Data protection as physical premises.
In the arena of data protection, the emphasis is put on the more technical measures: firewalls, virus protection and the like. For this series we will look at physical access to locations, as by far the biggest data breaches are caused by people and by who has access to what.
Halt, who goes there?
Unless your building is open to the public, such as a shop, church or sporting facility, your physical premises will require some sort of control over who comes in. Even if your organisation welcomes members of the public, such as a bank, it is usual that there is a separate area which is only to be accessed by staff, as there are certain processes and functions that need to be kept away from prying eyes. Considering the amount of information that an organisation holds, and the ease with which data can be replicated and distributed, it is imperative to limit the ability of people to enter such premises without proper authorisation.
Now things start to get interesting.
Some of these preventative measures can be for appearances, which discourages such attempts, but they can also have substance, in that there would be consequences if one tried. High barbed wire fences, security guards and dogs all provide a signal of security with real bite. CCTV, man traps, locked doors and electronic systems all provide a measure of control. The issue is: who has access, and to where?
I was recently discussing with a sub-contractor the issues around implementing an electronic fob system to control access to the main entry point to the building. Once we began to think about who requires access to various areas, things started to get a bit tricky. There were visitors, maintenance staff, sub-contractors, IT staff and different personnel, each with different clearance levels. The identification of where sensitive data was stored or processed became the map upon which we laid our entry clearances. Only IT staff could access the server room, and certain staff could not access certain departments, not because they weren’t trusted, but because there was no reason for them to be there.
Other aspects had to be considered, such as fire drills. It was OK to think about ingress, but in case of fire all doors would need to open automatically to allow quick and easy escape from the building. That then becomes a bit more tricky: if you had a fire at the same time as a terror attack, having all the doors open to let everyone out could also give unwanted elements an opportunity to come in.
This is the first step towards data protection, as it is people that will always be the weakest link.
Next in the series: They're in, now what?