Chapter 9. Physical Security

The security team is responsible for identifying and analyzing possible threats and vulnerabilities and recommending appropriate countermeasures to increase the overall security of a department or the organization as a whole. Physical security is often a feature of regulatory compliance regimes and vendor assessment questionnaires, as well as materially impacting the security of the systems and data that you are tasked with protecting. For this reason, it’s a good idea to have at least a high-level understanding of physical security approaches, even if (especially in larger organizations) it is often dealt with by the facilities department and thus beyond the remit of the information security team. Physical security should be included in any internal assessments, as well as being in scope for penetration tests.

The goal of physical security is to prevent an attacker from circumventing the controls that protect your systems and data. As is the case with other aspects of information security, physical security should be applied as defense in depth. It is commonly broken into two areas: physical and operational. The physical element covers controls like door locks and cameras, while the operational side covers employee access, visitor access, and training, to give a few examples.

In this chapter, you will learn how to manage both the physical and operational aspects of physical security within your environment.

Physical

First and foremost, physical security is about managing the physical ...
