtaining system output. These output devices should be housed in locked rooms or other secured locations that can be monitored.
There are a couple of interesting enhancements for control of output devices that attack the issue from two different sides: limiting access to the device’s location to authorized individuals, and limiting use of the output device itself to authorized individuals. This includes placing the output device behind a locked door or keypad so that unauthorized individuals cannot reach it, and putting authentication on the device itself (e.g., requiring a PIN or hardware token in order to use the device). With this strategy, you also get a record, on the output itself, of who used the device.
PE-16 Delivery and Removal
Controlling what equipment is coming into and out of your facility is an important but often overlooked aspect of data security. The files on your server aren’t secure if someone can simply walk up and take a hard drive out of it! Your organization should ensure that they’re authorizing, controlling, and monitoring any information system components coming in and out of the facility, and maintain records of any components that are brought to or removed from the facility. Depending on your organization, restricting access and/or isolating delivery areas may be necessary to ensure that this control is enforced at all entry and exit points.
Priority Three Controls
Once you’ve implemented the priority one and two controls, it is time to look at the priority three controls. These will ensure that you have a well-rounded physical security program and plug any gaps between the above controls.
PE-8 Visitor Access Records
Partly addressed in PE-2 and PE-3, a visitor access record should be kept for the facility in order to keep track of non-organizational personnel. These logs should be kept for a period of time defined by your organization and reviewed regularly. The only control enhancement for PE-8 is to employ automated mechanisms to facilitate the maintenance and review of visitor access records.
PE-18 Location of Information Systems Components
Your organization should strategically position information systems within the facility to minimize potential damage from environmental or physical hazards such as flooding, tornadoes, acts of terrorism, etc. Which hazards your organization protects against should be based on the risk model of your company and the likelihood of the hazard occurring. For example, it wouldn’t make sense to defend against tornadoes in Maine!
Additionally, you should locate restricted areas away from physical entry points to the facility and from publicly accessible areas. This prevents someone with a wireless sniffer or microphone from accessing secure communications from a publicly accessible location. For example, it would not be smart to put a server room or an executive office next to the publicly accessible waiting room.
Next Steps
Congratulations! You’ve successfully implemented a comprehensive and effective physical security program. But the work doesn’t stop here. For your program to continue to be effective, you must periodically review the program and identify areas that can be improved upon. Do you want to increase security for a specific control? Consider implementing some of the enhancements listed. Want to validate the efficacy of your program? Get an external penetration test to attempt to bypass your security measures. Constant iteration of your program is necessary to maintain your security posture.