Non IT Security

  • A follow up question on physical access controls:
    It was thought that changing physical locks and access codes periodically would be good controls to have as it relates to securing data center assets. We are in the age where physical locks and access codes are not being used for access to data centers. Many places are using magnetic locks that require a card key to be used to gain entrance. The locks are controlled by software that keeps track of doors, door groups, and time frames. For example, by default an employee would be given access to interior doors from 6am to 9pm (this would exclude the data center). Any other access would require justification and approval.
    My question is that the control used to be to ensure that locks or access codes were changed periodically, and that no longer applies. In the new world there is no need for that. So would the new control be ensuring physical access was set up properly in the first place and then monitoring/reviewing who has access to the data center on a periodic basis?

  • Yes. But if you are controlling through software, consider who has access to the software too, and what exactly they can do.
    There needs to be control over issuing and recovery of access devices, as well as procedures to deal with ones that are lost or stolen, or left at home for the day.
    You will need to review the access lists periodically to ensure that they continue to have only the right people. Typically errors will creep in over time, as perhaps a terminated person was not deleted, or a service engineer was granted temporary access that was not revoked.
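A concrete version of the periodic review the reply above describes, added here as an illustration and not part of the thread or of any badge-control product: it reconciles a (constructed) badge-system export against a (constructed) HR roster and flags the drift the reply names, namely terminated people whose badge is still active, temporary grants past their expiry, badges with no roster owner, and grants outside the default "interior doors, 6am to 9pm" window that carry no approval reference. It also checks the configuration itself, so that the default door group cannot quietly include a data-center door. Door-group names, badge IDs, ticket numbers and the export format are all assumptions for the example.

```python
"""Periodic badge-access review (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date, time
from typing import Optional

# Door groups and the doors they open. Names are assumptions for this example.
GROUP_DOORS = {
    "INTERIOR": {"LOBBY", "OFFICE-2F"},
    "DC": {"DC-MAIN", "DC-CAGE-1"},
}
DATA_CENTER_DOORS = {"DC-MAIN", "DC-CAGE-1"}
# The default grant from the thread: interior doors, 06:00 to 21:00.
DEFAULT_GRANT = ("INTERIOR", time(6, 0), time(21, 0))
# Review date (constructed).
AS_OF = date(2024, 3, 1)


@dataclass(frozen=True)
class Person:
    badge_id: str
    name: str
    status: str                      # "active" or "terminated"


@dataclass(frozen=True)
class Grant:
    badge_id: str
    door_group: str
    start: time
    end: time
    expires: Optional[date] = None   # None means standing access
    approval: Optional[str] = None   # ticket/approver for non-default access


# Constructed HR roster.
ROSTER = [
    Person("B1001", "A. Admin", "active"),
    Person("B1002", "T. Gone", "terminated"),
    Person("B2001", "S. Engineer", "active"),
]

# Constructed export from the hypothetical badge-control system.
GRANTS = [
    Grant("B1001", "INTERIOR", time(6, 0), time(21, 0)),                      # default, fine
    Grant("B1001", "DC", time(0, 0), time(23, 59), approval="CHG-0001"),       # approved
    Grant("B1001", "INTERIOR", time(0, 0), time(23, 59)),                     # widened, no approval
    Grant("B1002", "INTERIOR", time(6, 0), time(21, 0)),                      # terminated, not revoked
    Grant("B2001", "DC", time(8, 0), time(18, 0), date(2024, 1, 15), "CHG-0002"),  # temporary, expired
    Grant("B2001", "INTERIOR", time(6, 0), time(21, 0)),                      # default, fine
    Grant("B3000", "INTERIOR", time(6, 0), time(21, 0)),                      # no roster owner
]


def is_default(g: Grant) -> bool:
    """True when the grant is exactly the default interior-doors window."""
    return (g.door_group, g.start, g.end) == DEFAULT_GRANT


def review(roster, grants, group_doors, today):
    """Return sorted (finding, badge_or_group, detail) tuples for an access review."""
    by_badge = {p.badge_id: p for p in roster}
    findings = []
    for g in grants:
        person = by_badge.get(g.badge_id)
        if person is None:
            # Badge exists in the door system but nobody on the roster owns it.
            findings.append(("unknown_badge", g.badge_id, g.door_group))
        elif person.status == "terminated":
            # Termination happened but the door-system entry was never deleted.
            findings.append(("terminated_not_revoked", g.badge_id, g.door_group))
        if g.expires is not None and g.expires < today:
            # Temporary access (e.g. a service engineer) left in place past its end date.
            findings.append(("temporary_grant_expired", g.badge_id, g.door_group))
        if not is_default(g) and not g.approval:
            # Anything beyond the default window must carry a justification/approval.
            findings.append(("non_default_without_approval", g.badge_id, g.door_group))
    # Configuration check: the default group must never open data-center doors.
    leaked = group_doors.get(DEFAULT_GRANT[0], set()) & DATA_CENTER_DOORS
    if leaked:
        findings.append(("default_group_opens_data_center", DEFAULT_GRANT[0], ",".join(sorted(leaked))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(ROSTER, GRANTS, GROUP_DOORS, AS_OF):
        print(*finding)
```

Run on a schedule against a fresh export and have each finding closed with either a revocation or a recorded approval; the "unknown badge" case is where lost, stolen or unrecovered cards tend to surface.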

  • Which control do you think is most important as far as the primary control to ensure physical access is revoked for terminating employees?

    1. Collecting the card key/badge of an employee that is terminating employment
    2. Deleting badge access out of the system

    Both need to be done; however, from a timing perspective deleting badge access from the system may not happen at exactly the precise moment the employee leaves the building.

  • Not a SOX obligation, but a good security issue.
    It depends on the sensitivity of your environment.
    In very sensitive environments we first delete badge access out of the system and change logical access permissions and rights to the system, and after that we let the employee learn about the termination 8O
    In most environments: I suggest first to collect the card key/badge of an employee that is terminating employment and then to delete badge access out of the system. Provided that there is a good security team in place, it works efficiently.
