2.3 Protecting Physical Spaces

Protecting an organization's physical environment requires a combination of managerial policies and technical controls. These measures work together to create a layered defense that deters and prevents unauthorized physical access.

Managerial controls are policies and procedures that guide employee behavior and establish security standards. A cornerstone of physical security is comprehensive security awareness training. This training educates employees on how to recognize and respond to threats, including detecting social engineering attempts like phishing and understanding the importance of not allowing others to tailgate them into secure areas. Another key managerial control is a workstation security policy. This policy outlines specific rules for maintaining security in the workplace, such as:

  • Requiring employees to lock their devices before leaving their desks unattended.
  • Implementing a clean desk policy, which mandates that sensitive documents be cleared from view and properly stored when not in use.
  • Using privacy screen filters on monitors to prevent shoulder surfing.
  • Ensuring critical devices are connected to an uninterruptible power supply (UPS) to protect against power surges and outages.

Beyond policies, organizations implement a variety of physical and technical controls to mitigate risks. To determine the most effective mitigation strategy, a security professional analyzes how an adversary might exploit a vulnerability and selects controls to prevent or deter that attack. These controls include:

  • Perimeter Security: Fencing, gates, and bollards (short, sturdy posts) can be installed around a building's perimeter to control vehicle and pedestrian access, acting as a first line of defense.
  • Locks: High-quality locks on doors, server cabinets, and even individual computers can prevent theft and unauthorized physical access to critical hardware.
  • Card Readers: Electronic access control systems using badges or cards can restrict entry to authorized personnel. These systems also create a log of who accessed which areas and at what times, providing a valuable audit trail.
  • Access Control Vestibules: Also known as mantraps, these are small rooms with two doors where a person must pass through one door before the second one can be opened. They are highly effective at preventing tailgating and piggybacking, as they typically allow only one person to pass through at a time.
  • Port Security: To prevent an adversary from introducing malware via a physical connection, an organization can disable unused USB ports on workstations through a technical control.
  • Power Redundancy: An uninterruptible power supply (UPS) provides short-term battery backup for a device during a power failure, allowing for a graceful shutdown. For longer-term power needs, organizations can use on-site power generators.
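The card-reader audit trail described above is only useful if someone reviews it. The following script is an added example, not part of the original page: it parses a constructed badge log and flags two things a physical-security reviewer looks for, a badge that swipes IN while the system still has it inside (it left without badging OUT, which usually means a held door or tailgating) and an IN swipe outside an assumed business-hours window. The log format, door name, badge IDs and hours are all constructed assumptions.

```python
"""Audit a card-reader access log for tailgating indicators and after-hours entries.

Added example, not from the original page. The log format, the door names and
the business-hours window are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, one event per line: "timestamp,badge_id,door,direction"
SAMPLE_LOG = """\
2024-03-04T08:02:11,B1001,server-room,IN
2024-03-04T08:45:30,B1001,server-room,OUT
2024-03-04T09:10:05,B2002,server-room,IN
2024-03-04T09:58:40,B2002,server-room,IN
2024-03-04T12:20:00,B2002,server-room,OUT
2024-03-04T23:15:42,B3003,server-room,IN
2024-03-04T23:40:10,B3003,server-room,OUT
"""

# Assumed window in which routine access is expected (start inclusive, end exclusive)
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the CSV-style log into (timestamp, badge, door, direction) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, badge, door, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door, direction))
    events.sort(key=lambda e: e[0])
    return events


def find_anomalies(events, hours=BUSINESS_HOURS):
    """Return a list of (kind, badge, door, timestamp) findings.

    'double-entry'        : IN swipe while the badge is already recorded inside;
                            the holder previously left without badging OUT
                            (a held door or tailgating indicator).
    'exit-without-entry'  : OUT swipe with no matching IN, the same indicator in reverse.
    'after-hours'         : IN swipe outside the business-hours window.
    """
    inside = defaultdict(set)   # door -> badges the system believes are inside
    findings = []
    for ts, badge, door, direction in events:
        if direction == "IN":
            if not (hours[0] <= ts.time() < hours[1]):
                findings.append(("after-hours", badge, door, ts))
            if badge in inside[door]:
                findings.append(("double-entry", badge, door, ts))
            inside[door].add(badge)
        elif direction == "OUT":
            if badge not in inside[door]:
                findings.append(("exit-without-entry", badge, door, ts))
            inside[door].discard(badge)
    return findings


if __name__ == "__main__":
    for kind, badge, door, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:20} badge={badge} door={door}")
```

On the constructed log this reports one double-entry for B2002 (it badged IN twice with no OUT in between) and one after-hours entry for B3003. In a real deployment the same anti-passback logic is usually enforced by the access control system itself; running it over the exported log is the way to verify that the controls and the audit trail agree.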

When deciding which controls to implement, organizations must prioritize based on the severity of the identified risks and the cost of the proposed mitigations. The goal is to implement the most cost-effective solutions that provide the greatest reduction in risk.
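To make "severity of the risk versus cost of the mitigation" concrete, here is an added example that is not part of the original page. It assumes the common annualized loss expectancy (ALE) model, where ALE is the loss per incident multiplied by the expected incidents per year, and ranks candidate controls from this page by the net annual benefit of each (risk removed minus control cost). Every figure in it is a constructed illustration, not real pricing or incident data.

```python
"""Rank candidate physical-security controls by risk reduction against cost.

Added example, not from the original page. It assumes the annualized loss
expectancy (ALE) model: ALE = single loss expectancy (SLE) * annual rate of
occurrence (ARO). All numbers are constructed for illustration only.
"""

# Constructed risk scenario: unauthorized physical entry to a server room.
SLE = 250_000.0    # assumed loss per incident, in dollars
ARO_BEFORE = 0.4   # assumed incidents per year with no additional control

# Constructed candidates: (control name, annual cost, ARO after the control is in place)
CANDIDATES = [
    ("fencing and gates",            30_000.0, 0.30),
    ("card readers on doors",        12_000.0, 0.15),
    ("access control vestibule",     40_000.0, 0.05),
    ("security awareness training",   5_000.0, 0.25),
]


def ale(sle, aro):
    """Annualized loss expectancy for a given loss size and yearly frequency."""
    return sle * aro


def evaluate(sle, aro_before, candidates):
    """Score each control and return rows sorted by net annual benefit, best first.

    Row layout: (name, risk_reduction, annual_cost, net_benefit, reduction_per_dollar).
    A negative net benefit means the control costs more per year than the risk it removes.
    """
    base = ale(sle, aro_before)
    rows = []
    for name, cost, aro_after in candidates:
        reduction = base - ale(sle, aro_after)
        rows.append((name, reduction, cost, reduction - cost, reduction / cost))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def recommend(rows):
    """Names of the controls whose yearly risk reduction exceeds their yearly cost."""
    return [r[0] for r in rows if r[3] > 0]


if __name__ == "__main__":
    ranked = evaluate(SLE, ARO_BEFORE, CANDIDATES)
    print(f"baseline ALE: ${ale(SLE, ARO_BEFORE):,.0f}")
    for name, reduction, cost, net, per_dollar in ranked:
        print(f"{name:30} reduces ${reduction:>9,.0f}  costs ${cost:>8,.0f}  "
              f"net ${net:>9,.0f}  ({per_dollar:.2f} per $)")
    print("recommended:", ", ".join(recommend(ranked)))
```

With these constructed inputs the baseline ALE is $100,000; card readers rank first on net benefit, the vestibule second, training third, and fencing is rejected because its $30,000 cost exceeds the $25,000 of risk it removes. The ratio column is the "most cost-effective" view the page refers to, and it can order controls differently from net benefit (training gives the most reduction per dollar here), which is why a budget-constrained program looks at both.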