Administrative physical security controls are related to the use of proper administrative processes. These processes include facility requirements planning for proper emergency protocol, personnel control, and proper facility security management.
Facility Requirements Planning: Without appropriate control over the physical environment, no amount of administrative, technical, or logical access controls can offer effective security to an organization. Control over the physical environment starts with organizing the security requirements for a facility. A secure facility plan details the security needs of the organization and highlights methods or mechanisms to implement effective security. Such a plan is created through a process called critical path analysis, which is an organized effort to identify relationships between mission-critical applications, methods, and procedures and all of the necessary supporting elements.
When critical path analysis is performed appropriately, a comprehensive picture of interdependencies and interactions necessary to support the organization is produced. Once the analysis is established, the results supply an itemized list to be physically secure. This needs to be accomplished in the preliminary stages of the construction of a facility.
One of the central physical security elements established during the construction stage include identifying and designing a secure site that will house the organization’s IT infrastructure and operations. The security needs of the organization should be the chief concern when identifying a site. The site should be accessible to both employees and external services without close proximity to possible hazards or areas with a high crime rate.
Another issue to be considered is the level of susceptibility to natural disasters in the area. The site should not be prone to earthquakes, mud slides, sinkholes, fires, floods, hurricanes, tornadoes, falling rocks, snow, rainfall, ice, humidity, heat, extreme cold, and so forth. The site should also be within reachable distance to emergency services, such as police, fire, and hospitals or medical facilities.
Secure Facility Design: The proper security applications for a facility must be planned prior to the construction of the facility. There are several security measures to take into account in the design process, including the combustibility of construction materials, load rating, placement, and control of items such as walls, doors, ceilings, flooring, HVAC, power, water, sewage, gas, etc. The walls are required to have an acceptable fire rating. Closets or rooms that store media must have a high fire rating. The same applies to ceilings, and as with floors, ceilings must have a secure weight-bearing rating.
Additionally, the floor needs to be grounded against static buildup and must apply a non-conducting surface material in the data center. Electrical cables must be contained in metal conduit, and data cables must be enclosed in raceways.
The data center should be without windows, but if there are windows they must be translucent and shatterproof. Doors should be fortified against forced entry and have a fire rating equal to the walls. Also, emergency exits must be clearly marked and monitored or alarmed. Personnel safety should be the primary concern. The facility should also be supplied with backup power sources. All marked locations within a facility should not have equal access.
Areas that contain valuable assets or vital importance should have restricted access. Valuable and confidential assets should be placed in the maximum protection area provided by a facility.
Work areas and visitor areas should also be planned for. Walls or partitions can be in place to divide similar but distinct work areas. These partitions can impede casual eavesdropping or shoulder surfing, which is a method of collecting information from a system by observing the monitor or the use of the keyboard by the operator. Floor-to-ceiling walls should be used to partition off areas with varying levels of sensitivity and confidentiality. Computer rooms should be designed to support the operation of the IT infrastructure and to block unauthorized physical access.
Facility Security Management: Audit trails and emergency procedures are in the category of facility security management. These are areas of the Administrative Security Controls that don’t involve the initial planning of the facility but are required to preserve security on an ongoing basis. In information systems, an audit trail is a chronicle of events that concentrates on a specific type of activity, such as detecting security violations, performance problems, and design and programming flaws in applications.
In physical security, audit trails are access control logs and are critical in tracing unlawful access attempts and identifying the perpetrator who attempted them. These are detective rather than preventative controls. To work as an effective tool, access logs must record the date, time and location of the access attempt, success or failure of the access attempt, the identity of the individual who attempted access as well as the identity of the person, if that individual was involved, who altered the access privileges at the supervisor level, and must be audited regularly. Some audit trail systems can also send alerts to a security officer when several or back-to-back access failure attempts occur.
The implementation of emergency procedures and proper training of employees of these procedures is another important aspect of administrative physical controls. These procedures should be clearly stated, readily accessible, and updated when required. They should include emergency system shutdown protocol, evacuation procedures, employee training, awareness programs, and periodic drills, and periodic equipment and systems tests.
Facilities that use restricted areas to control physical security will need to address facility visitors. Escorts can be assigned to visitors. Additionally, a visitor’s access and activities should be observed carefully.
Administrative Personnel Controls: Administrative personnel controls are administrative processes that are typically implemented by the Human Resources (HR) department during employee hiring and termination. These often consist of pre-employment screening, which entails employment, professional references, background checks, or credit rating checks for sensitive positions; ongoing employee checks, including security clearance checks for employees that have access to confidential information, and ongoing employee ratings or reviews by their supervisor; and post-employment procedures, including exit interviews, removal of network access and the changing of passwords, and the return of computer inventory or laptops.
