Physical security in the office
Rebecca Herold has written an excellent list of typical physical security issues in the average office, or indeed other information-rich workplaces. She suggests conducting physical security reviews out-of-hours. I have done this kind of review hundreds of times myself, as part of "installation audits" using ISO/IEC 27002 as a benchmark for the kinds of controls expected. Doing them in the daytime or out-of-hours makes little difference - if anything, during the daytime the number of issues is magnified by the things employees typically do while at work, such as:
- Leaving work-in-progress all over their desks and screens, not just while they are actively working on it but while they go to coffee or lunch;
- Leaving desks, filing cabinets, and even safes open;
- Chatting merrily away to each other on on the phone about sensitive personal or commercial matters, with no regard to who else might be listening;
- Leaving personal stuff (mobile phones, PDAs, USB sticks, wallets/purses, home keys etc.) unattended on the desk ...
This kind of stuff makes good photographic evidence for the audit report and presentation to management, along with photos of open doors, leaky patches, overloaded wiring, poor signage, excessive flammable materials, blah blah blah.
Exposing such large amounts of valuable commercially- and personally-confidential to risk represents a substantial vulnerability to industrial espionage, sabotage, information theft, privacy, health-and-safety and more. Individually, these are mostly rather trivial issues. Collectively, however, a the risk accumulates if these matters are not brought to management's attention and proactively addressed, on an ongoing basis. The clear-desk/clear-screen policy, for example, can make a big difference ... but only if managers take the trouble to achieve conformity, not least setting a good example themselves.