Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Considerations

    • Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
    • Any remote communication on physical security should be done over secured channels from a private space.
    • It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

    As part of your first day, have your point of contact walk you around the office. This is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and lying out on desks as you walk around. Note as well the location of, and access to, components such as servers and networking components. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction; refrain from this and, if needed, consider a more "neutral" note-taking process by integrating the Office Mapping activity.

    If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact give the tour over a video call. You will want the entire staff to be aware of this activity and to know the person who is walking around the office. This requires sufficient bandwidth (unmetered or low-cost) for a 1-hour video call. The call could be scheduled for before or after office hours, both to discover how devices are left overnight and to reduce the impact on the network.

    Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, and can unintentionally embarrass specific staff members in the eyes of the point of contact. It is not recommended except for organizations that have already received training, have worked on improving their physical/operational security practices, and face an active adversary. Such a tour could take place before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day: Are desktops and laptops unsecured, still on, or logged in? Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Recommendation

    Office Equipment is unsecured against burglary

    Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network components and servers should be limited, and devices should be secured when not in use.

    In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

    Secure Devices

    Lock all easily portable items in desks or secure them with security cables

    Any device that connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, and other storage media) should be secured when not in use, ideally out of sight, such as in a locked cabinet or desk drawer, to prevent theft and discourage seizure.

    Follow the Device Assessment guidelines on drive encryption.

    Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

    Place core network components and servers in a locked space.

    Direct access to servers and network components such as routers, cable modems, patch panels and switches provides an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. It is critical not only that these are physically protected, but also that there are organizational policies around which staff have access to them: a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

    De-activate unused network ports

    Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed, is recommended.