CISSP Restricted and Work Area Security – Bk1D3T11St6

Work area security must be designed in response to a risk assessment (including threat modeling) and in accordance with security principles and the appropriate controls to mitigate risk. The considerations to be addressed include least privilege, need-to-know, separation of duties, dual control, defense in depth, and compliance obligations. This is especially important in the context of implementing facility security controls. No other facet of site security controls more directly affects the people of an organization.

Least Privilege and Need-to-Know

Access to restricted and secure areas must be granted only to the extent necessary for individuals to carry out their responsibilities, in accordance with formally approved policies and procedures. Access also must be periodically reviewed to ensure that the justification for access has not changed. Furthermore, detailed auditable records attesting to the above must be maintained.
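The periodic review and auditable records described above can be mechanized. The following is an added example, not part of the CISSP text: it checks each standing access grant against an assumed zone policy (which roles may hold access to which area), flags grants whose holder has left the roster or whose review is overdue, and emits one audit record per grant. The zone names, roles, review interval and grants are constructed for the demonstration.

```python
"""Periodic review of restricted-area access grants (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy parameter: every grant must be re-justified within this interval.
REVIEW_INTERVAL = timedelta(days=90)

# Assumed zone policy: roles permitted to hold standing access to each zone.
ZONE_ALLOWED_ROLES = {
    "server-room": {"datacenter-ops", "facilities"},
    "lab-3": {"research"},
}


@dataclass(frozen=True)
class Grant:
    person: str
    zone: str
    justification: str
    approved_by: str
    last_reviewed: date


# Constructed roster (person -> current role) and grants for the demonstration.
ROSTER = {"alice": "datacenter-ops", "bob": "research", "carol": "finance"}

GRANTS = [
    Grant("alice", "server-room", "rack maintenance", "mgr-ops", date(2024, 3, 1)),
    Grant("bob", "lab-3", "project X", "mgr-research", date(2024, 1, 10)),
    Grant("carol", "server-room", "audit visit", "mgr-ops", date(2024, 3, 15)),
    Grant("dave", "lab-3", "contractor", "mgr-research", date(2024, 3, 20)),
]


def review_grants(grants, roster, today):
    """Return (findings, audit_records).

    findings: (person, zone, reasons) for grants needing revocation or re-justification.
    audit_records: one dict per grant, suitable for writing out as the review's evidence.
    """
    findings = []
    records = []
    for g in grants:
        reasons = []
        role = roster.get(g.person)
        if role is None:
            reasons.append("holder not on current roster")
        elif role not in ZONE_ALLOWED_ROLES.get(g.zone, set()):
            reasons.append(f"role '{role}' not permitted in zone '{g.zone}'")
        if today - g.last_reviewed > REVIEW_INTERVAL:
            reasons.append("review overdue")
        status = "ok" if not reasons else "action-required"
        records.append({
            "person": g.person,
            "zone": g.zone,
            "justification": g.justification,
            "approved_by": g.approved_by,
            "reviewed_on": today.isoformat(),
            "status": status,
            "reasons": reasons,
        })
        if reasons:
            findings.append((g.person, g.zone, reasons))
    return findings, records


if __name__ == "__main__":
    found, recs = review_grants(GRANTS, ROSTER, date(2024, 4, 15))
    for person, zone, reasons in found:
        print(f"{person} / {zone}: {'; '.join(reasons)}")
```

Run against the constructed data with a review date of 2024-04-15, it flags bob (review overdue), carol (role not permitted) and dave (no longer on the roster), while alice's grant passes; the records list is the evidence that the review took place.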

Separation of Duties and/or Dual Control

Depending on the risk assessment, it may be appropriate to require more than one authenticated staff member to be present in order to obtain access to the secure work area. This can be an administrative control, verified through guard records or CCTV surveillance, or it can be enforced through multiple locks or electronic access controls.

Defense in Depth

The facility ought to be designed with layers of security controls supporting a hierarchy of security levels, from public on the exterior of the building (and possibly including common entrance areas), to low security areas such as reception, all the way to the highest security zones where the most sensitive or high-risk assets or work are located.

Passing from an area of lower security to an area of higher security ought to be obvious to the knowledgeable insider, and must require successfully authenticating with an access control system (be it a receptionist/guard, door lock, card reader, biometric scanner, or other device for identifying the individual transitioning the security boundary). The appropriate rigor and tolerable rate of false positives depend on the security level of the area being protected.

Furthermore, different types of security controls ought to be considered for the higher security zones. For example, in addition to preventive controls such as door locks, detective controls such as CCTV monitoring and corrective controls such as motion detectors and alarms can be used as compensating controls should the primary preventive control (e.g. the door lock) fail or be compromised.

Multifactor authentication techniques are as valuable for physical access as for logical (e.g. login) access. Requiring a user to have an access card as well as enter a PIN to unlock the door to higher security zones protects against loss of the access card and its use by an impostor. Requiring the card (and not the PIN alone) protects against shoulder-surfing by a threat actor who observes staff entering their PINs.
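The layered-zone model, the card-plus-PIN requirement for higher zones and the dual-control rule from the separation-of-duties section can all be expressed as policy over a stream of badge events. The following is an added example, not taken from the CISSP text: a small evaluator that admits a badge to a zone only if it was last seen in the adjacent lower zone (so a badge that appears at an inner door without ever authenticating at the outer one is denied and flagged as possible tailgating), requires a PIN from level 2 up, and holds a level-3 door until a second, distinct authenticated person presents within a time window. Zone names, levels, thresholds and the badge events are constructed assumptions.

```python
"""Badge-event evaluator for layered physical zones (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed zone model: security level and the zone a person must already be in to reach it.
ZONES = {
    "exterior":    {"level": 0, "from": None},
    "lobby":       {"level": 1, "from": "exterior"},
    "office":      {"level": 2, "from": "lobby"},
    "server-room": {"level": 3, "from": "office"},
}
PIN_REQUIRED_LEVEL = 2                     # assumed: card + PIN from this level up
DUAL_CONTROL_LEVEL = 3                     # assumed: two people required from this level up
DUAL_CONTROL_WINDOW = timedelta(seconds=30)  # assumed: second person must badge within this window


class PhysicalAccessMonitor:
    def __init__(self):
        self.location = defaultdict(lambda: "exterior")  # badge -> zone it was last admitted to
        self.pending = {}        # dual-control zone -> (badge, time) of the first valid presentation
        self.decisions = []      # audit trail: (time, badge, zone, decision, reason)

    def _decide(self, event, decision, reason):
        self.decisions.append((event["time"].isoformat(), event["badge"], event["zone"], decision, reason))
        return decision

    def evaluate(self, event):
        """event: dict(time, badge, zone, card_ok, pin_ok). Returns 'allow', 'deny' or 'hold'."""
        zone_name, badge = event["zone"], event["badge"]
        zone = ZONES[zone_name]
        # Defense in depth: the requester must have been admitted to the adjacent lower zone.
        if self.location[badge] != zone["from"]:
            return self._decide(event, "deny", f"no record of {badge} in {zone['from']} (possible tailgating)")
        if not event["card_ok"]:
            return self._decide(event, "deny", "card rejected")
        # Multifactor: card alone is not enough for higher zones.
        if zone["level"] >= PIN_REQUIRED_LEVEL and not event["pin_ok"]:
            return self._decide(event, "deny", "PIN required for this zone")
        # Dual control: hold the door until a second distinct authenticated person arrives in time.
        if zone["level"] >= DUAL_CONTROL_LEVEL:
            first = self.pending.get(zone_name)
            if first is None or first[0] == badge or event["time"] - first[1] > DUAL_CONTROL_WINDOW:
                self.pending[zone_name] = (badge, event["time"])
                return self._decide(event, "hold", "waiting for second authenticated person")
            del self.pending[zone_name]
            self.location[first[0]] = zone_name
            self.location[badge] = zone_name
            return self._decide(event, "allow", f"dual control satisfied with {first[0]}")
        self.location[badge] = zone_name
        return self._decide(event, "allow", "authenticated")


def run_sample():
    """Evaluate a constructed sequence of badge events; returns (decisions, audit trail)."""
    t0 = datetime(2024, 5, 6, 8, 0, 0)
    events = [
        dict(time=t0,                          badge="alice", zone="lobby",       card_ok=True, pin_ok=False),
        dict(time=t0 + timedelta(seconds=20),  badge="alice", zone="office",      card_ok=True, pin_ok=True),
        dict(time=t0 + timedelta(seconds=25),  badge="bob",   zone="office",      card_ok=True, pin_ok=True),   # never badged into lobby
        dict(time=t0 + timedelta(seconds=40),  badge="bob",   zone="lobby",       card_ok=True, pin_ok=False),
        dict(time=t0 + timedelta(seconds=50),  badge="bob",   zone="office",      card_ok=True, pin_ok=False),  # card only
        dict(time=t0 + timedelta(seconds=60),  badge="bob",   zone="office",      card_ok=True, pin_ok=True),
        dict(time=t0 + timedelta(seconds=70),  badge="alice", zone="server-room", card_ok=True, pin_ok=True),   # first of two
        dict(time=t0 + timedelta(seconds=80),  badge="bob",   zone="server-room", card_ok=True, pin_ok=True),   # second of two
    ]
    monitor = PhysicalAccessMonitor()
    return [monitor.evaluate(e) for e in events], monitor.decisions


if __name__ == "__main__":
    for row in run_sample()[1]:
        print(*row, sep="  ")
```

The audit trail records every decision with its reason, which is what a reviewer or guard would consult after the fact; the "deny" on bob's first office attempt is the detection signal that a person reached an inner boundary without passing the outer one.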

Compliance Obligations

Organizations handling government or military classified data will have to institute such security controls as required to meet the obligations of their facility security clearance. The organization responsible for certifying compliance will provide detailed documentation on the controls that are necessary for the level of security clearance being sought, including requirements for:

  • Guards
  • Electronic access control
  • Electronic intrusion detection
  • CCTV
  • Interior access controls

One solution for having confidential discussions is the Sensitive Compartmented Information Facility (SCIF). SCIF is a common term among U.S. and British military and governmental agencies with a need for isolated space to preserve confidentiality. Typically at least a room, and sometimes a secured, hardened building, a SCIF can be temporary or permanent. If you watch any movie where the military leaders are briefing the president on an important and sensitive situation, they are in a SCIF.

GDPR, HIPAA, PCI DSS, and other regulations or contractual obligations may impose security requirements which may affect the design of your physical work area security controls.

For related concerns, see the section “Control Physical and Logical Access to Assets” in Chapter 5.