Remember the example about additional layers of control and protection for projects handling bank data? What I was indirectly referring to was access to physical facilities such as office buildings, computers, etc.
Information Security Management defines the access control policy, and identifies the necessary physical security measures and who should have access to which site (e.g. the data centre). Facilities Management is responsible for enforcing this policy. The major components of physical access control are:
• The installation, maintenance and management of physical access security controls such as locks, barriers and surveillance equipment
• Monitoring of physical access to protected areas
• Physical security staffing
• Maintenance of floor plans showing areas of restricted access and the relevant security controls
One of the most common means of breaching physical security is ‘social engineering’: a rather grandiose term that usually refers simply to talking your way into a secure facility (e.g. by posing as a legitimate contractor, posing as someone else, or simply following a legitimate person through an open door, known as tailgating). For this reason, physical access must not only be controlled appropriately but also continually monitored, so that such breaches can be detected and the security controls improved. This activity can also be considered a subset of the Access Control Management process group.