Physical Security Audit Checklist

Project Work Step Specific Risk: Unauthorized physical access to the facility or building by intruders. Q: Are employees required to attend any type of training class for fire emergencies and/or bomb threats? All employees should be required to attend a training session explaining the procedures in the case of a fire or bomb threat and all employees should be required to sign an agreement stating that they have attended the training. Q: Is part of the facility owned by another party? Security can be maximized if the entire facility is owned a single company. If the facility is shared, security procedures must be agreed upon by both parties. Q. Is there a process for issuing keys, codes, and/or cards that requires proper authorization and background checks. Q. Are keys and codes changed on a regular basis to prevent unauthorized persons from obtaining access. Q: Is the facility located in a high crime rate area? Check that the facility is in an area that adequately protects against malicious and random crime. Q: What types of hinges are used to hang doors? All doors should be on fixed hinged doors, or at least not removable hinges. Removable hinges are standard household door hinges that can be easily removed. Fixed door hinges cannot be removed once in place. Q: Are windows conducive to forced entry? The location and characteristics of windows needs to be inspected. Windows have the highest vulnerability to forced entry. Windows are more than 18 feet from the ground and are not easily accessible from the building exterior. Windows do not have openings greater than 96 square inches, and windows have gaps less than 8 inches vertically by 15 inches horizontally. Windows are more than 40 inches from a locking device. Q: Are fences and/or walls in place and do they adequately protect the property? Q: Is the condition of the barrier deteriorating? Physical barriers such as fences and walls deter intruders and restrict visibility into the premises. Chain-link fences need to be 9, or at least 11, gauge steel. All fences should be no higher than 2 inches off the ground if the ground is hard. If the ground is easily movable or windblown then the fence should be 4 to 8 inches below the ground. Brick fences are stronger and are not transparent, but have height limitations. Q: Is lighting sufficient for a safe work environment and to deter intruders? If the width of lighting outside the property line is not restricted, it is preferred to use glare protection by installing high-pressured sodium-type flood lights which make it difficult to see inside the property line. If lighting width is restricted due to adjacent buildings or adjoining property, normal street lighting is preferred. All entranceways should having lighting similar to that during daylight hours. Locked gates should have lighting similar to that of fully active entranceways. Parking lots inside the property lines should have standard street lighting. Additional security and lighting should be implemented for parking lots outside the facility.

Employees should have an guard available to escort them to their car if necessary. Q: How is access to the facility restricted (key, code, electronic card)? Q: If by key or code, how often are they changed? All keys should have "DO NOT DUPLICATE" on them. Specific Risk: Cables and wiring are damaged causing a loss in network connectivity. Q: How old is the cabling? Cable condition checks should be conducted once every two to five years. Q: Q: Q: Q: Are there extra cables stored on-site (CAT5, etc.)? Who has access to extras? How many are there? What condition are they in?

Inventory control should be a priority to prevent theft of supplies and damage to supplies. Q: Who has access to cabling whereabouts and conditions? Q: Who does the repairs? A cable map, if one exists, should not be public knowledge and should only be accessible to a limited number or people. Repair personnel should have knowledge of cable mapping. Q: How many floors do the cabling travel through? Q: Does the cabling come up the middle of the building or on the sides? Cabling should be heavily protected between floors. Cabling should travel from floor to floor through the center of the building. The outer parts of the building are more susceptible to weather damage. Q: Are there redundant lines in case of cutting or other failure/damage? Redundant lines should be in place entering the facility at different locations, the 2nd source being supplied from a different vendor is preferred. Q: Do the cables make any tight turns, bends, twists, or are they squeezed through any tight holes? Cables are laid out in a manner that does not make the susceptible to physical strains. Q: What are the cables enclosed in? - Fire resistant? - Water resistant? - Extreme temperature resistant? - Sturdy? Q: Are the lines susceptible to being cut from digging? Cables should be buried a minimum of 6 feet, be encased in protective conduit, and laid in construction free areas. Specific Risk: Unauthorized physical access to sensitive programming areas by intruders. This also applies to the input/output control room, storage areas, wiring closets, communications closets, etc. Q: Are access logs kept for the programming room? Q: Manual or Automatic? Q: Who reviews the reports and how often? Access logs of who enters the programming room should be kept to monitor activity and detect unauthorized access. Periodic reviews of the log should be conducted. Q. Is a process for issuing keys, codes, and/or documented. Keys and codes should be changed on a regular basis.

