Physical and Environmental Security
It is important to understand that the objectives of
physical access controls may be in conflict with
Simply stated, life safety
focuses on providing easy exit from a facility,
particularly in an emergency, while physical
security strives to control entry.
In general, life
safety must be given first consideration, but it is
usually possible to achieve an effective balance
between the two goals.
For example, it is often possible to equip
emergency exit doors with a time delay.
one pushes on the panic bar, a loud alarm sounds,
and the door is released after a brief delay.
expectation is that people will be deterred from
using such exits improperly, but will not be
significantly endangered during an emergency
There are many types of physical access controls,
including badges, memory cards, guards, keys,
true-floor-to-true-ceiling wall construction, fences,
Physical Access Controls
Physical access controls restrict the entry and
exit of personnel (and often equipment and
media) from an area, such as an office
building, suite, data center, or room
containing a LAN server.
The controls over physical access to the
elements of a system can include controlled
areas, barriers that isolate each area, entry
points in the barriers, and screening measures
at each of the entry points.
In addition, staff
members who work in a restricted area serve
an important role in providing physical
security, as they can be trained to challenge
people they do not recognize.
Physical access controls should address not
only the area containing system hardware, but
also locations of wiring used to connect
elements of the system, the electric power
service, the air conditioning and heating plant,
telephone and data lines, backup media and source documents, and any other elements required
This means that all the areas in the building(s) that contain system elements
must be identified.
It is also important to review the effectiveness
of physical access controls in each area, both
during normal business hours, and at other
particularly when an area may be
Effectiveness depends on both
the characteristics of the control devices used
(e.g., keycard-controlled doors) and the
implementation and operation.
Statements to the effect that "only authorized persons may enter
this area" are not particularly effective.
Organizations should determine whether intruders can
easily defeat the controls, the extent to which strangers are challenged, and the effectiveness of
other control procedures.
Factors like these modify the effectiveness of physical controls.
The feasibility of surreptitious entry also needs to be considered.