
physical security and governance

We have an on-site visit next week with a service provider who collects our redundant IT kit and takes it to their base for destruction and/or recycling. We are going to their premises on the other side of our city.

I could do with a thorough checklist of controls that must be in place to ensure our drives cannot go missing. Plus any logs I can go through that should be in place.

If anyone can provide such a thing, that would be much appreciated. Or, if you have done any assessment of partners'/suppliers' physical sites for your work, any such checklist you went through (plus any common weaknesses).

PS - as a bit of a side issue: in your companies, aside from when a device is classed as redundant (i.e. scrap this machine and wipe the drive), what other business examples are there where your data, in whatever form, goes "offsite"?

It's actually quite hard to be certain any third party does what they say; the important thing is trust. But you should back this up. Going on a site visit to ensure they do what they say is an excellent starting point. If they use a full vehicle or container(s) to take away your devices, you might consider using one-time tags on the boxes (something like http://www.novavisioninc.com/pages/prd_plastic_seals.html) so you know the box isn't tampered with between leaving you and arriving at the destruction place.
Certification is important - see if the organisation has any relevant WEEE or ISO certification.
Retain the right to a site visit at any time (with reasonable notice).
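To turn the seal-and-manifest idea above into something you can actually check on the day, the script below reconciles three records: the manifest you wrote at pickup (box, seal number, drive serials), the vendor's goods-in receipt (seal number seen, seal intact or not) and the serials on the certificate of destruction. This is an added example, not code from the original thread or from any vendor; the box IDs, seal numbers, serials and field names are constructed sample data.

```python
"""Reconcile a drive pickup manifest against the disposal vendor's goods-in
receipt and certificate of destruction.

Added example, not from the original thread. All box IDs, seal numbers,
drive serials and field names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Box:
    box_id: str
    seal_no: str                 # one-time tamper-evident seal applied at pickup
    serials: set = field(default_factory=set)


# Constructed: what we recorded at handover, before the van left our site.
PICKUP_MANIFEST = [
    Box("BOX-01", "SEAL-1001", {"WD-AAA111", "WD-AAA112", "ST-BBB201"}),
    Box("BOX-02", "SEAL-1002", {"ST-BBB202", "ST-BBB203"}),
]

# Constructed: what the vendor's receiving clerk signed for on arrival.
# seal_intact records whether the seal number matched and showed no tampering.
GOODS_IN_RECEIPT = {
    "BOX-01": {"seal_no": "SEAL-1001", "seal_intact": True},
    "BOX-02": {"seal_no": "SEAL-1002", "seal_intact": False},
}

# Constructed: serials listed on the certificate of destruction we got back.
DESTRUCTION_CERTIFICATE = {"WD-AAA111", "WD-AAA112", "ST-BBB202", "XX-UNKNOWN9"}


def reconcile(manifest, receipt, certificate):
    """Return the discrepancies a practitioner should chase up with the vendor."""
    expected = set().union(*(box.serials for box in manifest))
    findings = {
        # Left our site but never certified destroyed: the "missing drive" case.
        "not_certified": sorted(expected - certificate),
        # Certified destroyed but never on our manifest: the vendor is mixing
        # customers' records or transcribing serials wrongly.
        "unexpected_on_certificate": sorted(certificate - expected),
        "seal_problems": [],
    }
    for box in manifest:
        rec = receipt.get(box.box_id)
        if rec is None:
            findings["seal_problems"].append((box.box_id, "no goods-in record"))
        elif rec["seal_no"] != box.seal_no:
            findings["seal_problems"].append((box.box_id, "seal number mismatch"))
        elif not rec["seal_intact"]:
            findings["seal_problems"].append((box.box_id, "seal not intact on arrival"))
    return findings


if __name__ == "__main__":
    for key, value in reconcile(PICKUP_MANIFEST, GOODS_IN_RECEIPT,
                                DESTRUCTION_CERTIFICATE).items():
        print(f"{key}: {value}")
```

The value of the exercise is in the three sets being recorded by different people at different times: you record serials and seals, the vendor's clerk records the seal state, and the destruction operator records what was shredded. Any drive that appears in the first record but not the last, or any seal that arrives broken, is the question to put to the vendor on the visit.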


Thanks liddler - are there any good checklists of all physical security that you are aware of, which we can run through with them and try to get some evidence to see they are sticking to what they say?

The best thing I'd look at is ISO 27001 or PCI DSS; there are plenty of resources about, some free, some charged.

For any security, including physical, always look at minimum access - if they don't need to go through that door, their badge shouldn't work.
Auditing - CCTV, signatures at security, sign-off sheets for the shredding machine, etc. - even go and visit the dump to see they are only dumping shredded material, if that's appropriate.
If they have internal or external audit, ask for evidence that they passed audit.


Is it common for companies to do a risk assessment before sending your data/hardware to a third party for whatever, i.e. recycling, wiping, processing, troubleshooting? Or a BIA?

I would say the "best practice" is to do an Impact Assessment on any change to any system or process. An Impact Assessment should include risks. In an ideal world, every single change goes through a change management procedure, which will include impact and risk assessment.
Certainly changing or engaging a new third-party provider constitutes a major change, and risks should be assessed as part of the change, or even the initial business case.


>>For any security, including physical, always look at minimum access -if they don't need to go through that door, their badge shouldn't work

What kind of physical security systems can implement this kind of control? What are they called, so I can research further? It's sort of an ACL for humans: if this user only needs access to floor 1, the dongle shouldn't work when trying to access other rooms controlled by the same swipe system.

is a good place to start.

Yes, your card should allow you access only to the rooms that you need to access.
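The "ACL for humans" in the question maps directly onto the access-group-to-door table that a physical access control system holds, and the audit logs the original poster asked about are the swipe event log from the same system. The script below models both, as an added example that is not from the original thread or from any particular access control product: a default-deny policy (badge → group → permitted doors), and an audit that replays a constructed swipe log against that policy to list denied attempts and, more usefully, any swipe the controller granted that the written policy says it should not have. Door names, badge IDs, groups and the log lines are constructed sample data.

```python
"""Least-privilege badge access and a swipe-log audit.

Added example, not from the original thread or any access control product.
Doors, groups, badge IDs and the swipe log are constructed sample data.
"""
from datetime import datetime

# Constructed: which doors each access group may open. Anything not listed is denied.
GROUP_DOORS = {
    "office-staff":  {"main-entrance", "floor-1"},
    "it-ops":        {"main-entrance", "floor-1", "server-room"},
    "disposal-crew": {"main-entrance", "loading-bay", "secure-store"},
}

# Constructed: badge -> access group. One group per badge keeps the policy reviewable.
BADGES = {
    "B-100": "office-staff",
    "B-200": "it-ops",
    "B-300": "disposal-crew",
}


def is_permitted(badge_id, door):
    """Policy decision. An unknown badge or an unlisted door both deny."""
    group = BADGES.get(badge_id)
    return door in GROUP_DOORS.get(group, set())


# Constructed sample swipe log: timestamp, badge, door, what the controller did.
SWIPE_LOG = """\
2024-03-04T08:02:11 B-100 main-entrance GRANTED
2024-03-04T08:05:40 B-100 server-room DENIED
2024-03-04T08:07:02 B-200 server-room GRANTED
2024-03-04T09:15:33 B-300 secure-store GRANTED
2024-03-04T09:16:10 B-300 server-room GRANTED
2024-03-04T09:20:00 B-999 loading-bay DENIED
"""


def audit(log_text):
    """Replay the swipe log against policy.

    Returns (denied, mismatches): denied attempts are worth reviewing for
    probing; mismatches are swipes where the controller's result differs
    from the written policy, e.g. a door left on an over-broad schedule or
    extra privileges pushed straight to the controller.
    """
    denied, mismatches = [], []
    for line in log_text.splitlines():
        ts, badge, door, result = line.split()
        datetime.fromisoformat(ts)  # reject malformed timestamps early
        expected = "GRANTED" if is_permitted(badge, door) else "DENIED"
        if result == "DENIED":
            denied.append((ts, badge, door))
        if result != expected:
            mismatches.append((ts, badge, door, result, expected))
    return denied, mismatches


if __name__ == "__main__":
    denied, mismatches = audit(SWIPE_LOG)
    print("denied attempts:")
    for event in denied:
        print("  ", *event)
    print("policy/controller mismatches:")
    for event in mismatches:
        print("  ", *event)
```

In the sample log the disposal crew's badge opens the server room even though their group does not include it; that mismatch, rather than the two straightforward denials, is the finding you would raise on a site visit, because it shows the controller's live configuration has drifted from the policy the vendor shows you on paper.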
