Physical Facility Access Policy Best Practices | A SOC 2 Primer


Physical security is not just a concern for large companies. A small business also needs an established physical security policy to protect its physical assets and give its employees a sense of protection and safety.

In this policy, you will define the controls, monitoring, and removal of physical access to your company’s facilities. Here are five practices for writing your office physical security policy:

Create an access control system
You need to have a system in place to control who can enter your office space and how. For most small businesses, a physical key or key card access system will suffice. Keep a log of keys, their owners, and when and where the keys are used. If access cards are lost or stolen, deactivate them immediately to avoid misuse. Additionally, make sure any issued keys are returned as part of your employee offboarding/termination procedures.

Secure the office interior/exterior
Before spending too much time and money on information security controls, you need to step back and think about what is practical for your business. If you’re a young company with just a few employees working out of a single room, you probably don’t need a security guard or receptionist. But if you work out of a larger, sprawling complex with many public areas and points of access, more advanced controls such as CCTV cameras around the perimeter might be appropriate.

Inside the structure, additional controls such as alarms, motion sensors, and glass-break sensors are common as well. If your office has additional sensitive areas, such as a datacenter, it may make sense to install additional layers of physical security. These layers might include a key card system that provides physical protection by granting access only to members of your IT/security teams. At a minimum, create a sign-in/out log to track employees who access these secure areas.

Control staff and contractor access
Your full-time staff members will already have access to the building through your chosen access system, but you may also need to use this system for part-time staff and contractors. In these cases, any temporary employees should have access that is pre-configured to expire on the last day of employment. Better yet, they should be formally off-boarded by a member of HR, who would also collect any access keys at that time. Additionally, these part-time employees should wear ID badges/passes that clearly indicate their access to the building is temporary.

Guest/visitor access
At your building’s main access points, have a sign-in sheet for all guests and visitors. This sheet should include fields for the visitor’s name and company, as well as check-in/out times. Visitors should also wear badges that clearly distinguish them from regular staff, so that they stand out to everyone in the office. Badges, if not tracked carefully, can often end up walking right out the door. Consider using temporary sticker badges that expire after about eight hours, either by changing color or by gradually overwriting the badge with a “VOID” message.

It’s also important that visitors be escorted at all times. This is especially important if they are entering sensitive areas such as your data center or server room. And if the visitor will be exposed to company data while on premises, have them sign an NDA as well. As part of your security awareness training, remind users to ask any unattended visitors for identification or the reason for their visit, and then escort them to the appropriate room or personnel. Users should also immediately report any suspicion of unauthorized access to physical office spaces.

Logs
Just as technical incidents require as much verbose logging detail as possible to get to the bottom of an investigation, the same holds true for physical security. It’s important to keep detailed access logs, such as keys issued (and when they’re used), as well as visitors entering and exiting the premises. You also need to decide how long you will retain footage from video cameras; a common retention period is 90 days. All access logs should be reviewed at least quarterly.

Summary

Many organizations spend much of their time and money on technical protections to guard their most valuable assets and sensitive information. But all those layers of security can be nearly worthless if someone can walk in through your front door and plug a rogue device into your network without being noticed. A good physical security policy will make sure you have the appropriate controls deployed around your perimeter and throughout your office interior, as well as solid guidance on how to securely manage temporary employees and visitors. Finally, the policy will ensure you have the necessary logging information to investigate a physical security incident if needed.
