Mandatory requirements for Physical Security in your organization
By Robin GH Patras
What are the Mandatory requirements for Physical Security by any organization?
- PHYSEC1 - Understand what you need to protect
- PHYSEC2 - Design your physical security
- PHYSEC3 - Validate your security measures
- PHYSEC4 - Keep your security up to date
PHYSEC1 - Understand what you need to protect
Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:
- Protect your people from threats of violence, and support them if they experience a harmful event
- Protect members of the public who interact with your organisation
- Put physical security measures in place to minimise or remove risks to your information assets.
PHYSEC1 - Understand what you need to protect
Before you can put the right physical security measures in place, you must understand what you need to protect.
- How will your facilities be used?
- Are your people working away from the office?
- Have you taken health and safety needs into account?
- Is your organisation co-locating?
PHYSEC1 - Assessing your physical security risks
When you assess your organisation's unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level. You need to know where you are vulnerable and how your organisation would be affected if security were breached. Here are some questions to answer.
- During what hours will people be arriving, departing, and working at each site?
- How many people will be working at each site?
- Which third parties have access to your facilities?
- What are the risks associated with the collections of information and physical assets you hold?
- What are the risks associated with higher concentrations of people in certain areas?
- Which activities does your organisation undertake at each site?
- Are there threats that arise from your activities?
- What threats arise from your location and neighbours?
PHYSEC1 - Assessing your physical security risks
Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can't accurately assess internally, call on external sources such as local police or other authorities.
- If you're co-locating with other organisations, consider the combined security risks and work together to assess them.
Remember to:
- Assess the risks of each site you use separately, as you need to develop site-specific security plans
- Include physical security risks in your organisation's risk register(s).
PHYSEC2 - Design your physical security
Consider physical security early in the process of planning, selecting, designing, and modifying facilities.
Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.
PHYSEC2 - Design your physical security
Since physical security measures can be more expensive and less effective if they're introduced later, consider your physical security requirements at the earliest stages, preferably during the concept and design stages. Apply this strategy any time you're:
- Planning new sites or buildings
- Selecting new sites
- Planning alterations to existing buildings.
PHYSEC2 - Design your physical security
Evaluate the following factors to work out if a site is suitable:
- The neighbourhood
- The size of the stand-off perimeter
- Site access and parking
- Building access points
- Security zones
PHYSEC2 - Design your physical security
Use your site-specific risk assessments to:
- Prepare site-specific security plans
- Include security requirements within other site development plans.
Your organisation needs a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. The plan should align with any minimum security standards your organisation has agreed for specific types of facility.
PHYSEC2 - Design your physical security
For each site security plan, ensure that your physical security measures:
- Provide enough delay to allow planned responses to take effect
- Meet business needs
- Complement and support other operational procedures
- Include any necessary measures to protect audio and visual privacy
- Do not unreasonably interfere with the public.
PHYSEC2 - Design your physical security
If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.
- Zone 1: Public Access Area. Unsecured areas, including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact.
- Zone 2: Work Area. Low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.
- Zone 3: Restricted Work Area. Security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme, and access is limited to people with a need to be there.
- Zone 4: Security Area. Security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and to physical assets where any loss would result in a business impact up to catastrophic; access is strictly controlled with ID verification and card access.
- Zone 5: High-Security Area. Security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.
PHYSEC2 - Design your physical security
Physical security measures aim to protect people, information, and assets from compromise or harm by applying the 'Deter, Detect, Delay, Respond, Recover' model.
A key concept in physical security is 'security in depth': a multi-layered system in which security measures combine to support and complement each other. You can apply this concept by placing zones within zones. This layering increases total delay times and creates additional barriers. Any unauthorised person trying to access the higher zones will meet increasing levels of controls.
The following diagram shows a possible combination of security zones.
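The Python script below is an added example, not code from the original slides. It turns the "provide enough delay to allow planned responses to take effect" requirement and the zones-within-zones idea above into a check a site security plan can be tested against: walk the adversary's path outside-in, find the first layer at which detection becomes reliable (the critical detection point), and compare the delay that still lies beyond that point with the time the planned response needs. The layer names, delay times, detection probabilities and the four-minute guard response are constructed for illustration, and the model (independent detection per layer, detection credited only once a layer is breached) is a deliberate simplification of the adversary-sequence analysis used in physical protection system design.

```python
"""Timeline check for security in depth: does the delay after detection
cover the planned response?

Added example, not part of the original slides. Layer names, delay
times and detection probabilities are constructed for illustration,
not measured values; the model is a simplified adversary-sequence
(critical detection point) analysis.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    """One barrier on the adversary's path, outermost first."""
    name: str
    delay_s: float    # seconds an adversary needs to defeat this layer
    p_detect: float   # probability this layer's sensors or guards detect the attempt (0..1)


@dataclass(frozen=True)
class PathAssessment:
    critical_layer: Optional[str]  # first layer where cumulative detection reaches the threshold
    remaining_delay_s: float       # delay still ahead of the adversary after that point
    response_s: float              # time the planned response needs to arrive and interrupt
    p_detect_cumulative: float     # cumulative detection probability at the critical layer

    @property
    def timely(self) -> bool:
        """The slide's rule: delay after detection must cover the response."""
        return self.critical_layer is not None and self.remaining_delay_s >= self.response_s

    @property
    def shortfall_s(self) -> float:
        """Extra delay needed inside the critical layer for the response to be timely."""
        if self.critical_layer is None:
            return float("inf")
        return max(0.0, self.response_s - self.remaining_delay_s)


def assess_path(path: List[Layer], response_s: float, p_threshold: float = 0.9) -> PathAssessment:
    """Walk the path outside-in and locate the critical detection point.

    Simplifying assumptions (constructed for this example):
    * layers detect independently, so cumulative P(detect) = 1 - prod(1 - p_i);
    * a layer's detection fires as the adversary finishes defeating it, so only the
      delay of the layers still ahead counts toward interrupting the attack
      (conservative: no credit for the layer being breached).
    """
    cumulative_miss = 1.0
    for i, layer in enumerate(path):
        cumulative_miss *= 1.0 - layer.p_detect
        p_cum = 1.0 - cumulative_miss
        if p_cum >= p_threshold:
            remaining = sum(inner.delay_s for inner in path[i + 1:])
            return PathAssessment(layer.name, remaining, response_s, p_cum)
    # Threshold never reached: no point on this path where detection is reliable.
    return PathAssessment(None, 0.0, response_s, 1.0 - cumulative_miss)


# Constructed site: five layers that map onto the slide's zones, outermost first.
SITE_PATH = [
    Layer("Zone 1 perimeter fence", delay_s=30, p_detect=0.5),
    Layer("Zone 1 public foyer", delay_s=10, p_detect=0.3),
    Layer("Zone 2 turnstile with card reader", delay_s=60, p_detect=0.8),
    Layer("Zone 3 restricted corridor door", delay_s=120, p_detect=0.9),
    Layer("Zone 4 server room door", delay_s=300, p_detect=0.95),
]

# Same site with weaker inner doors: same detection, much less delay behind it.
WEAK_PATH = SITE_PATH[:3] + [
    Layer("Zone 3 restricted corridor door", delay_s=60, p_detect=0.9),
    Layer("Zone 4 server room door", delay_s=60, p_detect=0.95),
]

GUARD_RESPONSE_S = 240  # constructed: the on-site response is planned at 4 minutes


def report(path: List[Layer], response_s: float) -> str:
    """One-line verdict for a site security plan review."""
    a = assess_path(path, response_s)
    verdict = "timely" if a.timely else f"NOT timely (short by {a.shortfall_s:.0f} s)"
    return (f"critical detection point: {a.critical_layer} "
            f"(P={a.p_detect_cumulative:.2f}); delay after it: {a.remaining_delay_s:.0f} s; "
            f"response: {response_s:.0f} s -> {verdict}")


if __name__ == "__main__":
    print("site:", report(SITE_PATH, GUARD_RESPONSE_S))
    print("weak:", report(WEAK_PATH, GUARD_RESPONSE_S))
```

Running it shows the point the slide makes about layering: with the constructed values, detection becomes reliable at the Zone 2 turnstile and 420 s of delay remain behind it, so a 240 s response is timely; the weak variant keeps the same detection but leaves only 120 s behind the same point, so the response is 120 s short. The fix in that case is more delay inside the critical detection point, or earlier and more reliable detection, not more controls outside it. Raising `p_threshold` (for example to 0.99 for a higher-zone asset) pushes the critical detection point inward and shrinks the delay the plan can count on.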
PHYSEC3 - Validate your security measures
Confirm that your physical security measures have been correctly implemented and are fit for purpose.
Complete the certification and benchmarking process to ensure that security zones have approval to operate.
PHYSEC3 - Validate your security measures
Validating your organisation's physical security measures means finding out whether they have been correctly implemented and are fit for purpose.
Your Chief Security Officer (CSO) decides whether the measures are right for the risks your organisation faces. These risks may vary from site to site. The validation step gives senior executives confidence that physical security is well managed, risks are properly identified and mitigated, and governance responsibilities can be met.
PHYSEC4 - Keep your security up to date
Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.
PHYSEC4 - Keep your security up to date
An important part of maintaining security is providing security awareness training and support. Communicate your physical security policies to your people and to the people your organisation works with. Let them know when physical security arrangements change and, when possible, say why.
Encourage people to report emerging concerns or near misses, and treat those who do as good corporate citizens rather than troublemakers.
Analyse evolving threats and vulnerabilities
Keeping your people, information, and assets secure involves ongoing activity to detect and manage evolving threats and vulnerabilities.


Editor's Notes

  1. Zone 1: Public Access Area
These are unsecured areas, including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people. Examples of public access areas are:
 building perimeters and public foyers
 interview and front-desk areas
 temporary out-of-office work areas where the agency has no control over access
 field work, including most vehicle-based work
 public access parts within multi-building facilities.

Zone 2: Work Area
These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people. These areas allow unrestricted access for your people and contractors; public or visitor access is restricted. Examples of work areas are:
 normal office environments
 normal out-of-office or home-based worksites where you can control access to the areas used for your business
 interview and front-desk areas where your people are separated from clients and the public
 military bases and airside work areas with a security fence around the perimeter and controlled entry points
 vehicle-based work where the vehicle is fitted with a security container, alarm, and immobiliser
 exhibition areas with security controls and controlled public access.

Zone 3: Restricted Work Area
These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people. Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area. Examples of restricted areas are:
 secure areas within your building that have extra access controls for your people (such as IT server rooms)
 exhibition areas with very valuable assets
 areas with high-value items or items of cultural significance when not on display.

Zone 4: Security Area
These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and to physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people. Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area. Examples of security areas are:
 secure areas within your building that have extra access controls for your people
 exhibition areas with very valuable assets, with specific item asset protection controls and closely controlled public access
 areas used to store high-value items or items of cultural significance when not on display.

Zone 5: High-Security Area
These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic. Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area. Examples of high-security areas are:
 areas storing top secret, sensitive, compartmented information
  2. Review your physical security measures regularly
Undertake regular reviews to ensure your security measures remain fit for purpose. Identify changes in your use of facilities, in your organisation, or in your threat environment. Use this information to inform improvements.

Conduct periodic reviews and assure compliance
Regularly monitor, review, and audit your physical security measures. You need to know if:
 your physical security policies are being followed
 your physical security controls are working as planned
 any changes or improvements are necessary.

Identify changes in your security environment
Be prepared to restart your physical security lifecycle whenever your security environment changes. Consider these questions to inform changes and improvements.
 Are you using your information and assets in a different way?
 Are you using your facilities in a different way?
 Are your people working in a different way?
 Are you planning improvements to internal or external security services?
 Have you identified new security threats and vulnerabilities?

Retire securely
When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase. Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:
 safes or filing cabinets containing classified information
 printers / multi-function devices.

Destroy protectively-marked information and equipment properly
You must use NZSIS-approved destruction equipment or an NZSIS-approved destruction service to destroy protectively-marked information and equipment, so that the waste can't be reconstructed or used.
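One concrete way to check that "your physical security controls are working as planned" is to replay badge-access records against the zone rules in the notes above (need to access, clearance for ongoing access, escorts for visitors and contractors, ID verification in Zones 4 and 5). The script below is an added example and is not part of the presentation or of any official PSR tooling; the badge-log format, the people register, the rule codes and the sample records are all constructed for illustration, and treating Zone 2's "restricted" visitor access as requiring an escort is an assumption of this example rather than something the notes state.

```python
"""Replay badge-access events against the Zone 1-5 access rules.

Added example, not part of the presentation. The person register, event
format and sample data below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    role: str                   # "staff", "contractor" or "visitor"
    cleared: bool               # holds an appropriate security clearance
    need_to_access: frozenset   # zones for which a business need is recorded


@dataclass(frozen=True)
class AccessEvent:
    badge: str                  # badge identifier presented at the door
    zone: int                   # 1 (public access) to 5 (high security)
    escorted: bool              # an escort was signed in with this person
    id_verified: bool           # identity checked at entry, not just the card


def check_event(ev: AccessEvent, people: dict[str, Person]) -> list[str]:
    """Return rule-violation codes for one access event (empty means compliant)."""
    person = people.get(ev.badge)
    if person is None:
        return ["UNKNOWN_BADGE"]
    findings: list[str] = []
    if ev.zone <= 1:
        return findings                       # public access area: nothing to enforce
    if ev.zone == 2:
        # Assumption of this example: "visitor access is restricted" in a work
        # area is modelled as requiring an escort.
        if person.role == "visitor" and not ev.escorted:
            findings.append("VISITOR_UNESCORTED")
        return findings
    # Zone 3 and above: everyone needs a recorded business need for the zone;
    # staff and contractors with ongoing access also need a clearance.
    if ev.zone not in person.need_to_access:
        findings.append("NO_NEED_TO_ACCESS")
    elif person.role != "visitor" and not person.cleared:
        findings.append("NO_CLEARANCE")
    # Visitors are escorted from Zone 3 up; contractors from Zone 4 up.
    escort_needed = person.role == "visitor" or (
        person.role == "contractor" and ev.zone >= 4
    )
    if escort_needed and not ev.escorted:
        findings.append("UNESCORTED")
    # Zones 4 and 5: staff access is controlled with ID verification and card access.
    if ev.zone >= 4 and person.role == "staff" and not ev.id_verified:
        findings.append("NO_ID_VERIFICATION")
    return findings


def audit(events: list[AccessEvent], people: dict[str, Person]) -> list[tuple[AccessEvent, list[str]]]:
    """Return only the events that breach a rule, with their finding codes."""
    flagged = []
    for ev in events:
        findings = check_event(ev, people)
        if findings:
            flagged.append((ev, findings))
    return flagged


# Constructed sample register and badge log (not real people or sites).
PEOPLE: dict[str, Person] = {
    "B-1001": Person("A. Smith", "staff", cleared=True, need_to_access=frozenset({3, 4})),
    "B-1002": Person("J. Lee", "contractor", cleared=False, need_to_access=frozenset({3})),
    "V-0007": Person("Visitor 7", "visitor", cleared=False, need_to_access=frozenset({3})),
}

EVENTS: list[AccessEvent] = [
    AccessEvent("B-1001", zone=4, escorted=False, id_verified=True),   # compliant
    AccessEvent("B-1001", zone=5, escorted=False, id_verified=True),   # no need for Zone 5
    AccessEvent("B-1002", zone=3, escorted=False, id_verified=False),  # ongoing access, no clearance
    AccessEvent("V-0007", zone=3, escorted=False, id_verified=False),  # visitor without escort
    AccessEvent("V-0007", zone=2, escorted=True, id_verified=False),   # compliant
    AccessEvent("B-9999", zone=3, escorted=False, id_verified=False),  # badge not in register
]

if __name__ == "__main__":
    for ev, findings in audit(EVENTS, PEOPLE):
        print(f"badge {ev.badge} in Zone {ev.zone}: {', '.join(findings)}")
```

Run against a real export, the interesting output is not the individual findings but their trend over review periods: a rising count of NO_NEED_TO_ACCESS or UNESCORTED events is exactly the signal the periodic review is meant to surface, and each code maps back to one sentence of the zone rules so the finding can be discussed with the control owner.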
