Physical security has always been a cornerstone of any Information Security program. As a topic, it is covered by every major security standard. Most have entire sections dedicated to physical security:
- ISO27001:2013 has A.11 “Physical and Environmental Controls“
- The SoGP has CF3.3 “Sensitive Physical Information” and CF19 “Physical and Environmental Security”
- PCI-DSS Requirement 9 mandates “Restrict physical access to cardholder data“
- The NIST Cybersecurity framework includes PR.AC-2: “Physical access to assets is managed and protected.”
- Even the 1995 NIST SP800-12 “Introduction to Computer Security: The NIST Handbook,” has Chapter 15 dedicated to physical security.
- The UK Government’s Security Policy Framework (SPF) October 2013 version includes it as Security Policy 4 “Physical security and counter terrorism.”
Despite this, controls are still being neglected. Private sector organisations and government agencies spend fortunes on security, but then compromise it by missing out physical controls.
What makes this stranger is that most physical security controls are cheap and easy to implement. Maybe it is just they aren’t flashy and aren’t normally excitingly high-tech. Good security controls just work.
The perils of ignoring physical security
The Information Commissioner’s Office (ICO) has been busy enforcing the Data Protection Act this month, with a couple of actions being directly down to poor physical security practices.
First, on 13 March 2014, the ICO announced that it had issued an enforcement notice on Neath Care, with the following message:
[Neath Care] has been found in breach of the Data Protection Act after the files of 10 vulnerable and elderly people were found on a street in Neath Port Talbot.
It appears that the care agency failed to implement basic physical security controls such as asset management, monitoring and transport. This led to an employee taking the documents out of the office, dropping them and not realising until a member of the public reported it.
Often organisations have excellent controls around the expensive things (e.g. computers, laptops) but then forget everyone once the data has come off the printer. It seems unlikely that an employee would leave a laptop on the pavement and not notice.
When handling sensitive data, organisations should have a comprehensive security strategy which includes handling, and accounting for, paper copies. All employees should be made aware of this and, as always, records must be kept.
The next breach of interest was reported by the ICO in a 19 March announcement. This time it was serious enough that Kent Police were fined £100,000. This was quite a shocking example of how people can forget to track old, low-financial-value physical assets:
The Information Commissioner’s Office has served a monetary penalty of £100,000 on Kent Police after confidential information, including copies of police interview tapes, was left in the basement of a former police station.
The highly sensitive information included records relating back to the 1980s, thought to have been left at the site when the building was vacated in July 2009.
The information was discovered when a police officer was visiting a business owner about an unrelated matter on 27 November 2012 and noticed a pile of tapes with the logo of Kent Police stuck on them. The business owner confirmed that he had found the tapes in the basement of the old police station, after purchasing the site two months before, and was planning on watching them for entertainment.
It is almost certain that none of the officers or staff abandoned these tapes on purpose. It is almost certain that the business owner took them with malicious intent. However, the breach still happened.
Most people will agree that police interview tapes are pretty sensitive affairs. The officers will be asking questions about crimes, possibly including otherwise unreported information, and the interviewee will be providing information they may not expect anyone else to hear.
Given that these tapes may have ended up being used as evidence, it seems strange that they weren’t properly accounted for when the station moved offices. The problem is often that boring, “old-fashioned,” equipment is frequently overlooked when people concentrate on the modern equivalents.
The ICO’s Head of Enforcement sums it up well:
How a police force could leave such information unattended in a basement for several years is difficult to understand.
Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned.
Good information governance has to include good physical security controls – the most basic of which is making sure you know where your assets are. Anything else is basically asking for a breach.
Physical security underpins everything
This is the crucial point. Good physical security controls are so important that, without them, all your other controls are undermined to the degree that they may become pointless.
Good physical security controls are cheap – in the two cases here, a simple asset register would have saved both organisations – and easy to implement. They don’t make headline news, they don’t get people exited on twitter, they don’t come with flashy vendor presentations, but they do work. Isn’t that what actually matters?
Physical Security Assessment Form – Free Download
Halkyn Consulting has produced a physical security assessment form as a freely downloadable resource to help organisations get a baseline of their current security and see what areas need improving.
In addition to this form, our security resources area has a selection of other tools you can use to assess, understand and improve your physical security controls.
As part of our commitment to improving security awareness in general, if there is a specific tool you cant find but think would help people then please get in touch and we will see if we can help you out.
Remember – all good security builds on good physical security controls.