- 1. Identify your sensitive information and assets
- 2. Review your Access Control measures
- 3. Ensure a robust visitor entry and exit process
- 4. Consider a zoning policy
- 5. Implement a clear desk policy
- 6. Consider obscuration products
- 7. Utilise Tamper Indication products & ensure secure destruction
- 8. Secure your data when travelling
- 9. Follow CPNI’s CAPSS Guidance
- 10. Utilise CPNI’s Catalogue of Security Equipment (CSE)
1. Identify your sensitive information and assets
All organisational assets and systems that are necessary for the delivery of effective operations, or are of specific organisational value (e.g. commercially sensitive information or classified government material), should be identified. These may be: physical items, data stored or transmitted, personnel with specific knowledge/skills, or crowded places requiring protection. Once identified, suitable mitigation methods can be implemented to address the risk of compromise from hostile actors.
Further guidance can be found on the pages relating to Protect sensitive information and assets from creation to verified destruction. | CPNI and Protective Security Risk Management | CPNI.
2. Review your Access Control measures
Access control systems and locks can physically control and audit access to sensitive information and key assets. These systems should be integrated with physical barriers to detect and delay a variety of attacks. Taking the time to monitor and review access rights will provide an up-to-date picture of who has access to your site, uncover employees or visitors that no longer require access (physical and IT account access rights can then be removed), and help identify potential hostile actors.
3. Ensure a robust visitor entry and exit process
This will help to prevent unauthorised personnel accessing your site, reducing the risk of illicit access to sensitive assets and information. The implementation of a search and screening procedure could also identify unauthorised devices (e.g. recordable digital media), mitigate against potential sabotage activities and prevent the removal of sensitive information (hardcopy and/or device) by visitors and/or employees.
The focus of CPNI’s search and screening guidance is on detecting explosives and weapons threats, however the principles of designing and delivering search processes can equally be applied to detect items associated with state actor activity. After personnel have passed through any search and screening procedure, those identified as visitor should be escorted where necessary.
4. Consider a zoning policy
State actors may have the capability to gather information and intelligence by the deployment of technical equipment or surveillance. This may include the installation of eavesdropping devices and interception of mobile telephones. A zoning policy could be implemented in particularly sensitive areas within a building to exclude mobile technologies. Sensitive conversations may also be restricted to certain zones, ensuring they are not overheard by unauthorised personnel.
Organisations should also consider working on a “need to know basis”, physically separating general teams from those undertaking work of a particularly sensitive nature. A similar model can be adopted when considering the level of access staff and visitors may have to data stored on IT systems.
5. Implement a clear desk policy
Implementing something as simple as a clear desk policy can help to secure sensitive information. Ensuring proportionate policies, standards, guidelines and procedures are in place that are understood and consistently enforced can be a simple but effective way to combat the insider threat risk.
6. Consider obscuration products
Obscuration prevents hostile surveillance into a well-lit building, minimising the obstruction to outward visibility, without the need to block windows, or fit opaque shutters.
7. Utilise Tamper Indication products & ensure secure destruction
Tamper indication products can provide physical evidence of unauthorised access to a secure area or object. There are a variety of adhesive and mechanical products available that can be installed to enhance the security of a building, room or container in a variety of scenarios; acting as an overt deterrent and method of detecting access to sensitive information.
Sensitive information should also be destroyed correctly, if not, it could be at risk from insider attack, theft, espionage, and accidental loss. CPNI has produced guidance detailing how the destruction of sensitive items should be undertaken via a secure process.
8. Secure your data when travelling
Organisations should ensure staff are aware that modern cars and other vehicles increasingly make use of external connectivity. Connecting your mobile phone to a car (via USB, Bluetooth or WiFi) can, for example, leads to the phone’s address book data being copied to the vehicle’s system. Consider the potential security implications before connecting your personal and/or work mobile devices to vehicles, particularly hire cars, especially when overseas.
Also consider how sensitive assets and information will be securely stored when travelling. An individual’s communications, hardcopy information and data storage devices in their possession, could be vulnerable to interception or theft by hostile actors.
9. Follow CPNI’s CAPSS Guidance
Cyber Assurance of Physical Security Systems (CAPSS), is about gaining confidence in the "cyber" components of electronic security products which, while robust in the physical security domain, could potentially be compromised by a hacker. CAPSS has been jointly written by NCSC and CPNI leveraging the expertise of both technical authorities. By utilising CAPSS assured products, sites can ensure that their systems are not the "low hanging fruit" within a corporate IT system, allowing a hostile actor to gain entry to the wider corporate network or manipulate and circumvent the physical security systems.
In addition to CAPSS, organisations should ensure staff are aware of the potential vulnerabilities relating to increasingly connected Building Management Systems and Security Systems. Access rights should be regularly reviewed and tightly controlled, with particular attention being paid to remote access (e.g., to allow remote service engineer monitoring or maintenance). All systems should be regularly checked to ensure they are patched.
10. Utilise CPNI’s Catalogue of Security Equipment (CSE)
The CSE is available to help security practitioners identify appropriate physical security equipment, it provides a range of products that have been evaluated against specific CPNI security standards.