Summary

This activity helps identify potential physical security concerns at an organization, particularly when the auditor cannot travel to the office or cannot visit every office location. The scavenger hunt approach involves the organization's own staff in mapping out potential threats by abstracting and gamifying the physical security mapping process. See the "Risk Hunting" exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

Considerations

    • Any credentials found during the process (for example, passwords written on paper) should be treated as compromised and reset.
    • Any photos taken (of the map drawing or of specific office areas/rooms) should be securely deleted afterwards, or taken with a secure camera app such as ObscuraCam. Photos of keys in particular can be used to duplicate the key. The instructions below use paper notepads rather than photos to track concerns; this reduces the risk, though the results may be less vivid.
    • Any physical notes taken on physical security should be destroyed once the findings have been communicated. Digital notes should be handled in line with overall SAFETAG standards.
    • The location of certain high-value assets is highly sensitive, and may be controlled or secret information. Handle it with care when discussing it with the organization, and if conducting this remotely or in advance, ensure the point of contact can handle and destroy the data responsibly.
    • SAFETAG is focused only on the digital impacts of physical security. This activity does not provide a full physical security assessment.

Walkthrough

    The auditor should first meet with the facilitator (possibly over secure video chat) to brief them on the activity and map out potential challenges (particularly around trust, organizational hierarchies, and any potential repercussions for staff whose practices are identified).

    The auditor then prepares a checklist of physical vulnerabilities with the facilitator, based on the current understanding of the organization's assets and the context it operates in. The auditor, facilitator, and organization point of contact should decide whether any areas are "off limits." Note that the following is only a list of suggestions. As with the "Risk Hunting" exercise in SaferJourno, it should be modified to fit the requirements, assets, and threats the organization faces:

    • Open windows.
    • Doors with the key left hanging in the lock, and unlocked doors to secure areas.
    • Unlocked access to networking equipment: routers, Wi-Fi access points, modems/cable modems, servers.
    • Unsecured laptop(s) (e.g. no locked cabinet for overnight storage, no cable lock).
    • Computer left unattended and unlocked with Outlook, Gmail, Skype, or another communication application open and visible.
    • Wires or cables for devices strewn across the floor where someone would have to step over them.
    • Portable backup drives, USB sticks, and/or other external hard drives left on desks or plugged into computers.
    • Passwords written on a "sticky note" or other paper taped to a monitor or to the surface of a desk.
    • Smartphones, cameras, or other valuable devices left unattended.

    At the organization, the facilitator explains the activity to the staff. To balance the need for consent against the benefit of seeing actual daily practices that may need improvement, staff should already know that examining physical devices is within the audit's scope, but not the specifics of this activity. Staff are given the chance to identify and fix problems at their own desks before anyone else looks.

    • Each staff member gets paper and a pen to note the physical vulnerabilities they notice (cameras or phone cameras can also be used; note the operational security considerations listed above).
    • Each vulnerability noted earns the staff member a point. The facilitator should encourage staff to also look for vulnerabilities that are not on the list; for those, the facilitator can award a point if the finder can explain how the vulnerability would realistically be exploited.
    • If possible, a prize should be provided to the "winner" with the most points.
    • Staff first check their own desks, for 5-10 minutes total:

      • Review the physical security of their work space.
      • Take pictures or notes on their findings.
      • Fix each vulnerability they found.
      • Report back to the facilitator.
    • Staff then spend 15 minutes on the entire office space to:

      • Review the physical security of other desks, meeting rooms, shared spaces, etc.
      • Take pictures or notes on their findings without touching anything.
      • Report back to the facilitator.
    • Debrief:

      • After the "hunt" time is up, the facilitator gathers the staff back together.
      • The facilitator collects the notes and reviews them quickly for any high-risk or embarrassing findings. If any exist, the facilitator should privately ask the finder not to raise them in the group discussion; they still reach the auditor through the combined notes.
      • The facilitator can lead a discussion on interesting findings, but should focus on moving towards changes in practice and policy for the organization to consider.
      • If possible, quickly calculate scores and announce the winner.
    • Reporting:

      • The facilitator should combine the notes, communicate them securely to the auditor, and then securely destroy the notes.