Problem solve Get help with specific problems with your technologies, process and projects.

Policy for the real world: Physical security

A look at a security policy for the real world.

With my friend and colleague, James Michael Stewart, I teach a Windows security class at least twice a year. Part of that class features a demonstration of a wonderful bit of software from WinInternals called "NT Locksmith." On just about any Windows NT, 2000 or XP laptop, booting this software from a floppy permits a knowledgeable Windows person to take over the machine and reset the administrator password in 5-10 minutes (note: the bulk of the time involved is for booting the machine, not to run the software).

My point is that any savvy system wizard who can gain physical access to a computer can take that machine over in less than half an hour under most circumstances. This helps to explain why physical security -- or managing control over the space where systems and other key aspects of IT infrastructure reside in the real world -- is such an important component of a well-designed and well-executed security policy. If you don't maintain physical security in the real world, any and all safeguards you erect in the virtual world may be meaningless.

As with other aspects of security policy, what kind of physical security your organization decides to implement should be a function of risk analysis and threat assessments, where how much money, time and effort you're willing to expend on physical security depends on potential losses arising from its breach. For most small- to medium-sized businesses, this means things like locked server rooms, additional authentication or access controls to operate administrator consoles and, possibly, some kind of monitoring system to track access and use of sensitive systems. These can vary from simple logging mechanisms to video surveillance systems, depending on risk assessments and needs for accountability.

As information or technology assets become more valuable, the number and kind of physical security controls typically increase. At development, records or transaction-oriented sites, control over server and equipment rooms is usually augmented by keycard access controls for elevator and doors, often with manned guard stations at entry- and exitways. Biometrics or multi-factor authentication/access systems are more common at sites where sensitive, classified, or highly proprietary data or other assets need extra protection.

As with other forms of security policy implementation, it's wise to hire a physical security professional to come audit your site, or to hire a penetration expert to reconnoiter and attempt to bypass physical security measures. It's also important to be sensitive to who gets access to controlled areas from the infrastructure side -- such as cleaning crews, repair staff and so forth. Likewise, it's vital to be aware of alternate means of access to various spaces, such as suspended ceilings, ductwork, crawlspaces and so forth.

A quick search on Google on the phrase "physical security policy" turns up lots of real-world examples of such policies from academic and public institutions like hospitals and government offices. You can use these materials to help get a sense of what a working physical security policy looks like and tailor such documents to meet your own particular needs. Just remember that managing physical security is every bit as important as managing virtual boundaries and access, and you'll be well on your way toward building a safe and complete set of policies for your organization.

Please feel free to e-mail me with feedback, comments, or questions at

About the author
Ed Tittel is a principal at a content development division based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CompTIA and security topics, including Security+, CISSP and TICSA. As an expert on, Ed answers your questions concerning infosec training and certification.

For more information, visit these other resources:

This was last published in March 2003

Dig Deeper on Information security program management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.