NIST Security Requirements: Physical Security
Physical security today is very different from what it was years ago, because technological devices have become much smaller, lighter, and more easily portable. This has raised an enormous issue in the workplace, as data is continuously being stolen, lost, or misused. Physical security is the practice of protecting tangible and intangible assets from any physical event that could cause damage to your organization. All physical aspects need to be considered, such as entrances, exits, surveillance systems, network infrastructure, backups, locks, passwords, and more. What most organizations don't realize is that leaving their physical environment vulnerable because of perceived budget or time constraints will end up costing them more time and money when data is stolen or damaged. Because of that threat, physical security is an important part of NIST SP 800-171 compliance.
NIST SP 800-171
Physical Protection, section 3.10 of the NIST SP 800-171 publication, states the basic physical security requirements involved in protecting your organization. These include limiting physical access to information systems, equipment, and their operating environments to authorized individuals. The section also includes a subsection called "Derived Security Requirements," which covers escorting and monitoring visitors, maintaining audit logs of physical access, controlling and managing physical access devices, and enforcing safeguarding policies for CUI at alternate work sites. If your organization requires compliance with the NIST SP 800-171 standard, the tips below will assist you on your journey to compliance.
Implementing Physical Security Controls and Training
When it comes to the physical security of your organization, the most important thing you can do is to train your employees. Employees are one of the main reasons organizations become exposed to physical security risks. The most common physical security incident an organization experiences is an intruder who tailgates their way in behind an authorized person. To prevent that from happening, employees should wear badges at all times and be trained to notice who is entering the building with them. Unidentified personnel within your facility should be reported to the on-site security officer immediately. In case an intruder does enter your facility, sensitive data needs to be protected by locking computer workstations and ensuring that it is not left out in the open. Under a "clean desk" policy, sensitive documents are placed into locked file cabinets and/or drawers when not in use. Another key aspect of physical security is surveillance. A good place to start is a surveillance system set up on the exterior of your facility, most importantly at the entrances and exits. Finally, you should ensure that you are securing your network and the data that lives on it.
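The derived requirements above (escorting visitors, keeping physical access logs) and the tailgating concern can be checked against badge-reader data. The following is an added example, not code from the original post or from NeQter Labs: it audits a constructed badge log, flagging visitor entries with no employee badge-in at the same door within an assumed 30-second escort window, entries outside assumed business hours, and badges that enter twice without an exit (a gap that often indicates tailgating on the way out). The log format, window and hours are assumptions for the example.

```python
# Added example (not from the original post): review a badge-reader log against
# NIST SP 800-171 3.10.3 (escort visitors) and 3.10.4 (audit logs of physical access).
from datetime import datetime, timedelta

# Constructed sample log: timestamp, badge id, holder type, door, event
BADGE_LOG = """\
2024-03-04T08:02:10 E1001 employee FRONT entry
2024-03-04T08:02:14 V2001 visitor  FRONT entry
2024-03-04T09:30:00 V2002 visitor  FRONT entry
2024-03-04T12:05:41 E1001 employee FRONT exit
2024-03-04T12:05:41 V2001 visitor  FRONT exit
2024-03-04T22:15:07 E1002 employee REAR  entry
2024-03-04T13:10:00 E1003 employee FRONT entry
2024-03-04T13:50:00 E1003 employee FRONT entry
"""

ESCORT_WINDOW = timedelta(seconds=30)  # assumed: escort must badge in within 30 s
BUSINESS_HOURS = (7, 19)               # assumed: 07:00 to 19:00 local time

def parse_log(text):
    """Parse the whitespace-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, badge, kind, door, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "kind": kind, "door": door, "event": event})
    return sorted(events, key=lambda e: e["ts"])

def audit(events):
    """Return (finding, badge, timestamp) tuples for policy violations."""
    findings = []
    employee_entries = [e for e in events if e["kind"] == "employee" and e["event"] == "entry"]
    open_entries = {}  # badge -> timestamp of an entry not yet matched by an exit
    for e in events:
        if e["kind"] == "visitor" and e["event"] == "entry":
            escorted = any(x["door"] == e["door"] and abs(x["ts"] - e["ts"]) <= ESCORT_WINDOW
                           for x in employee_entries)
            if not escorted:
                findings.append(("unescorted_visitor", e["badge"], e["ts"]))
        if e["event"] == "entry" and not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_entry", e["badge"], e["ts"]))
        if e["event"] == "entry":
            if e["badge"] in open_entries:  # entered again without ever badging out
                findings.append(("entry_without_exit", e["badge"], e["ts"]))
            open_entries[e["badge"]] = e["ts"]
        else:
            open_entries.pop(e["badge"], None)
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(BADGE_LOG)):
        print(*finding)
```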
Secure Your Organization
The controls and policies listed above are just a few of the areas where a lack of physical security can impact your organization. There are many more ways that your organization can become more secure in terms of physical security. A great start towards implementing physical security controls is to train your employees. As the NIST SP 800-171 controls can be difficult to understand, please feel free to contact NeQter Labs for more information by phone, 401.608.6522, or email. Stay tuned, as another blog post on the importance of cybersecurity training is coming shortly.