The Physical Protection family is the ninth family in the NIST 800-171 standard. This family focuses on who has physical access to your equipment and storage.
Why is Physical Protection important?
A true cybersecurity plan must also include a physical element. Firewalls, anti-virus programs, password protections, two-factor authentication and other policies and procedures are entirely ineffective if someone can just walk into your server room and access your controls. A person who can gain direct access to either your server or a connected device, can use keyloggers, encryption devices, malicious code on a flash drive, and more to get access to your data or lock you out. If they can get into the server room, they can even take your drives right out the door with them. So, it is not enough to block attackers on the digital front, you must also be prepared with a physical protection plan.
What is Physical Protection about in NIST 800-171?
The Physical Protection family contains six controls. The primary focus of this family is on controlling access to the physical locations of your equipment and storage. Some of the areas addressed include:
- Limit access to IT equipment and backups to authorized personnel—Maintain a list of personnel who are authorized to access your equipment and make sure that list is accessible to anyone is able to grant access.
- Monitor physical access to servers and network controls—Anyone working in the server area should have authorization. In the case of third party contractors, authorization and direct supervision by an authorized employee is needed.
- Escort visitors and monitor visitor activity—All guests and visitors should be escorted while on site. Ensure that their movements are monitored and known.
- Secure keys, combinations, badges and other methods of physical access—Make sure to keep access points secure by also securing access to keys, employee badges, and passcodes. Make all employees aware of their responsibilities in securing their badges and keys as a part of your physical security plan.
Check back for our next blog post and learn more about the Personnel Security family. You may also be interested in reading our last post on Media Protection.
Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.