Q: How many computers are used for programming? The number of computers used for programming should match the number of programmers in the company. Only those computers designated for programmers should have the appropriate software for programming. Minimize the number of "sandboxes", or test machines. As the number of computers goes up, the amount of risk goes up. Excess computers allow for more access points for intruders. Q: Is the programming area in a room by itself or combined with other work areas? The programming area should be restricted to authorized personnel, separate from normal work areas. Q: Who has access to this area? Access rights should be defined for each person based on business need. Commonly limited to programmers, supervisors, and managers. Q: How does the room restrict access (key, code, electronic card)? Q: If by key or code, how often are they changed? Q: Is there more than one entrance to the room? Q: How do visitors/guests gain access to the room? Q: How long can visitors/guests stay in the room at any given time? All guests should be escorted at all times. If visitors are not required to be escorted, a time restraint should be placed on visitation rights. Q: What hours do people have access to the room? The programming room should have defined operating hours. 24 Hour access should only be granted to the appropriate personnel. Q: Is there any hardware in the room besides the programming computers (servers, hubs, etc.)? All hardware other than that necessary for programming, should be in the computer room, data center, or communication closets. The only hardware that should be in the programming room is the hardware necessary to perform their day-to-day business functions. Q: What floor is the programming area on? Q: Is the programming room close to windows? The programming room should be on a secured floor. The 1st floor is most often easiest to access, so it is preferred to have the room on above the first floor if possible. It should never be located in the basement. If it is a multi-story building, floors 3 through 6 are preferred locations. Windows are the easiest access points to a secured area by brute force. Also, windows can be easily broken during natural disasters or storms. Q: Is the floor elevated? How high? The computer room floor should be elevated at least 18 inches. The water table of the location should be taken into consideration. Q: Are there "deadman" doors at each of the entrances to prevent piggybacking? To maximize security, the main entrance to the computer room should have "deadman" doors to prevent piggybacking. This system consists of two doors. For the second door to open the first door must close and lock with only one person permitted in the holding area. This reduces the risk of piggybacking, when an unauthorized person follows an authorized person through a secured entry. Q: Is the location of the room advertised? There should be no windows from the outside of the building or directional signs making the computer room identifiable. Specific Risk: If any of the potential threats become a reality without the proper detection,

prevention, and monitoring systems in place, significant damage to hardware could occur resulting in loss of operational capability. Q. Is there policy to protect against any and all known environmental factors and risks? Q. Do detection and monitoring devices alert the appropriate personnel? Q: How often are inspections done? By whom? The fire department should conduct inspections on a regular basis. Q. Are detection and monitoring devices tested on a regular basis, except for the fire suppression system? Q: Are there smoke detectors below the raised floor and on the ceiling? Q: Are there water detectors below the raised floor? Q: Are there fire extinguishers in the room? There should be at least one fire extinguisher in the computer room. A fire extinguisher can minimize the amount of damage done. Q: Are there manual fire alarms? There should be at least one fire alarm both inside and outside the computer room. Q: Are there any flammable cleaning supplies in the computer room? Cleaning supplies should not be stored in the computer room. Specific Risk: Power failures or surges may occur. Q: Who supplies the power sources? Yearly evaluations of power providers should be conducted to ensure that service level agreements SLA's are being met. Q: Are UPS (uninterruptible power supply)/generators installed? How many? Q: Is there an emergency power-off switch inside and outside the computer room? Q: Where do the power lines enter the building? Power lines should reside in areas of low construction and traffic. Lines that are susceptible to damage or cutting should be relocated. Q: Are there redundant power lines that feed into the facility? Redundant power sources should be available to all mission critical facilities. Specific Risk: Hardware failure can easily occur without proper cooling, therefore backup cooling sources will greatly decrease the chance of a failure in the event of an airconditioning problem. Q: What is the backup for an air-conditioning failure? Proper ventilation will help mitigate the problem, but air-conditioning from another part of the building should be available. Q: Is the temperature of the room set to manufacturer standards? Q: Is ventilation to the room adequate? The temperature of the room should be set to manufacturer standards for the hardware to operate effectively and efficiently. Specific Risk: Sensitive documents are not properly disposed. Q: Where does old media go (diskettes, papers, etc. All sensitive documents should be shredded. Each individual person should be responsible for shredding their own documents immediately after they become expired. All diskettes and other electronic media should be formatted and physically destroyed, and not stored after it is outdated.

