Physical and Operational Security

Summary

This methodology focuses on how to mitigate threats that arise from the arrangement of digital assets in the physical world: how secure the devices at an organization's office are, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?

Purpose

While the SAFETAG framework is focused on the security of data, the physicality of devices, backup drives, servers, and even hard-wired networks cannot be overlooked.

For many organizations, digital threats that depend on physical access are considered the least probable, so much so that many security specialists concede that there is no proper defense against an attacker with physical access to sensitive hardware. While there is some truth to this, it is not useful advice for small-scale civil society organizations or independent media houses. The risks that advocacy and media organizations face are far more varied, and the cost of lost information can be crippling to their ability to operate.

Depending on the specific threats for each organization, the auditor should consider not only one-time exfiltration of data but also the ways an adversary could use physical access or proximity to the organization or its devices to gain ongoing remote access, to track the organization, or to cause harm through the outright destruction of data.

Guiding Questions

    • Who has physical access to what? When are devices not monitored by trusted staff?
    • Who has independent access to the office space?
    • How could adversaries gain access? (forced entry, theft, social engineering, seizure)
    • How are daily devices used and stored -- where are they when employees go home?
    • Where are the servers and network components that host and manage the organization's assets? Are there active network jacks that are unused? Are they in public spaces, or in places where people would not notice if something was plugged into them?
    • How is data accessed and stored outside of the organization's main offices/workspaces?
    • Do staff travel with organizational information?
    • How are backups managed? Where are they stored?

Operational Security

  • Any paper notes taken on physical security should be destroyed once transcribed. Digital notes should be kept in line with overall SAFETAG standards.
  • Note relevant laws regarding wireless signal monitoring before surveying the wireless environment.
  • Ensure any mapping tools used do not themselves leak or share data (e.g. by uploading survey results to a third-party service).

Outputs

    • Notes on specific unsecured workstations, smartphones/tablets, and digital storage media.
    • Exposed network devices, servers, and network jacks.
    • The reach of the wireless network(s) outside of the physically controlled office space, and how easy it is to identify it as connected to the organization.
    • Access controls to the office
    • Travel policies and practices
    • Remote work and other external / non-organizational device access to organizational data.
    • Depending on the risk level of the organization, observations on removable digital media (USB sticks) and on paper that carries digital information (print-outs).
    • Office Map with potential vulnerable locations and the extent of wifi access outside of the controlled office space.
    • Discussion of potential risks associated with broadcast wireless data.
    • Document potential but relevant vulnerabilities to the organization's information security based on physical aspects -- e.g. unencrypted devices which could be stolen, written-down passwords, or even wireless network metadata.
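The two wireless outputs above (the reach of the office network outside the controlled space, and how easily it can be tied to the organization) can be worked out from survey notes taken at a few points inside and outside the office. The script below is an added example and is not part of SAFETAG or its tooling: it parses constructed survey records in the shape "point bssid signal_dBm ssid", treats a list of BSSIDs from the auditor's assumed access point inventory as the office's own networks, and reports which of those are usable from outside and which SSIDs name the organization. The organization name "ExampleMedia", the survey points, the BSSIDs and the signal values are all invented for illustration, and the -75 dBm usability threshold is an assumption. Everything runs offline, in line with the operational security note about mapping tools not leaking data.

```python
"""Wireless reach survey analyzer (added example, not SAFETAG's own code).

Given survey notes recorded at several points (inside the office, on the
street, at a neighbour's door), report which office access points are
usable from outside the controlled space and whether their SSIDs make
the organization identifiable. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed survey notes: one record per observed BSS at each survey point,
# "<point> <bssid> <signal dBm> <ssid>". Values are invented for the example.
SURVEY = """\
inside    aa:bb:cc:00:00:01 -35 ExampleMedia-Staff
inside    aa:bb:cc:00:00:02 -40 ExampleMedia-Guest
inside    de:ad:be:ef:00:01 -70 Cafe Free WiFi
street    aa:bb:cc:00:00:01 -62 ExampleMedia-Staff
street    aa:bb:cc:00:00:02 -58 ExampleMedia-Guest
street    de:ad:be:ef:00:01 -55 Cafe Free WiFi
neighbour aa:bb:cc:00:00:02 -71 ExampleMedia-Guest
"""

# Assumed inputs the auditor would collect: the office's own access points
# (from the AP inventory), the survey points outside the controlled space,
# and name fragments that would tie an SSID to the organization.
OFFICE_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
OUTSIDE_POINTS = {"street", "neighbour"}
ORG_KEYWORDS = ("examplemedia", "example media")
USABLE_DBM = -75  # assumption: above this a client can usually associate


@dataclass
class Observation:
    point: str
    bssid: str
    signal_dbm: int
    ssid: str


def parse_survey(text):
    """Parse survey records; SSIDs may contain spaces, so split at most 3 times."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        point, bssid, signal, ssid = line.split(maxsplit=3)
        observations.append(Observation(point, bssid.lower(), int(signal), ssid))
    return observations


def reach_outside(observations, office_bssids, outside_points, usable_dbm=USABLE_DBM):
    """Return {bssid: {point: strongest signal}} for office APs usable outside."""
    reach = {}
    for o in observations:
        if o.bssid in office_bssids and o.point in outside_points and o.signal_dbm >= usable_dbm:
            per_point = reach.setdefault(o.bssid, {})
            per_point[o.point] = max(per_point.get(o.point, -999), o.signal_dbm)
    return reach


def identifiable_ssids(observations, office_bssids, keywords):
    """SSIDs of office APs whose name points at the organization."""
    return {
        o.ssid
        for o in observations
        if o.bssid in office_bssids and any(k in o.ssid.lower() for k in keywords)
    }


def report(text=SURVEY):
    """Produce the lines an auditor would paste into the office map notes."""
    observations = parse_survey(text)
    lines = []
    for bssid, points in sorted(reach_outside(observations, OFFICE_BSSIDS, OUTSIDE_POINTS).items()):
        where = ", ".join(f"{p} ({s} dBm)" for p, s in sorted(points.items()))
        lines.append(f"office AP {bssid} usable outside at: {where}")
    for ssid in sorted(identifiable_ssids(observations, OFFICE_BSSIDS, ORG_KEYWORDS)):
        lines.append(f"SSID '{ssid}' names the organization; consider a neutral SSID")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Survey records are deliberately kept as plain text so they can be captured with whatever the auditor already has (a phone's wifi analyzer, `iw dev wlan0 scan` on a laptop) and transcribed by hand; nothing here needs network access or a third-party mapping service. A neutral SSID does not hide the network, but it removes the trivial link between a broadcast beacon on the street and the organization's name.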

References and resources for Physical and Operational Security