Pau Lo

asked on

physical security and governance

We have an on-site visit next week with a service provider who collects our redundant IT kit and takes it to their base for destruction and/or recycling. We are going to their premises on the other side of our city.

I could do with a thorough checklist of controls that must be in place to ensure our drives cannot go missing, plus any logs that should be in place that I can go through.

If anyone can provide such a checklist, that would be much appreciated. Or, if you have done any assessment of partners'/suppliers' physical sites for your work, any checklist you went through (plus any common weaknesses).

PS - as a bit of a side issue: in your companies, aside from when a device is classed as redundant (i.e. scrap this machine and wipe the drive), what other business examples are there where your data, in whatever form, goes "offsite"?
ASKER CERTIFIED SOLUTION
liddler
Pau Lo

ASKER

Thanks liddler. Are there any good checklists covering all of physical security that you are aware of, that we can run through with them and try to get some evidence to see they are sticking to what they say?
The best thing I'd look at is ISO 27001 or PCI DSS; there are plenty of resources about, some free, some charged for.

For any security, including physical, always look at minimum access: if they don't need to go through that door, their badge shouldn't work.
Auditing: CCTV, signatures at security, sign-off sheets for the shredding machine, etc. Even go and visit the dump to see they are only dumping shredded material, if that's appropriate.
If they have internal or external audit, ask for evidence that they passed audit.
Pau Lo

ASKER

Is it common for companies to do a risk assessment before sending your data/hardware to a 3rd party for whatever reason, i.e. recycling, wiping, processing, troubleshooting? Or a BIA?
I would say the "best practice" is to do an Impact Assessment on any change to any system or process. An Impact Assessment should include risks. In an ideal world, every single change goes through a change management procedure, which will include impact and risk assessment.
Certainly changing or engaging a new third-party provider constitutes a major change, and risks should be assessed as part of the change, or even the initial business case.
Pau Lo

ASKER

>>For any security, including physical, always look at minimum access: if they don't need to go through that door, their badge shouldn't work.

What kind of physical security systems can implement this kind of control? What are they called, so I can research further? It's sort of an ACL for humans: if this user only needs access to floor 1, the dongle shouldn't work when trying to access other rooms controlled by the same swipe system.
https://secure.wikimedia.org/wikipedia/en/wiki/ISO/IEC_14443
is a good place to start.

Yes, your card should allow you access only to the rooms that you need to access.
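A small model of the "ACL for humans" discussed above, added here as an example that is not part of this thread or of any vendor's access-control product: a deny-by-default badge-to-door entitlement table, plus a review of the swipe log of the kind the asker wants to go through on a site visit. The badge IDs, door names and log lines are constructed.

```python
from collections import defaultdict

# Constructed entitlement table: badge -> set of doors it may open.
# Anything not listed is denied (minimum access: no entitlement, no door).
BADGE_POLICY = {
    "B-1001": {"lobby", "floor1"},                                # floor-1 staff
    "B-2002": {"lobby", "floor1", "server-room", "shred-bay"},   # destruction technician
}

def authorise(badge: str, door: str, policy=BADGE_POLICY) -> bool:
    """Deny by default: unknown badges and unlisted doors never open."""
    return door in policy.get(badge, set())

def parse_log(lines):
    """Parse constructed swipe-log lines of the form 'time badge door result'."""
    events = []
    for line in lines:
        ts, badge, door, result = line.split()
        events.append({"ts": ts, "badge": badge, "door": door, "result": result})
    return events

def review_log(lines, policy=BADGE_POLICY):
    """Findings worth following up on a site visit:
    'policy_mismatch' = the controller granted a door the policy does not allow;
    'probing' = a badge denied at two or more distinct doors it is not entitled to."""
    findings = []
    denied_doors = defaultdict(set)
    for ev in parse_log(lines):
        allowed = authorise(ev["badge"], ev["door"], policy)
        if ev["result"] == "GRANTED" and not allowed:
            findings.append(("policy_mismatch", ev["badge"], ev["door"]))
        elif ev["result"] == "DENIED" and not allowed:
            denied_doors[ev["badge"]].add(ev["door"])
    for badge, doors in denied_doors.items():
        if len(doors) >= 2:
            findings.append(("probing", badge, ",".join(sorted(doors))))
    return findings

SAMPLE_LOG = [  # constructed sample, not real data
    "09:00:01 B-1001 lobby GRANTED",
    "09:00:40 B-1001 server-room DENIED",
    "09:01:10 B-1001 shred-bay DENIED",
    "09:05:00 B-2002 shred-bay GRANTED",
    "09:07:30 B-9999 server-room GRANTED",   # badge unknown to the policy, yet let in
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Comparing the controller's own "GRANTED" decisions against the written entitlement table is the evidence check: a mismatch means either the policy document or the controller configuration is wrong.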