Don’t forget physical security. There are a number of aspects that you need to keep in mind, including the security of server rooms and data centers, access to office space, and verifying that security controls actually work. Thieves will target hardware: two incidents I’m familiar with involve one case where the alarms weren’t working, and another where, in broad daylight, criminals waltzed in past the building reception desk and walked out with servers. There have also been some high-profile incidents in the press, such as this one here.
There are a number of simple questions to ask when thinking about physical security: Does the business share building space with other organisations? How frequently are physical controls tested? Is there a suitably descriptive SLA in place with third-party security firms? What restrictions are in place for accessing server rooms and data centers, and is access to these sensitive areas properly authorised and monitored?
Keep in mind that assets do not necessarily need to be of high value before someone will steal them. If you leave the door open, you’ll be inviting in the crooks.
You also need to remember that physical security controls do not just apply to hardware assets within the premises. Backup tapes being transported off-site can also be vulnerable, so make sure they are encrypted. Mobile computing devices are particularly vulnerable.
Your information security program needs to include an assessment of physical security controls, even if you’re not the person responsible for it. Don’t be afraid to highlight concerns. And always check. I checked and found a server room side-door “locked” using sticky tape and a well-placed cardboard box... it’s true!