<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Physical Facility Access Policy Best Practices

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Physical security is not just a concern for large companies. A small business also needs an established physical security policy to protect their physical assets and provide their employees with a sense of protection and safety.

In this policy, you will define the controls, monitoring, and removal of physical access to your company’s facilities. Here are five practices for writing your office physical security policy:

Create an access control system

You need to have a system in place to control who can enter your office space and how. For most small businesses, a physical key or key card access system will suffice. Keep a log of keys, their owners, and when/where the keys are used. If access cards go lost or stolen, deactivate them immediately to avoid misuse. Additionally, make sure any issued keys are returned as part of employee offboarding/termination procedures.

Secure the office interior/exterior

Before spending too much time and money on information security controls, you need to step back and think about what is practical for your business. If you’re a young company with just a few employees working out of a single room, you probably don’t need a security guard or receptionist. But if you work out of a larger, sprawling complex with many public areas and points of access, more advanced controls such as CCTV cameras around the perimeter might be appropriate.

Inside the structure, additional controls such as alarms, motion and glass-break sensors are common as well. If your office has additional sensitive areas, such as a datacenter, it may make sense to install additional layers of physical security. These layers might include a key card system that provides physical protection by only granting access to member of your IT/security teams. At a minimum, create a sign in/out log to track employees who access these secure areas.

Control staff and contractor access

Your full time staff members will already have access to the building through your determined access system, but you may also need to use this system for part time staff and contractors as well. In these cases, any temporary employees should have access that is pre-configured to expire on the last day of employment. Perhaps better yet, they should be formally off-boarded by a member of HR, who would also take any access keys at that time. Additionally, these part time employees should wear ID badges/passes that clearly indicate their access to the building is temporary.

Guest/visitor access

At your building’s main access points, have a sign-in sheet for all guests and visitors. This sheet should include fields for the visitor’s name and company, as well as check in/out times. Visitors should also wear badges that clearly distinguish themselves from regular staff - that way they stand out clearly to everyone in the office. The badges, if not tracked carefully, can often end up walking right out the door. Consider using temporary sticker badges that expire - either by changing color or by gradually overwriting the badge with a “VOID” message - after about eight hours.

It’s also important that visitors be escorted at all times. This is especially important if they are entering sensitive areas such as your data center or server room. And if the visitor will be exposed to company data while on premise, have them sign an NDA agreement as well. As part of your security awareness training, remind users to ask any unattended visitors for identification or a reason for their visit, and then escort them to the appropriate room or personnel. Also, users should immediately report any suspicion of unauthorized access to physical office spaces.

Log management and review

Much like technical incidents, where you need as much verbose logging detail as possible to get to the bottom of an investigation, the same holds true for physical security. It’s important to keep detailed access logs, such as keys issued (and when they’re used), as well as visitors entering/exiting the premises. You also need to make some decisions on how long you will retain footage from video cameras. A common retention period is 90 days. All-access logs should be reviewed at least quarterly.

Summary

Many organizations spend much of their time and money on technical protections to guard their most valuable assets and sensitive information. But all those layers of security can be bypassed if someone can walk in your front door and plug a rogue device into your network without being noticed. A good physical security policy will make sure you have the appropriate controls deployed around your perimeter and throughout your office interior, as well as solid guidance around how to securely manage temporary employees and visitors. Finally, the policy will ensure you have the necessary logging information to investigate a physical security incident if needed.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2022 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.