
Security Program for Icarus Incorporated

Physical Security


Physical security is a plan or strategy designed to protect employees and facilities from physical events that cause harm. Physical events include burglaries, hacking and malware, and natural disasters like fires. The aim of physical security is to place multiple layers of access control before anyone can gain access to company property or information. Threats to physical security could be external, arising from entities outside the company, or internal, arising from employees and other members of staff.

Site Controls.

The facility is surrounded by a 10-ft high wall with a 5000-volt electric fence at the top of the wall. Several CCTV cameras have been placed around the compound at strategic locations with overlapping fields of view to avoid creating blind spots. The main security desk is located at the front gate of the company. There are ten security guards in the compound, two of whom are found inside the security office at any given time. The front gate is divided into two sections: the large side gate for vehicle entry with self-rising bollards installed several feet away, lowered by security staff upon clearance, and a turnstile gate for access to the facility on foot. Another gate is located at the back of the facility on the opposite end of the main gate for commercial deliveries and has the same security features as the main gate. Security personnel have the right to search through vehicles and personal items for weapons. Body scanners are installed for non-intrusive full-body scans. Entry for bearers of arms will be restricted (Robert, n.d.).

The main entrance to the main office building is a biometrically activated turnstile that uses employee keycards or facial features to unlock. Therefore, guests or other unknown persons must be cleared by security at the gate and provided with a guest keycard to get into the office building. The facility is awash with floodlighting for maximum visibility at night (Look, 2016). 

Office Controls.

Office hallways from the reception desk are fitted with CCTV cameras in overlapping fields of view to reduce blind spots as much as possible. The office space has been divided to include designated eating areas to avoid spills in workspaces. Sensitive offices have been fitted with biometric scanners for fingerprint verification before entry. Offices have lockable cabinets installed for storage of important physical documents (Harmening, 2013). 

The server and control rooms have a two-factor verification access system, mediated by a keycard scan and an installed CCTV camera at the door. They are both served by their own electrical circuitry to minimize security breaches during power outages. Both rooms only have one point of entry or exit, and no windows, for maximum security. Access to the server room is restricted to technical support only and is closely monitored from the control room. Unauthorized access is reported immediately for corrective action. Server rooms have sensors that turn on the light when someone is inside. Racks on which the servers are put are locked in place (Harmening, 2013).

Alarm systems are fitted throughout the company, and alarm trips send alerts to local authorities and management. Alarms are tripped through motion detectors installed throughout the company (Harmening, 2013).

Environmental Safety.

On-site fire extinguishers are placed in strategic locations and are frequently serviced by an approved body. All offices and rooms are fitted with a fire detection system. Hallways are adequately spaced to minimize the chances of a stampede in case of emergencies. Signage has been erected to direct employees through to safety in case of emergencies. The main gate serves as the emergency exit; the other emergency exit is placed at the opposite end of the wall and is manned at all times. The emergency assembly points are large spaces located very close to the main emergency exits and can accommodate between 100 and 150 members of staff during an emergency (OSHA, 2008).

Information Security

Legal and Ethical Issues in Security Management

Information security policies protect the company’s assets from the disruption of operations, data modification, or disclosure of confidential information. Information risk arises from physical damage to data storage equipment, intentional or unintentional human activity, faulty equipment, internal or external attacks such as virus attacks, loss and misuse of data, and application error. The main objectives of information security are to maintain confidentiality, integrity and availability of data (Bhaskar & Kapoor, 2013).

Physical Security.

Staff members are supposed to use standard issue devices given to them by the company and are not allowed to use personal devices for work purposes. IT staff have the responsibility to ensure periodic software updates to devices in use in the company. All devices must have professional-grade antivirus installed and regularly updated with the latest security patches. All software installations can only occur through appropriate permission or supervision by the IT team (Look, 2016). 

All company laptops are to remain within company premises unless there is a need for an employee to go home with them, in which case extra care should be taken by the employee to ensure the security of their device. The use of unauthorized storage devices such as USB drives and hard disks is prohibited. Standard issue storage devices from IT will be used for the purpose of external storage (Harmening, 2013). 

All employees should take responsibility for their devices. Personal devices should not be left unlocked, and employees should not leave their workstations while their sessions are still logged on. Passwords should be changed as frequently as necessary; company policy dictates at least once every month. Standard BitLocker encryption shall be applied to some laptops, external hard disks and USB devices as advised by the IT team, or depending on the sensitivity of information access level. Storage devices should not be left unattended (Harmening, 2013).

Employees are encouraged to use the designated meal areas for meals or drinks to avoid damaging computer components. All desktop devices should be connected to an uninterruptible power supply to protect computers from short circuits during power surges. Safe wiring should be implemented, and as dictated by safety regulations, all wiring should be well hidden and insulated to avoid electrocution risks, tripping or damage to devices (Hutter, 2019).

As indicated above, server rooms shall remain locked and only accessible to the IT team. Servers shall remain locked in place on their racks. 

Security on the Internet.

All official internal work communication should only be carried out through work email addresses with the right domain and format, team chats on Hangouts, and written and signed-off documents. Communication through social media or other social networking platforms outside the scope mentioned before is not considered official. Downloading attachments from unknown email sources is prohibited (Alhassan & Adjei-Quaye, 2017).

