Topic-specific policy 2/11: physical and environmental security

Yesterday I blogged about the "access control" topic-specific policy example in ISO/IEC 27002:2022. Today's subject is the "physical and environmental security" policy example.

Physical security controls are clearly important for tangible information assets, including IT systems and media, documentation and people - yes, people.

The first "computers" were humans who computed numbers, preparing look-up tables to set up field guns at the right elevation and azimuth angles to hit designated targets at specific ranges given the wind speed and direction, terrain and ordinance - quite a lot of factors to take into account in the field, so the pre-calculated tables helped speed and accuracy provided the gunners used them correctly anyway, and I'm sure they were highly trained and closely overseen!

Aside from a little mental arithmetic, most of us don't "compute" many numbers today but we still process staggering quantities of information flowing constantly from our senses and memories. In the work context, the trite mantra "Our people are our greatest assets" may be literally true, given the knowledge, experience, expertise and creativity of workers. We have valuable intangible proprietary and personal information locked in our heads, trade secrets, innovative ideas and more. We are information assets, although to be fair the true values vary markedly (and, yes, some are liabilities!). Why do you think some people are paid more than others?

Aside from the commercial value aspect, workers require adequate protection against unacceptable health and safety risks according to national laws and regulations. We also deserve respect, personal space, privacy, understanding, fair and reasonable compensation and so on, raising ethical and further legal or contractual obligations. 

Environmental protection ensures that workers have reasonably pleasant workplaces, partly for health and ethical reasons, partly for productivity reasons. Computer systems likewise work more reliably under manufacturer-specified ambient temperatures and require appropriate electricity supplies. The total demands for cooling and power can be significant in a large computer room or data centre. Oh and don't forget the physical security and environmental controls for portable equipment and home offices - safe storage, for instance, plus security cables, etched corporate logos, good quality power supplies and UPSs, spare batteries and more. 

Environmental controls relating to noxious by-products, greenhouse gases, dangerous emissions, excessive noise, explosive/flammable products, dangerous processes etc. are particularly important for chemical and manufacturing industries, among others ... but are they 'information security controls'? I would argue yes for some, perhaps most of them. For instance, electric valve and sluice gate controllers on a sewage treatment plant that are computerised and networked smart things are at risk from malware, hackers, inept system administration or configuration errors, software design flaws and programming bugs, mechanical problems, power glitches and more. 

So, there is clearly a wide variety of information risks and controls in this area, collectively presenting significant challenges in various organisations (e.g. an airport) and situations (e.g. on a passenger jet). 

Conversely, however, many other organisations get by with nothing special in the way of physical and environmental protection, although maybe they simply don't appreciate the risks they are implicitly accepting unless/until something goes seriously wrong, such as an office accident, theft, fire, flood or power cut. 

If you determine that a policy in this area would be worthwhile for your organisation, but don't presently have one, the SecAware "physical information security" policy template is a starting point. It doesn't attempt to cover everything, merely laying down the fundamentals that are common to most organisations as a foundation, a basis on which to build an appropriate risk management and control structure.

These are exactly the kinds of controls that I look for during computer installation audits, site security reviews etc. It's surprising how often I find basic physical security issues in otherwise well managed companies. Checking the policies in this area is just one part of the job: if I find none at all, or something rough and ready, badly worded with limited awareness and training, there's a fair chance I'll find obvious issues by simply wandering about with my eyes and ears open, camera in hand.

The SecAware physical and environmental security policy template costs $20. That's just over $2 per page of good practice guidance in that case. We charge the same flat $20 for our other topic-specific policy templates too, regardless of their length since length is not a good guide to the quality or value of a policy. If anything, shorter is better provided it covers all the essentials, and is readable. Perhaps we should trim this one back further than we did the last time we reviewed the templates.  

Tomorrow's topic is asset management.