Maintaining the physical security of your company is an enormous responsibility with a number of components. There’s the simplest form of security: who can get in and out of the building. But that can be broken down into who has access to each floor and what equipment. When it comes to physical access to computers, hardware, networks, and equipment facilities, physical access can quickly cause data security breaches. These concerns span many departments, all of which need to coordinate in order for the company’s security to be sound. It can be hard to decipher the main person who is responsible for physical security. Depending on the unique organization of a company, there may be no one single answer.
In most companies, many aspects of physical security planning are the responsibility of designated security personnel. These employees oversee the flow of people coming in and out of the building and monitor and assess security threats. They’re the people who might greet you when you enter the building or who you call should someone become hostile. These are some of the aspects of physical security they might handle.
Physical barriers are the first defense against intruders and security threats. Requiring a code, key card, or ID to enter the building will control who can get in. It’s the first step to making your building more physically secure.
One of the most common and effective ways to monitor the activity within a company building is through a closed circuit television system (or CCTV).
Alarm systems are standard in most large corporate buildings. They help alert the responsible person for physical security when an area has been accessed without authorization, and can even be set to alert the police. They set emergency procedures in motion, which can be helpful in situations prone to panic.
It goes without saying that areas containing certain sensitive information should have a carefully vetted list of employees who can access it.
It’s better to have a locked closet than to allow just anyone to wander in and adjust controls.
This creates another level of security that can slow down or stop an intruder and mitigate the risk of an internal security breach that might occur when an employee goes snooping where they’re not needed.
A master key grants access that you don’t want falling into the wrong hands. Keep it locked in a secure place at all times, and don’t let anyone know about it that doesn’t need to know.
This may seem like a small thing, but security risks can arise when sensitive information is thrown in the trash which is left accessible to wandering eyes. Ensuring each trash receptacle is emptied at the end of the workday can mitigate this risk. If trash cans are empty when employees stay late to work alone, there’s less opportunity for searching.
Having a server room that isn’t highly restricted leaves you open to hacks that can bring down your entire network. Server rooms should have restricted access granted only to very limited authorized personnel with key card access, an alarm system, and no windows.
A human resources representative will be responsible for doing a background check and taking other measures to make sure prospective employees won’t be a risk to the company.
“I didn’t know” should never be an excuse. Before an employee is granted access to any sensitive information, they should be trained extensively in how to handle it, policies regarding confidentiality, the importance of keeping sensitive information private, and how to properly destroy it. New employees should sign an agreement stating that they’ve been trained as well.
HR will also deal with the aftermath of security breaches.
The human resources department should work closely with the IT department to develop procedures regarding the physical security of computers, hard drives, server rooms, and other tools that contain sensitive information.
Every company should have a standardized policy (that all employees are trained in) for the handling of sensitive information. There should be a chain of command for who signs off on authorizing new people to access to certain information. There should be procedures for destroying different types of information, such as shredding documents or clearing computers of former employees.
Each human resources department may not have the technical knowledge to develop adequate procedures for
HR and IT departments should work closely to develop procedures for keeping sensitive information secure when in transit between clients, offices or employees.
This is a widely accepted practice that heightens the security of email systems, computers and other high-value targets.
Again there should be a chain of command and documentation of procedures done whenever developers want to make changes to software.