- Who has physical access to what? When are devices not monitored by trusted staff?
- Who has independent access to the office space?
- How could adversaries gain access? (forced entry, theft, social engineering, seizure)
- How are daily devices used and stored -- where are they when employees go home?
- Where are the servers and network components that host and manage the organizations assets? Are there active network jacks that are unused, are they in public spaces, are they in places where people would not notice if there was somthing plugged into them?
- How is data accessed and stored outside of the organization's main offices/workspaces?
- Do staff travel with organizational information?
- How are backups managed? Where are they stored?
- Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
- Note relevant laws regarding wireless signal monitoring.
- Ensure and mapping tools used do not themselves leak or share data
- Notes on specific unsecured workstations, smartphones/tablets, and digital storage media.
- Exposed network devices, servers, and network jacks.
- The reach of the wireless network(s) outside of the physically controlled office space, and how easy it is to identify it as connected to the organization.
- Access controls to the office
- Travel policies and practices
- Remote work and other external / non-organizational device access to organizational data.
- Depending on the risk level of the organization, observations on digital media (USB sticks) and digitally-related items (print-outs)
- Office Map with potential vulnerable locations and the extent of wifi access outside of the controlled office space.
- Discussion of potential risks associated with broadcast wireless data.
- Document potential, but relevant vulnerabilities to the organization's information security based on physical aspects -- e.g. unencrypted devices which could be stolen, written passwords, or even wireless network metadata.
Guided Tour_During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.
Operational Security Survey_This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote…
Office Mapping_This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the…
Scavenger Hunt_This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to…
Monitor Open Wireless Traffic_It can be valuable to to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the…
Wireless Range Mapping_This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's…
A Day in the Life_The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software…
A Night in the Life_The auditor interviews the staff about their practices, personal devices, software and other security capabilities that they use outside of…
References and resources for Physical and Operational Security
- Guide: "Step Zero: The Go / Don't Go Decision" (Level-Up)
- Standard: "PGP and Other Alternatives" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
- Guide: "Participant Security" (SaferJourno)
- Guide: Operational Security Management in Violent Environments
- Guide: "Workbook on Security: Practical Steps for Human Rights Defender at Risk" (Frontline Defenders)
- Guide: "Protect your Information from Physical Threats" (Frontline Defenders)