Every employee has to secure their login information on the intranet. No one should log in to anyone else’s intranet session or page at any given time for any reason whatsoever. No employee should click on suspicious links in text messages, email or any other platform. The IT team shall conduct training on internet safety on a quarterly basis. Phishing drills are conducted randomly to test employee alertness and preparedness for phishing attempts. All phishing emails should be reported to the IT team immediately. Wi-Fi and local area connections are restricted to employees within the company. Certain websites are banned and cannot be visited while using the company’s network. Decisions to ban websites can be revised upon consultation and approval by the IT team. Using the company’s internet to access the dark web or dark web content is expressly banned. Downloading any freeware from the internet is not allowed. Up-to-date firewalls shall be in place while using the internet for any reason whatsoever (Chapple et al., 2018).

File and Database Security


The company maintains an elaborate database management system, with access controls to restrict the content and information available to various employees depending on their rank. Employees should report loopholes and exceptions to access levels to the IT team for ratification and correction. Passwords should be treated as confidential, and there are no overruling exceptions or circumstances. Sensitive or confidential information shall not be stored on devices with a direct internet connection (National Center of Incident Readiness and Strategy for Cybersecurity, 2017). Paper records are sorted into files, accurately labeled and stored in cabinets in a locked room.

Personnel Security

Employees are the last line of defense in ensuring security in the company and are, unfortunately, its weakest link. 

Job Description.

Employees are hired based on the need of the company to incorporate their specific skillset to achieve a specific objective. Job descriptions are written by companies to clearly set out the powers and responsibilities of individuals in certain positions in the company (Chapple et al., 2018). All employees’ duties are clearly defined in all workstations in the company. The HR department shall conduct job evaluations for every individual in the company and highlight their specific roles and responsibilities. Employees with sufficiently overlapping job roles will have those roles divided among new recruits to reduce collusion (Chapple et al., 2018).

The HR department shall be responsible for evaluating job roles that can be handled on a rotational roster and will work with the departments to create and effectively implement said roster. HR shall also closely monitor the cross-training schedule in the various departments and ensure that every department member can adequately handle multiple tasks in that department (Chapple et al., 2018).

Hiring and Firing Process.

The HR department, through the security department, shall conduct thorough background checks on potential recruits. Each potential employee should provide details about criminal records, education credentials and experience validation. If necessary, the department shall partner with law enforcement agencies to make a complete criminal record check for potential employees. Depending on the job level, employing ex-offenders released from incarceration due to presidential pardon, good behavior release, or other legal arrangements is subject to the approval of a majority seating of the board of executive directors. For all intents and purposes, the HR and security departments shall be at liberty to contact companies listed in a potential employee’s work experience and references provided and make an unbiased decision for their employment. They shall also be at liberty to ask for additional documentation necessary to the job, such as drug tests (Chapple et al., 2018).

The HR department shall be in charge of developing and making annual reviews of the employment agreement and policies. Reviews of the documents must be presented to the executive directors and legal team for approval. The document should clearly indicate the terms of employment, job description, the company security policy, infractions and consequences, and the nondisclosure agreement. All new recruits will be required to read and understand the implications of the agreements and policies (Chapple et al., 2018).

Recruits shall be adequately trained on the company policies and agreements signed at the beginning of their employment. The onboarding process shall be well documented and include all company articles given to an employee at the beginning of their employment. These documents shall be presented to the HR department for filing and archiving. Independent departments shall be in charge of ensuring recruits are sufficiently trained and accustomed to organizational culture. Employee indiscipline and breach of contract terms shall be handled as soon as possible, with the necessary consequences applied for each offense (Chapple et al., 2018). 

Termination of employees shall be conducted in a humane manner. Employees whose contract is terminated for whatever reason will return the articles given to them from various departments against the document of issuance at the beginning of their employment. Termination will occur in the HR’s office with at least one other witness from the management team. The HR shall collaborate with the IT team to remove biometric traces of the terminated employee from access points. This includes deleting all facial recognition, thumbprints or retinal scans. The IT department shall also ensure the deletion of the former employee’s login credentials and user accounts from the company’s computers, intranet and database. Keycards shall also be returned to the HR department. The security department and IT team shall also accompany the employee to their home to ascertain the absence of company information from their devices. All this information will be part of the employment agreement (Chapple et al., 2018). 

After termination, security shall accompany the former employee as they collect their belongings. Former employees will not be allowed to walk on company premises without a security escort. HR shall ensure that adequate and due compensation is given to the former employee. The same offboarding process shall be applied to resigning and retiring staff members (Chapple et al., 2018).



Without proper security management, a company can suffer losses through property damage, data breaches and leaks, or heavy lawsuits due to employer negligence and unsafe working conditions. Being aware of risks and preparing for them helps in reducing these losses. Developing and adhering to a company security program will assist in keeping everyone safe by reducing individual harm, destruction of property, and unnecessary loss of data or information.



Alhassan, M. M., & Adjei-Quaye, A. (2017). Information Security in an Organization. International Journal of Computer (IJC), January.

Bhaskar, R., & Kapoor, B. (2013). Information technology security management. Managing Information Security, 2nd Edition, 2008, 57–74.

Chapple, M., Stewart, J. M., & Gibson, D. (2018). Personnel Security and Risk Management Concepts. CISSP, Eighth Edition, 49–96.

Harmening, J. T. (2013). Security management systems. Managing Information Security: Second Edition, 47–55.

Hutter, D. (2019). Information Security Reading Room Physical Security and Why It is Important. SANS Institute Reading Room Site.

Look, B. G. (2016). Physical security management. In Handbook of SCADA/Control Systems Security (Issue April, pp. 350–367). Routledge.

National Center of Incident Readiness and Strategy for Cybersecurity. (2017). Information Security Handbook for Network Beginners. Nisc, 36.

OSHA. (2008). Fire Protection and Applications. May.

Robert, L. (n.d.). Physical Security Handbook (PSH).
