ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Physical Security

Updated on September 12, 2013

Securing the Physical Environment

Securing the physical environment is a challenge but standards are being created to help with this effort. ISACA's COBIT framework covers the areas of site selection, physical security, controlling physical access, protecting against environmental factors and the proper management of a facility. This lens will provide a checklist of items you should consider when performing a physical environment audit of a location. Remember, you need to be concern with issues that exist outside of the data center.

The nice data center photo is from jaxmac at

Location, Location, Location - Physical Site Selection

It is a good idea to know the risks that exist due to where a building is located and what surrounds it. Can activities at near by businesses affect your operations?

Use Google Earth or a site survey to find out.

  • Where are the nearest fault lines? Have earthquakes ever affected the site?
  • Is the location in a flood zone. What about the 100 year flood zone.
  • What about the frequency of severe weather? Any Tornadoes, frequent lightning or Hurricanes?
  • Can other local business affect your operations, for example a near by stadium might impact your parking.

    Could an accident at one of these companies cause the evacuation of your business?

  • Remember a single location is a single-point-of-failure. Are your critical assets backed up to a geographical separate location which would not affected if a large disaster occurred at the primary location?
  • How far is the location from emergency services (Fire, Hospital, Police)?

Physical Access - Who can get in and how? How do you know? Can you prove it.

The first place to start with physical security is to see who can gain access to the building and is done by performing an site survey.

Is Access to the building/data center controlled?

  • Does the access control provide an access tracking capability (PIN lock, smart card, biometrics)?
  • Can the control be circumvented, for example one person enters code a second person follows the first person inside?
  • Are all entrances controlled by the same mechanism? What methods could be used to bypass this device?
  • If Master Key access exists, does the client know who all has access to the key?
  • Is video surveillance in place? Without video surveillance, master key access will not be tracked. We need to know who accessed the facility if forensic evidence will be collected. Are all entrances monitored by video? Keys might provide a way to avoid video monitoring if all access points are not monitored.
  • Is access by visitors logged? Are escorts required for access by visitors and maintenance?
  • Is all access information controlled by a group external to those accessing the data center? Separation of Duties is a key security concept.
  • Are any foreign nationals on staff? Are extensive background checks run on these employees? Knowing who has physical access is often necessary for government contracts.
  • Are there windows within the Data Center that are accessible from non controlled areas? Is security glass used for windows? Are door handles within reach if a window is compromised? Are windows covered (blinds, curtains, etc.)? Learn what equipment exists. Window Surf.
  • Can an intruder gain access to the data center from under the floor? Can an intruder gain access to the data center from the ceiling? Are there any gaps under the door. A DarkReading article noted that 1/4 inch copper tubing can be molded to fit under a door and used to move the handle from the inside.
  • Are door hinges internal or external to the data center? Could the hinges be popped out and door removed?
  • Is the data center a shared facility? Are locking cabinets used? Does the provider log all center access?
  • How is off hours physical access tracked and does your security posture change during the day?

Equipment - Inventory and configuration

Do you know where your hardware is? Are your hardware assets controlled by an inventory tracking system? Are media devices enabled on servers that might enable data to be taken?

  • Are processes in place to track the addition and removal of equipment? Inventory management is crucial.
  • Do systems contain ports (USB, Firewire) or devices which can be used to created media (USB, DVD/RW) and move data?
  • Are drives wiped before equipment is excised? Is the same process used when drives fail and have to be replaced by vendors?
  • Is backup media secured both on site and at an external location? Are backups encrypted? Are backups transported off site securely? Is access to backup media tracked?

Environmental Concerns

  • Are humidity and temperature controls in place? Is a fail over system in place? Are smoke detectors used? Are they on the ceiling? Are they under the floor?
  • If the suppression system is a sprinkler system, are plastic sheets within the center that could be used to protect equipment if someone was in the data center when the system triggered?
  • Are fire extinguishers available? Are they the appropriate type? Are they expired? Are fire extinguisher location indicators (signs) visible?
  • What is the volume of combustibles within the data center? If a fire started these material might make the situation worse. Could a fire inspection be failed resulting in a order to shutdown the data center or building?
  • Are water sensors in place to warn of flooding by high water levels or an overactive HVAC unit?
  • Are uninterruptible Power Supplies used? How long can they provide support? Do they include alarms for when a battery fails? How often is the system tested and are records kept?
  • Are backup power generators available? How long can the generators provide support? Are generators caged? There has been a string of thefts related to criminals stealing copper and other valuable metals.
  • Are there any other ways for someone to remove power from critical devices (breaker boxes, etc.) that might be external to the data center?
  • Is the data center raised floor of a sufficient height?
  • Is cable management systems used in racks and under floor.

The Most Important Thing to Remember

Your employees are a key asset, keep your data centers safe.

Safety - Employees are an important company assets.

Could the facility be shutdown for failure to comply with health or safety standards?

  • Is a cable management system used and no cables are hanging low or run across the floor?
  • Does emergency lighting exist in case of power loss?
  • Are exits clear and properly marked?
  • Are exits free from obstruction? Note the combustible issue mentioned above.
  • What is the noise level within the data center? If it exceeds OSHA standard 1910.95, are signs posted at entrances?
  • Does the center have emergency power cut off switches available? Are switches available at all exits? Are they clearly marked and of the type which prevents them from being accidental bumped?

Facilities Management - Cobit 4.1 reminds us of this issue.

Management is crucial because we can prevent outages by controlling on site activities.

  1. Manage HVAC/AC services. Know when the are coming, track their visits and ensure preventative maintenance is up to date.
  2. All building work should be scheduled, logged and controlled.
  3. All vendor access must be tracked and scheduled.
  4. Does management require employee security and safety training?

External Considerations

If you already have a data center be sure to consider external influences, some of which you can control.

  • Is the data center building anonymous? Are there signs indicating a data center is on site? Consider whether being anonymous adds security to the data center.
  • Is the building shared with other businesses? How well do they manage risk?
  • How far is the data center from emergency services? Is the building easy to access? what about the data center?
  • What is the crime rate around the data center's location?
  • Is there adequate exterior lighting and surveillance to deter crime?

Other Concerns

  • Is insurance in place to cover equipment losses? Does the policy require any of the above environmental controls?
  • Is a call list of personel who need to respond to physical security issues maintained?

Prevent Social Engineering - protect information

Ensure you have controls in place to prevent social engineering attacks.

  • Shred your documents either on site or hire out for this service.
  • Do not publish phone lists to your web site that is available to the public.
  • Know that when you publish job opportunities, you are most likely disclosing information about the technologies your company uses by listing the skills you require for a position.

Changes in the Threat Landscape - Times are changing

New activities are taking place which might require additional controls if the risk is considered viable.

Let me know if anything else should be added.

Reader Feedback

    0 of 8192 characters used
    Post Comment

    • profile image


      6 years ago

      A very informative lens and this information is vital, specially to people like me.

      software intallation services

    • profile image


      7 years ago

      Great advice for anyone, from the casual user to a security expert.

    • profile image


      8 years ago

      Thank you for the great post. I have a collection of cables from Safety Cables to computer cables.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)