I'm setting up a remote office. All of the staff will be new to us. We will hire a security guard, but realistically he could be easily bribed. The office is in a 2nd world country so no matter how much we pay our employees, the value of the data on our servers and workstations there is worth many, many years of employment. Temptation will be high. The court system does not favour foreign companies.
For physical security, I plan to have the servers locked in a steel bar cage. Desktops will be physically locked, but of course anyone with a torch can get around these restrictions. 24/7 security guard, but again, bribery is an issue.
For software security I plan to use Windows 7 PCs with Bitlocker whole drive encryption and Network Unlock. There will be Windows 2012R2 servers The PCs are Dell T1700 with TPM and UEFI. Servers are Dell T410 with TPM (not sure about UEFI).
There will be no printers. No internet access to the desktop VLAN, only the Server VLAN and the MACs will be linked to the ports with switchpower security. DHCP with static IPs. There will be a site-to-site VPN from the servers to our global network. USB will be disabled from Group Policy. I will run Websense Data Security (DLP). BIOS will be locked, only a single drive will be permitted. No DVDRW.
I'm concerned if the servers get stolen and someone is able to reset the local account. Then take ownership of the Hyper-V servers and grab the files from there. I'd like to encrypt the physical server hard drives with Bitlocker, but I don't think Network Unlock is an option if both servers go down. I cannot trust a local user with a password or USB to unlock the drive.
What should I be doing here? Missing anything? Can you suggest something? I'm open to anyone's thoughts.