How Physical Security Impacts Information Security

In previous articles, Castellan Information Security (Castellan) has discussed why your organization's information security program cannot simply be handed over to your IT staff or IT service provider on the assumption that your risks have then been sufficiently mitigated. It is equally critical to understand that storing your data in the cloud does not, by itself, mean you have done enough to truly protect your organization's information.

A comprehensive, enterprise-wide approach to information security must go beyond deploying a few IT countermeasures as the only strategy for addressing these real threats.

One area linked to your information security maturity that is often overlooked is how well your physical security plans align with your data protection needs. To help you better understand this convergence of information security and physical security, Castellan presents the following considerations as a starting point:

  1. Storage of Sensitive Information

Assessing where you store sensitive organizational information within your building, office space or elsewhere is a critical place to start. This applies to both digital information and to non-digital data.

  • Are servers, hard drives, laptops, mobile storage devices, filing cabinets and other information sources located in rooms that are behind appropriate 'layers' of physical security?
  • Does the lighting in these areas meet industry security standards?
  • Is sensitive information such as financial data, personnel records, intellectual property, private information, or health data stored in more secure areas of your office than other, non-sensitive data?
  • Is any sensitive information stored in an area accessible through an exterior window, door or vent?
  • What are your 'end-of-the-day' processes to ensure sensitive information is properly put away and secured after hours or during departures from the office?

  2. Locks, Doors, Windows and Cabinets

It is imperative for organizations to invest in sufficient storage equipment and appropriate infrastructure, and to implement internal processes that properly secure information assets. In most cases the investments required are not extensive:

  • Are secure filing cabinets in place and available to staff to lock up sensitive information?
  • Do the windows, doors, locks and cabinets used in areas where sensitive information is stored meet basic industry security standards?
  • Do you track and log the issuing of keys or entrance passwords to secure areas?

  3. CCTV Systems

While it is common for organizations to have CCTV systems in place, some of those systems were not implemented with information security requirements specifically in mind, and so are poorly placed to deter or support the response to a data breach. For example, it is important to ensure your CCTV system also monitors locations holding more sensitive information, such as server rooms, file storage rooms, HR offices, and safes.

  4. Access Control

Controlling access into and out of offices, buildings and specific workspaces of both internal employees and external guests is a critical starting point for an organization's overall security program. The same is true when considering how physical security measures can help develop an integrated approach to information security.

  • What measures are in place to control visitor access, such as that of contractors and delivery personnel, upon entry into the facility?
  • Are there specific controls in place to prevent unauthorized access to areas where sensitive information is stored, such as server rooms and offices where non-digital information is kept?
  • Is there a process to log visitor entry to and exit from your facilities?
  • Are visitors always required to be escorted while in the facility?

  5. Planning and Governance

Organizations should ensure that current and future information security requirements are considered when conducting physical or corporate security planning and reporting functions. For example, infrastructure design, construction, planning, and budgets must take into account information security threats, vulnerabilities and requirements to ensure digital and non-digital information is properly protected.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that has worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article, or would like to speak to us about how our services can help your company protect its information, please feel free to contact us directly at
