Physical security perimeters

Physical perimeters are the surroundings of your office buildings, data centers or any other location where your employees work with, store or process your information. With physical security perimeters you therefore want to secure not just an office building, but also its direct surroundings, like parking places or office gardens: any area that is part of your office locations. Your information is not only accessible by direct access to a computer; from a distance your information can be viewed or your infrastructure can be attacked.

For example, your workspace is located near a window. Because you hate bright sunlight shining into your eyes, you have your desk turned away from the window, so the screen faces it. Anyone who walks past outside the window might be able to view your screen and read the information on it.

You might think: who would be stupid enough to turn their screen towards a window? That way you are practically asking others to read your screen. But I have seen this happen at a lot of organizations, specifically at organizations that work at or near a shopping center, like job centers or travel agencies.

Physical security perimeters are not only about workplace security, but also about the locations where your information is stored or processed, like data centers. However, most organizations won't have their own physical data center; you will probably use a cloud provider, like Microsoft 365 or Google Workspace. Even in that case you need to check that the cloud provider has managed its physical security in such a way that it matches your security needs, for example by reviewing the provider's published physical security documentation and independent audit reports.

How

To successfully implement this control you need to know where your information is located during processing and storage, and where it is accessed from. Basically this means that your office locations and data centers are secured. If you have employees who work outside the office location, you need agreements or guidelines so these employees know how to set up a remote workplace. These agreements or guidelines do not only cover security, but may also state legal or regulatory requirements, such as EU-OSHA guidance or any other working conditions laws that apply to you.

Securing the perimeter of the buildings you control is the next step. Which measures you need to take depends on the risk levels and your risk appetite, but basic measures would be a fence, locks, an alarm system and a CCTV setup. For high-risk locations you can add security measures like motion detection or electric bollards.

Finally, you need to know whether the measures you have taken are working as intended, so test each of the measures regularly. Which tests to run and how to perform them depends on the measures you have taken. The supplier of these measures should be able to help you design a reliable and repeatable test, and the results of each test should be recorded so you can show the control has been verified.

Risks

As with most security measures, you do not want to overdo it. Make sure you have your risks in sight and act on those risks that are too high. In these risk assessments include, at a minimum, the following topics:

  • Piggybacking and Tailgating
  • Social engineering
  • Dumpster diving

Other risk topics to think about are:

  • Breaking in and theft
  • Vandalism
  • Sabotage
  • Terrorism
  • Natural disasters
  • Unaccounted visitors
  • Accidents


Example Control Set

When the following controls are in place, you should be able to demonstrate compliance for this topic:

  • The perimeter is defined for each location
  • An alarm system is activated after office hours
  • The alarm system monitors open doors and windows, movement, smoke and heat
  • The alarm system is tested every 6 months
  • Access to the offices requires an identification pass
  • Access to rooms or departments where sensitive information is stored or accessed requires the use of an identification pass


Related links

Physical security at Microsoft
Physical security at AWS
Physical security at Google