Locking Down Physical Access Is Key (or Badge) to Security

So much of IT's focus on security is devoted to encrypting data and locking down the perimeter that it's easy to forget that if somebody can just walk into your server room, they can do enough damage to your network to make the Sasser outbreak look like a forgotten password help desk ticket.


Physical security - controlling access to computer rooms and other sensitive areas of your business - is where IT and facilities management meet. Administering ID badges, still the default method for monitoring physical access, clearly falls under the facilities umbrella. However, IT may well be asked to implement IP video monitoring equipment and biometric identification measures.



If your business is looking to implement or improve its physical security measures, be sure to check out the Physical Access Policy, from our partners at Toolkit Cafe. The modifiable Word template is available for free download to IT Business Edge members here in the IT Downloads library.


The 16-point policy assumes your company is serious enough about physical security that 1) you have or will soon implement a global badge system and 2) the same is true for video surveillance, at least in critical areas such as the server room.


Some of the policy's guidelines are pretty common-sense - e.g., don't loan your badge to anybody. Then again, if employees used common sense on a regular basis, you would not need to have so many policies. The template's guidelines do allow for some flexibility; they state that a badge-holder can open the door for someone who they know also has badge access, so long as they stay with that person while they are in the protected area. You may want to evaluate such provisions on a case-by-case basis, depending on how meticulously you want to log comings and goings in your computer rooms.


Other bases covered by the policy include:


  • The Identification Badge System access list must be reviewed at least quarterly.
  • Long-term access to computer rooms must be approved by the IT Department. The request must include the following information at a minimum: name of requestor, name of person needing access, facility, area(s) where access is needed, and explanation of why the access is needed.
  • Physical keys are OK in some circumstances, but be sure to use key templates that cannot be legally duplicated.


While you are in physical security mode, you also might want to check out Paul Mah's recent post about measures to keep your laptops and mobile data safe.
