How to Prevent Security Breaches Using Physical Safeguards
This article is part of my series on how to prevent data security breaches. Read more about how you can use administrative controls and technical safeguards to mitigate your business risk.
Preventing data breaches requires a combination of approaches to manage people, processes, and technologies and to implement robust security controls. This article addresses the physical controls that help minimize the risk of a breach. It is impossible to prevent every data breach, and attempting to do so would be cost-prohibitive. Each organization therefore needs its own risk management process to strike a balance between the controls it implements and the time, effort, and money those controls require.
Physical safeguards consist of the physical measures, business policies, procedures, and record-keeping required to protect the physical facilities and equipment of a Covered Entity (a business subject to the security policy) that contain security-sensitive information against unauthorized physical access, theft, and the other hazards identified in its risk assessment.
Facility Planning
Part of planning for physical safeguards involves protecting information systems from outside physical intrusions, such as break-ins, and from insiders who have legitimate access to some facilities but try to enter areas for which they have no access privileges. A Covered Entity should have documented and implemented policies and procedures that limit who has physical access to information systems: who may touch a system's keyboard, look at its screens, enter the server room, or take a laptop out of the workplace and into a home or car.
Datacenter construction involves complex planning to protect sensitive systems in high-security zones. Information security professionals speak of protecting sensitive systems with multiple physical security tiers. A tier is a self-contained protected area that cannot be entered from outside except through a controlled opening, such as a locked door. High-security zones are protected by several nested tiers, so that an intruder must defeat each access control in turn.
Because information systems are increasingly mobile, the premises, interior, and exterior of a "building" that contains sensitive information may include an employee's home or another structure outside the usual meaning of a workplace. The concept of a controlled facility therefore extends into these non-traditional areas, and the Covered Entity must consider physical security across its entire extended facility.
Workstation, Mobile Device Use Policies and Procedures, and BYOD
The mobile revolution has engulfed the business world. People are increasingly using tablet computers, smartphones, and other mobile devices to perform business-critical functions. At the same time, people still use PCs for much of the intensive work they do, such as writing lengthy reports, doing work that requires the use of large displays, or running processor-intensive applications. Theft and loss of mobile devices and laptops are still leading causes of data breaches. Office break-ins show that even desktop PCs and servers are vulnerable to theft. Both computers and mobile devices require protection, and the Covered Entity should have policies and procedures in place to prevent the accidental loss and theft of computing devices.
In addition, companies are increasingly embracing "bring your own device" (BYOD), a policy that permits workers to choose the mobile device on which they perform work functions. Companies may pay for such devices, subsidize their cost, or simply require employees to bear the cost themselves. BYOD advocates tout the policy's ability to increase worker productivity and acceptance, since workers use devices they like and are comfortable with. Companies that shift some or all of the cost of devices onto employees may also see savings.
On the other hand, BYOD policies bring their own security and privacy challenges that companies must consider before adopting them. Among other things, a company must have policies, procedures, and technology to secure company information stored on the devices, ensure that the devices do not introduce malware into the company's systems, ensure that they meet company security standards, register the devices, control their access to company networks, and ensure that the company can obtain access to the devices (or at least to the company data on them) in the event of an eDiscovery request or upon termination of the worker.
Physical Safeguards Around Workstations
Workstation security involves the Covered Entity assessing and managing the risk of what work is being done and where. Administrative and technical safeguards may be taken into account when a Covered Entity determines the overall risk that a particular location poses. Partitions and the layout of the workstation area may reduce the risk of unauthorized viewing of information on screens, and cable locks may prevent visitors from walking off with devices.
Strong authentication, encryption, and software access controls may partly compensate for weak physical security. Laptops and other mobile devices often carry these technical safeguards to protect confidentiality, but they have limits: full-disk encryption protects the data on a stolen laptop only if the attacker cannot recover the key, so the device should be powered off or fully locked, not merely asleep with the volume still mounted, when it leaves the controlled facility.
Inventory and Media Control and Disposal
The Covered Entity should inventory and track the devices under its control. Without knowing what devices it has, it cannot tell when personnel or outsiders remove a device without authorization, and the loss goes undetected. A current inventory, reconciled regularly against what is actually observed on the network or in the management system, lets the Covered Entity notice missing or unknown devices and investigate the discrepancies.
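The reconciliation described above, as an added example that is not part of the original article: an asset register is compared with the serial numbers reported by a device-management or network-access sweep, devices not seen for longer than a threshold are flagged as missing, and serials that appear in the sweep but not in the register are flagged as unknown. The register entries, the observed serials, and the field names are constructed for the example.

```python
"""Reconcile an asset register against devices actually observed.

Added example, not code from the original article. INVENTORY stands in
for the Covered Entity's asset register and OBSERVED for the serial
numbers an MDM or NAC export reports in the current sweep; both are
constructed here so the script runs offline.
"""
from datetime import date, timedelta

# Constructed asset register: asset tag -> device record.
INVENTORY = {
    "LT-0412": {"serial": "5CG9123ABC", "owner": "alice", "last_seen": date(2024, 3, 1)},
    "LT-0413": {"serial": "5CG9123ABD", "owner": "bob", "last_seen": date(2024, 1, 10)},
    "WS-0099": {"serial": "MXL2045XYZ", "owner": "lab", "last_seen": date(2024, 3, 2)},
}

# Constructed serial numbers seen by the management system today.
OBSERVED = {"5CG9123ABC", "MXL2045XYZ", "UNKNOWN9999"}


def reconcile(inventory, observed_serials, today, max_age_days=30):
    """Return (updated_inventory, missing_tags, unknown_serials).

    - A device whose serial was observed gets last_seen bumped to today.
    - A device not observed and not seen within max_age_days is reported
      as missing so someone can investigate before it is written off.
    - A serial observed but absent from the register is reported as
      unknown: it may be a personal (BYOD) device or a misregistered asset.
    The input register is not mutated.
    """
    updated = {tag: dict(rec) for tag, rec in inventory.items()}
    known_serials = {rec["serial"] for rec in inventory.values()}
    cutoff = today - timedelta(days=max_age_days)

    missing = []
    for tag, rec in sorted(updated.items()):
        if rec["serial"] in observed_serials:
            rec["last_seen"] = today
        elif rec["last_seen"] < cutoff:
            missing.append(tag)

    unknown = sorted(observed_serials - known_serials)
    return updated, missing, unknown


def report(today=date(2024, 3, 3)):
    """Run the reconciliation on the constructed data and summarize it."""
    updated, missing, unknown = reconcile(INVENTORY, OBSERVED, today)
    for tag in missing:
        rec = INVENTORY[tag]
        print(f"MISSING {tag} ({rec['serial']}, owner {rec['owner']}), "
              f"last seen {rec['last_seen']}")
    for serial in unknown:
        print(f"UNKNOWN device on network: serial {serial}")
    return missing, unknown


if __name__ == "__main__":
    report()
```

Run as-is it flags LT-0413 (last seen 10 January, not in the 3 March sweep) as missing and UNKNOWN9999 as an unregistered device. In practice the observed set would come from the MDM or switch-port inventory, and the threshold would be shorter for laptops that are expected to check in daily than for lab equipment.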
The Covered Entity should have policies and procedures to ensure that security-sensitive information on hardware or electronic media is in fact destroyed before disposal. "Disposal" includes reusing a piece of hardware for applications that do not require access to security-sensitive information. All security-sensitive information should be erased before reuse or disposal. When erasure is impractical, as with a CD-ROM, the Covered Entity should physically destroy the media.
One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed security-sensitive information. Simple file deletion generally removes only the directory entry, not the data blocks, and many utilities can recover the files. The Covered Entity should use a secure data destruction method to cleanse storage media before reuse, and should verify the result rather than assume it. Overwriting files is adequate for magnetic disks but not for flash storage (SSDs, phones, USB sticks), where wear levelling leaves copies of old blocks the operating system cannot address; for those, use the drive's built-in secure-erase command or cryptographic erase of a fully encrypted volume, or destroy the media.