The first line of defense in physical security is usually the deployment of various types of locks on the doors of any rooms that house computer and telecommunications equipment. These rooms include the main computer room, wiring closets, and rooms where file servers, gateways, routers, and other devices are located.

Conventional keys can still be one of the most effective means of controlling access to restricted rooms. It is imperative that a highly trusted member of management, preferably the organization's security officer or designated subordinate, be responsible for issuing all keys, contracting with vendors to install new and replacement locks and make replacement keys, maintaining an inventory of all keys and the individuals to whom the keys are issued, and ensuring that all spare keys are properly secured. If keys are not properly controlled, conventional locks can provide only a false sense of security. For example, unauthorized access to computer equipment could be gained by custodians, former employees, transferred employees who no longer require access as part of their normal duties, and former security guards.

Vendors can manufacture various types of keys. In many buildings, vendors create separate keys for each door. They are also able to make "master" keys that can open all the doors in a certain area, floor, or building, even though each door lock requires a unique "regular" key. In cases in which there are multiple locations, ...
