
CitySmart Blog

Thursday, October 20, 2016
Jabari Massey, Network Infrastructure Consultant

In the world of bits and bytes, the act of stopping hackers and preventing unauthorized access to data can seem like the highest information security priority. But physical security of electronic information is just as important—and often overlooked. It’s not uncommon for organizations to spend lots of time on information security only to leave rooms with servers and workstations unlocked—allowing anyone to wander inside.

Any city—even a smaller city—needs physical security for its onsite technology. Don’t make it too easy for a disgruntled employee or member of the public to damage or access information from a server or computer. Your liability greatly increases when you lack good physical security for your technology.

So what do you need to do? Physically lock down and prevent unauthorized access to your technology through the following best practices.

1. Prevent access to any rooms with machines that hold sensitive information.

In many cases, this will be a room with servers that contains some of your city’s most critical information. You need to house any machines with sensitive data in a locked room. For example, that means not housing servers in an office where employees sit at their desks. Employees should only access a server room through some kind of barrier (or locked door) via a key, key fob, or key card.

2. Control and oversee access to these rooms.

Only authorized people should access any rooms with servers or other sensitive electronic information. Create clear policies that outline which employees, contractors, vendors, and visitors may access these rooms. You also need policies about how you terminate access so that ex-employees or former contractors can’t continue to enter these rooms.

3. Reconfigure physical access if you suspect a possible security weakness or breach.

We all make mistakes. But with physical security mistakes, you need policies that mitigate risks from any possible data breaches. Let’s say someone misplaces a key fob and it might get into unauthorized hands. Your policy may outline procedures for deactivating the lost key fob, which is much quicker and easier than changing the locks on a door.

4. Create additional procedures to monitor physical access.

In addition to controlling how people enter and exit rooms containing sensitive technology, think about the following physical access procedures:

  • Sign in and sign out: Know who enters your technology rooms by having everyone sign in and identify themselves.
  • Escort visitors: Do not let a visitor—such as a contractor or vendor—wander around your buildings without an escort. They are not employees and they need to be monitored. You may handle visitors differently depending on their role (such as a one-time visitor versus a long-time trusted vendor), but you need an escort policy for each kind of visitor.
  • Install security cameras: Cameras are more of a reactive security device but they help provide information and evidence in case of a physical security threat or breach. If it’s unclear how a physical breach occurred or a person disputes an incident, security camera footage can help provide answers.

5. Mitigate data breaches, sabotage, and disasters with physical security protections.

In case of a disaster, you want to have important physical security protections in place such as:

  • Data backup and disaster recovery: In case of server failure, deleted information, or physical damage to equipment, a data backup and disaster recovery solution will ensure you don’t lose any sensitive data.
  • Fire suppression: This includes smoke detectors and sprinkler systems.
  • Flood prevention: Consider locating server rooms in places where flooding is unlikely. Avoid basements or rooms located near low ground, and raise servers off the ground. Technology also exists to detect the presence of water within your building.
  • Redundant power supply: In case of a power outage, your technology should shift to backup power so that it keeps running.

Taken as a whole, these best practices will lock down your technology and make it difficult for a physical data breach to take place. Plus, these best practices also help with non-human disasters such as fire, flooding, or power outages.

Questions about your technology’s physical security? Reach out to us today.