Physical and Personnel Security

Access controls, identification security, hiring practices,
incident reporting, integrity management and more

Protecting your people and property

Focus will be placed on examining key access controls, identification security, internal controls, hiring & background screening, incident reporting, integrity management, and other physical and personnel security linkages that directly relate to IS vulnerabilities.

The assessment of the client's physical and personnel security capacity is not intended to be an "all-encompassing" analysis of every detailed aspect of physical and personnel security. That level of analysis would be an exercise unto itself and could take away from the objective of focusing on information security. This assessment will focus on those components of physical and personnel security that affect the client's integrated information security position.

The environmental scan for the physical and personnel security section will provide a short, high-level overview of the key considerations and drivers affecting the client's current situation. This will also include a general description of the building and the surrounding areas, as well as environmental factors that could affect physical security management. In addition, this section will outline the high-level threats (internal and external) to the organization's physical and personnel security identified through the interviews and other information gathering.

Some key objectives include:

Primary

  1. Identify internal physical security controls that play a major role in protecting IS for the client and collect information that will support the identification of vulnerabilities.
  2. Identify corporate hiring and personnel management measures that are used to protect the client from risks that may impact IS.

Secondary

  1. What measures are in place to manage identification and access control?
  2. How are physical spaces such as offices, desks and storage areas managed to secure information?
  3. Does the client have the proper equipment to secure high value physical assets and information?
  4. Does the building present any fundamental vulnerabilities impacting IS?
  5. How does the client use CCTV technology?
  6. Is there a solid approach to managing keys, locks and security logs?
  7. How do previous security incidents relating to IS impact planning?
  8. What is the approach to after-hours monitoring, response and notification?
  9. Do the necessary policies and procedures relating to physical security exist?
  10. What is the client's approach to securing Intellectual Property (IP)?
  11. What is the process and approach to vetting / background checks before hiring or promotions?
  12. Does the client effectively use HR tools such as a code of conduct, conflict of interest policies, values and ethics, and professional integrity standards to help reduce risk and secure information?
  13. Are non-disclosure agreements and termination procedures in place to support IS?

Stakeholders we work with from your organization:

It is important to the data gathering process that the appropriate managers and other accountable representatives attend the data gathering meetings, so that the information required to support an effective analysis is obtained. It is recognized that certain client representatives may have multiple responsibilities and that terminology may vary; it is therefore critical to make prior preparations with the Project Lead during the Introduction meeting to ensure that representatives with the following accountabilities attend:

  • Project Lead
  • Executive Responsible for Information and/or Corporate Security
  • Chief Security Officer or Manager
  • Executive Responsible for Human Resources
  • HR representatives responsible for staffing and ethics
  • Physical Security Officers
  • Representative responsible for their Privacy Protection Program
  • Executive Responsible for Corporate Services
  • Representatives from Facilities Management
  • Representative responsible for Network, Electronic Information and Cyber Security
  • Policy Development
  • Managers responsible for hiring