You spend all of your time carefully configuring all of your technology and network to make it as difficult as possible for an attacker to compromise you… only for your penetration tester to walk in your front door and walk out with three laptops and a hard drive filled with your confidential data.
This is more likely than you might think:
Your hard-fought cybersecurity efforts are worth very little if an attacker can physically get their hands on your environment.
First, why does physical security matter for cybersecurity?
Physical security is a deeply important element for cybersecurity because data is ultimately stored on physical devices such as hardware and other equipment. Physical security is required to protect that data.
If an attacker is able to physically gain access to any of this equipment, they may be able to steal or damage it, compromising the information or disrupting normal system operations. An attacker with physical access to a system can also install malware or perform other malicious actions to compromise the network or system.
SOC 2 Physical Security Requirements
SOC 2 requires that measures are taken to protect the physical access to the organization’s systems and facilities. Physical security is specifically addressed in CC6.4 of the AICPA’s official documentation.
“The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.”
Other SOC 2 requirements that are not necessarily addressed in CC6.4’s physical access control but are still related to physical security are:
Environmental controls: Maintain appropriate temperature, humidity, and power levels to protect equipment from damage.
Backup and disaster recovery: Implement backup and disaster recovery procedures to protect data and systems in the event of a physical incident.
Maintenance and repair: Perform regular maintenance and repair of equipment and facilities to ensure they are in good working condition.
You must meet these specific objectives to be in compliance with SOC 2’s physical security requirements. Because of SOC 2’s customizability, there is no specific mix of controls you have to use, as long as you prove to the auditor that you are meeting these objectives relative to your needs.
Rented or coworking office spaces will require different protections than companies that own their space or companies that are entirely remote. In-house data centers require extra attention too. Ultimately, the controls a company picks will depend on what its particular mix of physical space requires, but there are some commonly seen controls used to meet the SOC 2 physical security requirements. They include:
Secure facility design and construction, such as perimeter fencing, secure entrances, and surveillance cameras
Access controls to limit who can enter the facility and specific areas within it, such as security badges or biometric authentication
Surveillance and monitoring systems to detect and respond to unauthorized access or suspicious activity
Physical security incident response procedures to handle security breaches or other physical security incidents
Regular security assessments and testing to identify vulnerabilities and ensure that physical security controls are effective
A clean desk policy that requires employees to clear their desks at the end of each work day, so that all workstations are locked and any other physical devices or papers containing sensitive information are stored in a secure area
Regular security training for employees to ensure they understand and follow physical security policies and procedures
How these controls are implemented is, again, entirely up to each business.
How to meet the SOC 2 physical security requirements
Let’s take a look at a couple of different companies and the control mix they use to meet the SOC 2 physical security requirements.
Sydney’s SaaS Startup
Sydney’s SaaS Startup employs 45 people. It has a physical office space, but all of the employees use laptops. They also use a lot of cloud services and don’t host any of their own servers.
In this situation, a large portion of the physical security risks are transferred to the cloud vendors. Physical security of the office space is less critical, but still needs to be considered. Sydney’s startup should:
Have a solid vendor management program in place to ensure their cloud vendors have appropriate physical security practices.
Emphasize laptop security controls, such as an MDM solution with remote wipe capabilities and centralized management to enforce logical controls.
Monitor and control access to the office space.
Have a clean desk policy in place.
Provide a guest network that is segregated from any internal networks.
Keep any networking equipment in a secured area.
Include physical security components in employee security training and incident response – like not holding the office door open for people you do not recognize or who do not have a badge!
Carl’s Consulting Company
Carl’s Consulting Company employs 15 people and is an entirely remote business. It is a Bring Your Own Device (BYOD) company, so all employees use their own computers to work. There is no physical office, but they do use AWS and Google Workspace.
In this case, CC6.4’s physical security requirements are most likely not applicable. Responsibility for physical facility and hardware security is transferred to AWS, Google, and the employees. The focus shifts to how the business manages and secures its remote employees.
Employee security training should still include physical security components such as a clean desk policy.
Ernie’s Enterprise
Ernie’s Enterprise has approximately 750 employees who use company-issued desktops and laptops. They work in three office spaces in three cities: Boston, Austin, and San Francisco. Ernie’s Enterprise also has its own physical data center in Austin.
Ernie’s Enterprise would want to do the following to comply with SOC 2:
Perimeter security such as fencing and gates, at least for the Austin location that houses the data center
Access controls to limit who can enter each facility and specific areas within it, such as security badges or biometric authentication
The data center, as well as any other server rooms or networking equipment, should be in secure areas protected by the most robust access control mechanisms
Surveillance and monitoring systems should be used to detect and respond to unauthorized access or suspicious activity
Appropriate environmental controls should be in place for each location, particularly the data center in Austin
Maintenance and repair plans for all equipment should be addressed
A business continuity and disaster recovery plan should be in place for all locations, with emphasis on areas that are business-critical such as the data center
A guest network should be provided and segregated from any internal networks. Any networking equipment should be in a secured area
A clean desk policy should be in place
Employee security training and incident response should include physical security components
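The surveillance and monitoring controls above (and the badge-based access controls listed earlier) produce badge-reader logs, and those logs are only useful if someone actually looks for suspicious patterns in them. The script below is an added example, not code from the original post or from any SOC 2 tooling: it parses a constructed, hypothetical badge log in an assumed `timestamp,badge_id,door,result` CSV layout and flags three patterns a physical security incident response procedure would want surfaced: repeated denials at a restricted door (someone probing the data center entrance), the same badge granted entry at two different sites too close together to be plausible (a cloned or shared badge), and granted entry outside the assumed business-hours window. The door names, site prefixes, thresholds and hours are all assumptions for illustration.

```python
"""Added example: surface suspicious events in badge-reader access logs.

All log lines below are constructed for illustration; the CSV layout
(timestamp,badge_id,door,result) and the door naming scheme
(<site>-<door>) are assumptions, not a real vendor format.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample badge-reader log, one event per line (assumed format).
SAMPLE_LOG = """\
2024-03-04T08:55:12,B1001,austin-lobby,granted
2024-03-04T08:57:40,B1001,austin-dc-door,denied
2024-03-04T08:58:02,B1001,austin-dc-door,denied
2024-03-04T08:58:30,B1001,austin-dc-door,denied
2024-03-04T09:02:11,B2002,austin-dc-door,granted
2024-03-04T23:41:05,B3003,boston-lobby,granted
2024-03-04T09:10:00,B2002,boston-lobby,granted
"""

# Assumed policy parameters; tune these to the organization's own policy.
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # granted entry outside this window is flagged
DENIED_THRESHOLD = 3                          # this many denials at one restricted door
SENSITIVE_DOORS = {"austin-dc-door"}          # doors guarding data center / server rooms
MIN_SITE_TRAVEL = timedelta(hours=2)          # two sites within this gap is implausible


def parse_log(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "door": door,
            "site": door.split("-")[0],   # site prefix, e.g. "austin"
            "result": result,
        })
    return events


def find_anomalies(events):
    """Return (alert_type, badge_id, door) tuples in chronological order."""
    alerts = []
    denied = defaultdict(int)   # (badge, door) -> denial count
    last_granted = {}           # badge -> (site, timestamp) of last successful entry

    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "granted":
            t = e["ts"].time()
            if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
                alerts.append(("after_hours", e["badge"], e["door"]))
            if e["badge"] in last_granted:
                prev_site, prev_ts = last_granted[e["badge"]]
                # Same badge at two different sites within the travel window:
                # likely a cloned, shared or stolen badge.
                if prev_site != e["site"] and e["ts"] - prev_ts < MIN_SITE_TRAVEL:
                    alerts.append(("impossible_travel", e["badge"], e["door"]))
            last_granted[e["badge"]] = (e["site"], e["ts"])
        else:
            key = (e["badge"], e["door"])
            denied[key] += 1
            # Alert once, when the threshold is first reached at a restricted door.
            if denied[key] == DENIED_THRESHOLD and e["door"] in SENSITIVE_DOORS:
                alerts.append(("repeated_denial", e["badge"], e["door"]))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log this reports B1001 repeatedly denied at the data center door, B2002 granted in Austin and then Boston eight minutes apart, and B3003 entering Boston late at night. In practice the same three checks would run against the access control system's export on a schedule, with the alerts routed into the incident response procedure the post calls for rather than printed.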
Physical Security Best Practices
No matter what your specific situation is, it’s worth following some physical security best practices:
Perimeter security: Use physical barriers such as fencing and gates to limit access to the facility and deter intruders.
Physical security monitoring: Use security measures such as security cameras, alarms, and locks to control and monitor access to the facility.
Protect sensitive data: Layer additional access control measures to protect areas within the facility containing servers and other equipment storing sensitive data.
Physical security incident response: Create procedures for dealing with natural disasters, fires, and other emergencies.
Physical security control testing: Regularly test the effectiveness of the physical security controls and address any identified issues or vulnerabilities.
Foster a security-minded culture: Educate employees about the importance of physical security.
If you’re a smaller business renting an office space, you should evaluate the office building’s physical security practices. Do they require badges to access the building? Do they have security cameras and a guard to watch them? Is their networking equipment in a secured area? You should not pick an office space that obviously does not care about its own, and by extension your, physical security!
The word “cyber” makes people think of another, digital world hardly connected to our own. But ultimately, all of the data that we work to protect every day is physically stored somewhere.
To ignore physical security is to overlook a very serious attack vector, so it makes sense that SOC 2 pays attention to it.
Thankfully, meeting the objective isn’t that hard for most organizations. Control access to your physical spaces, and train employees well, and you’re well on your way to complying with the standard.