Q: Who has access to damaged media sources? Any old media should be kept in a secure place until it can be properly disposed of. Specific Risk: Unauthorized personnel obtain access to sensitive building areas, including the computer room, programming area, or wiring closets. Q. Is a security guard always in place to watch the cameras? Tape logs should be kept for at least one year or as determined necessary for future investigation purposes. Q: How are badges or ID's issued, changed, and discontinued? A formal procedure for creating, changing, and retrieving security badges should exist. All access rights should be determined by business need. All guest badges should be discontinued immediately after they leave. Segregation of duties should be apparent Q: Are background checks performed? Q: Do all employees wear photo ID badges? Full-time personnel could be easily imitated without proper ID checks in place allowing unauthorized access. Q: Do visitors were badges, and are they different than regular employees? All visitors should wear some form of identification (i.e., name tag) so that they are distinguishable from regular employees. Q: Are there video cameras? -- How many? -- Where? -- Who watches them? -- How often are tapes reviewed? -- How far back to tape logs go? Security cameras should be in place to help monitor important areas of the building and facility. Q: Are maintenance people monitored closely? All maintenance personnel should be escorted the appropriate location. If maintenance personnel are contracted, the company should have adequate insurance to cover employee fraud or theft. In areas of highest security maintenance personnel should be treated as guests. Specific Risk: Sensitive information may be stolen from unprotected PCs or PCs may not be available when needed. Q: Have all employees been properly trained on how to care for all computer equipment and accessories? All employees should be required to attend a short training on computer care and should be required to sign an agreement attesting that they understand how to properly care for all equipment. Q: How often is inventory done? Maintaining a regular inventory schedule is a basic control for detecting theft and/or fraud. Q: Who orders new PC's, who receives them, and who delivers them? A formal procedure should exist for ordering, and receiving new hardware. Segregation of duties should be apparent. Q: How often are PC's cleaned? Q: Are all PC's connected to surge protectors? Q: Are PC's secured to desks or are they easily removable?

PC's are susceptible to theft if they are not physically secured. Q: Where are extra PC's kept? -- How many? -- What floor? Q: Who has access to the extra PC's. All extra PC's should be kept on floor that is both secure and protected from fire and water damage preferably floors 3 through 6. Access to extra PC's should be based on business need. Specific Risk: Telephone resources may be used for inappropriate purposes, disclose sensitive communications, or be unavailable when needed. Q: Who reviews the phone bills? -- How often are they reviewed? Phone bills should be reviewed on a regular basis to be sure that fraud is not being committed from neither the inside nor the outside. Q: Have lines been tested for tapping ability? -- How often? -- By whom? All phone lines should be tested on regular basis to determine if information can be easily intercepted. Maintenance inspections should be conducted on a regular basis. Service Level Agreements (SLA's) should detail maintenance agreements. Q: How many phone lines feed into the facility? There should be a detailed map of telephone lines that enter the facility, and there should be redundant supply of phone lines as well. Q: Who sponsors the phone lines? Q: Who maintains the phone lines? Service Level Agreements (SLA's) should be established with the telephone providers to clearly outline the responsibilities of both parties. Specific Risk: Portable devices may be stolen or may disclose sensitive information Q: Have portable devices been tested vulnerability of being tapped? Extensive testing of all portable devices should be conducted to ensure that the products are secure and can not easily be broken into. Q: How often is inventory taken? Inventory of portable devices should be taken on a regular basis to prevent theft. The inventory should be conducted by a different person than who orders and distributes new devices. Segregation of duties should be apparent. Q: Who issues and reorders devices? Ordering new portable devices should be done by a documented, formal procedure with one person responsible for taking those orders. Issuing the devices should also have a formal procedure to ensure timely delivery and prevent theft. This person should not conduct inventory. Segregation of duties should be apparent. Q: Where are extra portable devices kept? All extra devices should be kept in a secured storage room that is protected from water ad fire hazards. Access to this room should be restricted to only those that have a business need. Specific Risk: Confidential documents are inadvertently disclosed to adversaries.

Q: How are confidential documents marked? A conventional naming system should be in place for marking confidential documents. Five classification categories: 1. For Official Use Only: least sensitive. 2. Proprietary: restrictions exist and it is recommended that it not be distributed. 3. Confidential: Only internal people have access. 4. Company Secret: Only a select group of internal people have access to this information. 5. Company Top Secret: A select group has access. One select group to Top Secret information does not necessarily have access to other Top Secret information. Q: What is the process for someone to mail confidential or sensitive company and/or client information? A formal procedure should be in place for mailing confidential documents. All confidential documents should go through a manager check or designated approval person. The most reliable mailing method should always be used when mailing confidential information. Q: How are confidential documents handled and how are they stored? Sensitive data should be stored in a controlled area according to its classification. Proper control measures should be in place to ensure that access to one classification of documents does not enable access to another. (i.e. Company Top Secret and Company Secret documents should not be stored together in the same vault.) Q: How are documents reclassified or declassified? All documents can be reclassified only by the owner or the original document, usually a manager. There should be several checks in place before a single person can reclassify a document. A comprehensive tracking system should be in place for checking out documents to track who has what documents. Access to documents should be restricted to the appropriate personnel on a business need basis.