Linking Physical Security & IT Security | A Plus Security

The Link Between Physical Security and IT Security

05 July 2021

In some scenarios when engaging with a new client we have found, in certain scenarios, that the link between physical security and IT security has been overlooked and has not been thought about. Without doubt, this is a two way street where IT managers has missed vulnerabilities posed by physical security, while physical security managers may not of realised the dangers posed and may have overlooked the securing of information.

With this blog, we are looking to explain the link between the two and bridge the link between the role of physical security in an IT security.

IT security management systems are essentially business management systems that aim to protect information from unauthorised access, use, modification, destruction etc. If you asked the question ‘what are IT security systems used for?’, it is fair to say that most answers would be that IT security management systems are in place to prevent hackers from gaining access to a computer or network. Whilst this is a fair and true answer it only skims the surface. An IT security management system is there to protect the integrity, confidentiality, and availability of information held. An IT management security system will protect and secure information of all types, whether it be printed, written, stored electronically, spoken, presented in video or audio format, or sent via post or email. An information management security system ensures information, no matter how it is transmitted, shared, or stored, is always protected in an appropriate manner.

Although important, the protection of information does not stop antivirus-protection software and strong firewalls, IT security also includes establishing physical security systems as well. The goal of a physical security management system, in terms of information management security, is to prevent unauthorised access, damage and interference to an organisation’s premises and information.

In establishing a physical security system for protection of an organisation’s information, the following questions should be addressed:

  • Does your organisation have a physical security policy?
  • Does this policy address the following?
  • Campus and/or Building security?
  • Floor security?
  • Room security (including data and server rooms)?
  • Asset security?
  • Are controls in place to physically protect the classification of information and information technology?
  • Are controls in place to ensure the use of appropriate identity and privilege credentials?
  • Are physical barriers present (fences, barriers, gates, walls, exterior doors, windows, interior doors)?
  • Are the physical premises monitored for fire, flood, intruders and temperature fluctuations?
  • Are appropriate controls in place to serve as physical barriers, such as vehicle barriers, access control systems and combination locks?
  • Is an adequate visitor management and staff sign in systems in place?
  • Are CCTV surveillance systems, motion detectors, proper lighting and guards (when appropriate) in place, as needed?

These are important policy questions to ask when carrying out a security review of an organisation, simple measures such as ensuring there are security controls in place on exterior doors and windows of a building go a long way in to ensuring that good physical security measures are in place. However, physical security requires further measures to ensure that information is not accessed by unauthorised parties. As an example, would it be better to label a secure room as something more non-descriptive then advertising it for what it is?

Once a security review has been carried out and the questions have been addressed and controls put in place, it is necessary to test these measures through penetration testing. Penetration tests aim at assessing the vulnerabilities of information, assets, and the physical security system. Creating and installing these new measures do not ensure that they will prevent unauthorised access and security breaches. Penetration testing can expose further errors in the physical security system, and most importantly risk associated with human error. A sophisticated physical security system is only as good as the operator so establishing any gaps and user error early and implementing a training programme will be integral to the organisations operations and security.

In order for any new controls to be successful, employees must understand the controls and why they have been established, usually this would be carried out via a training plan to ensure the education, information and awareness of the employees. To ensure the controls and measures are continually met, penetration tests should be carried out regularly. Penetration tests attempt to breach the physical security system in ways which should be prevented by the controls and measures that have been put in place.

One example of a penetration test would be to have an external specialist outside of the organisation attempt to gain access to the organisation’s secured information. This individual would pose as an engineer or technician and would be under the guise of carrying out simple task like testing certain services like electrics or air conditioning and once within the premises would then attempts to access secure information held by the organisation.

A good system would be able to stop this individual at the early stages of entry. For example, a secure, entry and exit card reader would prevent the individual from entering the premises without the necessary access rights. However, this is not always the case and the individual, dressed in a engineers outfit may be able to utilise a staff member to gain access and in turn user error by not challenging the individual on their access privileges or permits to work in that area. This pretence often fools employees into being more than willing to assist the technician to complete his tasks and therefore assisting them in access to secured areas of the organisation.

When penetration test are carried out, weaknesses and vulnerabilities are exposed. As stated, these weaknesses and vulnerabilities often exist as a result of human error. In all forms of risk management, whether it be IT or physical security risk management, employees or human factors are the ultimate source of risk. To merge the physical and IT security elements into a successful system, measures must be taken to reduce human error and its associated risk. This can be possible if sufficient effort is put into raising the level of awareness of the organisation’s security policies and procedures and staff training to minimise human-factor risks.

Both information and physical security managers should develop training sessions tailored to the responsibilities of employees and which highlight vulnerabilities such as those revealed by penetration testing results. Successful training will ensure a culture of risk management regarding both physical and IT security, and that employees consider the risks their actions often pose to the organisation.

It is important to stress the importance of the unification of IT security policies and physical security policies. In order for an organisation to protect one of its most important assets, information, that unity between the two disciplines is necessary. Through penetration testing, education and awareness, when necessary, security managers can ensure the well-being of the information, staff, and assets held by the organisation.

Are you interested in linking your physical security and IT security? Contact our experts here or call us on 01702 293157.

The Link Between Physical Security and IT Security

What other
clients have to
say about us

A Plus provides an excellent return on investment, not just through the solution installed, but the general experience they offer from pre-install to post-install and right through to the maintenance of the system. We knew we had made the right decision with A Plus as they offered a comprehensive and detailed proposal and project plan. The skill level of their engineers was a pleasant surprise with their knowledge of IT and networks, as well as electronic security, which made dealing with our internal IT team very smooth. Apart from that, the fact we never had to chase them for anything was a very nice surprise!

ACS International Schools

We needed to roll out the new system throughout Scotland, London and Europe which was very challenging. A Plus and their advice and flexibility made this process much easier for the whole project team. The one to one dialogue and personal service has been excellent. We can speak to a familiar voice at any time, morning and night which has exceeded our expectations. Since the project roll out was completed, we have been able to centrally control the physical security of the Government’s Estates seamlessly. The process Is now simpler which has led to better productivity.

The Scottish Government