Physical security is a crucial part of any information security program. Even if you have the most advanced cybersecurity program in the world, it doesn’t do much if someone can walk into your server room and physically steal your data or plant snooping devices. This playbook will walk you through implementing an effective and comprehensive security program through the NIST 800-53 security controls framework.

NIST 800-53 is a security controls framework for federal entities, federal contractors, and medium to large sized organizations. NIST 800-53 groups similar controls into control families. In NIST 800-53, physical security controls fall under the Physical and Environmental Protection Control Family, which also includes protections against natural disasters and other environmental threats.

Each Physical Security control has a priority code, ranging from one to three. Priority codes are intended as a recommended implementation order and are not mandated or set in stone. In this playbook, we will be using the NIST 800-53 default priority codes, but these can be changed to align with your organization’s needs and strategy.

Priority One Controls

Priority one controls represent the core group of physical security controls that should be implemented first.  They will form the basis of your physical security program and will provide the most security bang for your buck.

PE-1 Physical and Environmental Protection Policy and Procedures

Implementing a security policy should be the first step of any physical security program. Having a defined set of policies and procedures is critical to the effective implementation of the rest of the security controls. Your physical and environmental protection policy should address the following:

  • Purpose
  • Scope
  • Roles
  • Responsibilities
  • Management Commitment
  • Coordination among organizational entities
  • Compliance

You should also define procedures to facilitate the implementation of the policy and selected controls.

Develop, document, and disseminate the policies and procedures to the appropriate personal and groups. Regularly review and update the policy and procedures in order to satisfy PE-1.

PE-2 Physical Access Authorization

Physical access authorization ensures you know who should have access to the facility and can correctly identify them. In order to ensure that you have an up to date access list for the facility, you should maintain and periodically review a list of individuals who are authorized to access the facility as well as remove individuals who no longer require access. Additionally, your organization should issue authorization credentials required to access the facility.

There are three enhancements that are included in PE-2, authorizing based on position or role, requiring two forms of ID for visitor access, and restricting unescorted access. Although not required, if your organization wants to increase their physical access authorization security these are a good place to start.

PE-3 Physical Access Control

Physical access control enforces physical access authorizations by ensuring that individuals who fail authentication from PE-2 are unable to access the facility. Control ingress and egress using physical access controls and maintain an audit log for these access points.  Implement security safeguards to control access to areas within the facility that are publicly accessible as well as escort and monitor visitor activity.  Guard against unauthorized entry with physical access devices such as locks and pin-pads.  Keys and combinations should be changed at regular intervals as well as when keys are lost, combinations are compromised, and when individuals are transferred or terminated.  Finally, an inventory of physical access devices should be kept and checked regularly.

There are several security enhancements for PE-3.  These include the following:

  • Enforcing physical access authorizations to information systems as well as the facility
  • Performing security checks at physical boundary of the facility/information systems for unauthorized exfiltration of info or hardware
  • Employ guards or alarms to monitor physical access points 24/7
  • Use lockable casings to protect information system components from unauthorized physical access
  • Employ safeguards to detect or prevent physical tampering of hardware within the information system
  • Employ a regular physical penetration testing process to attempt to bypass or circumvent security controls

See the official NIST PE-3 documentation for more details

PE-4 Access Control for Transmission Medium

Safeguarding the transmission mediums of your information system is just as important as safeguarding the information system itself. The transmission mediums can include ethernet cables and phone lines, and other data carrying cables.  Control physical access to these data lines in order to prevent disruption, tampering, and eavesdropping.  This can be implemented by locking wire closets disconnect unused jacks, and protecting cable runs with conduits or cable trays.

PE-6 Monitoring Physical Access

Monitoring who is in your facility allows you to catch anyone who has bypassed your first line of physical access control, as well as respond quickly to developing security incidents.  Ensure that you review physical access logs regularly and when there is an indication of a security incident. Make sure to coordinate the results of reviews and investigations with your organization’s incident response team.

Control enhancements for PE-6 include the following

  • monitoring physical intrusion alarms and surveillance equipment
  • employing automatic mechanisms to recognize intrusions and initiate response actions
  • monitoring video surveillance and retaining recordings for a defined time period
  • monitoring physical access to both the facility and the information systems.

Chances are that in the process of implementing the base control for PE-6 you will end up implementing one or more of these enhancements.

Priority Two Controls

At this point, you have implemented a solid core of controls that form the basis of your physical security program. The priority two controls build off the core set of controls to further enhance your physical security.

PE-5 Access Control for Output Devices

Ensuring that data cannot be exfiltrated is a good example of defense in depth, ensuring that if someone manages to breach your first layer of security that there are still many more that they need to get through.  Restrict physical access to information system output devices like printers and monitors in order to prevent unauthorized individuals from obtaining output of the information systems.  These output devices should be in locked rooms or other secured areas as well as placed in locations that can be monitored.

There are a couple interesting enhancements for control of output devices that attack the issue from two different sides, limiting the access to the room the output device is in to authorized individuals, and limiting the use of the output device itself to authorized individuals.  Limiting the output to authorized individuals includes locking the output device behind a locked door or keypad and ensuring that unauthorized individuals cannot get to the output device. Limiting the use of the output device to individuals involves putting authentication on the device itself such as requiring a pin or hardware token in order to use the device. With this strategy, you can also put a watermark or receipt of who accessed the resource on the output itself.

PE-16 Delivery and Removal

Controlling what equipment is coming into and out of your facility is an important but often overlooked aspect of data security.  The files on your server aren’t secure if someone can just walk up and take a hard drive out of it!  Your organization should ensure that they are authorizing, controlling, and monitoring any information system components coming in and out of the facility.  Your organization should also maintain records of any components that are brought to or removed from the facility.  Depending on your organization, restricting access and/or isolating delivery areas may be needed in order to ensure that this control is enforced at all entry and exit points that components can pass through.

Priority Three Controls

Once you have implemented the priority one and two controls, it is time to look at the priority three controls.  These will ensure that you have a well-rounded physical security program and plug gaps between a couple of the above controls.

PE-8 Visitor Access Records

Partly addressed in PE-2 and PE-3, visitor access record should be kept for the facility in order to keep track of non-organizational personal.  These logs should be kept for a period defined by your organization and should be reviewed regularly.  The only control enhancement for PE-8 is to employ automated mechanisms to facilitate the maintenance and review of visitor access records.

PE-18 Location of Information Systems Components

Your organizations should strategically position information systems within the facility to minimize potential damage from environmental or physical hazards such as flooding, tornados, acts of terrorism, etc. What hazards your organization protects against should be based on the risk model of your company and the likelihood of the hazard occurring. It wouldn’t make sense to defend against tornadoes in Maine!

Additionally, you should be strategically locating restricted areas away from physical entry points to the facility and publicly accessible areas.  This prevents someone with a wireless sniffer or microphone from accessing secure communications from a publicly accessible location.  For example, it would not be a great idea to put a sever room or an executive office next to the publicly accessible waiting room.

Next Steps

Congratulations! You have successfully implemented a comprehensive and effective physical security program.  The work does not stop here though.  For your program to continue to be effective, you must periodically review the program and identify areas that can be improved upon.  Have you determined that you want to increase security for a specific control? Consider implementing some of the enhancements listed.  Want to validate that your program is effective? Get an external penetration test to attempt to bypass your security measures.  You should be constantly iterating your program if you want to continue to maintain your security posture.

by: Hayley Froio

Information Assurance Team Member at NuHarbor Security

Follow us on Social Media for more information: