Summary

This activity seeks to identify physical vulnerabilities that could affect an organization's information security by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby or shared office spaces.

This can be done in person, either independently or alongside the "Guided Tour" activity. It can also be done in advance of an assessment, or remotely, by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This also makes it suitable for multi-office or home-office environments where the auditor is unable to visit every location.

Considerations

    • Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
    • The location of certain high-value assets is highly sensitive, and may be controlled/secret information. Handle with care when discussing with the organization, and if conducting this remotely/in advance, ensure the point of contact can handle and destroy the data responsibly.
    • If using drawing software, note that free online tools upload the drawing to a third party's servers and could easily leave sensitive data exposed. Offline tools such as LibreOffice Draw, Pencil, or even Microsoft PowerPoint or Visio all work, but the resulting file should be securely stored and deleted when no longer needed.
    • Any photos taken (of the map drawing or of specific office areas/rooms) should be taken using a secure camera app such as ObscuraCam and securely deleted once they are no longer needed.
    • It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

    Walk around the office and draw a map of the floor plan (do not rely upon memory). Consider taking photos of specific areas (e.g. confusing layouts or areas difficult to capture in a drawing). Note where intruders could gain access to the office, where sensitive data may live (in the executive director's desk, in a storage closet, on devices), and other relevant items. Also note the overall privacy that the office provides (is it a shared office space, a shared building, etc.?).

    Note the locations of any of the following that apply:

    • Office rooms and storage:

      • Meeting rooms
      • Staff offices/desks
      • Paper File Storage, such as human resources and financial records storage
      • Closets
      • Safe room
      • Main entry to office
      • Additional Entry/Exit doors
      • Windows accessible to the outside (terraces, ground floor, etc.)
      • Fire escapes
      • Basement/Roof access
    • People (staffing varies widely, adapt as relevant)

      • Executive Director
      • Other directors
      • Financial lead
      • Human resources lead
      • Team leads
      • Office admin
      • IT staff
      • Additional staff
    • Infrastructure and Devices:

      • Fuse box / electricity mains
      • Cable/DSL modem
      • Router / network switch
      • Wi-Fi access points and "repeaters"
      • Printers/scanners
      • Paper shredder
      • Servers (fileserver, email, backup, etc.) and/or desktop/tower computers (which never leave the office)
      • Digital backups (tape drives, hard drives, "time machines" etc.)

    If doing this activity remotely and/or in advance of an audit, it may be useful to have multiple staff members independently draw maps and to provide the organization with additional guiding questions:

    • If you were playing hide and seek in the office, where would be the best place to hide? How do people enter and exit, and where do they store things (closets, etc.)?
    • What is near the office? Is it in a shared/open/co-working space? Is it in an office building? A home? An apartment? What floor of the building is the office on? What else is nearby (other offices, residential buildings, restaurants/cafes)?
    • If you discovered your office had been broken into, where or how would you first guess the burglar got in?