To ensure successful and sustainable digitization in companies and public authorities, it is not only essential to secure technical and organizational measures relating to IT systems and processes, but also to adequately secure buildings and premises.
The BSI’s Management Report 2021 shows that “information security is the prerequisite for successful and sustainable digitization.” BSI President Arne Schönbohm also shared that we have a red alert in the area of information security – at least in some areas.
In recent years, for example, it has been noted that attacks and data theft have not only occurred via IT systems but that data and information have also been stolen physically, i.e., by unauthorized persons penetrating the internal physical area of an organization.
Deficiencies in physical and environmental security can have elementary consequences for a company or government agency. This article does not claim to be a complete list of all possible dangers but is intended to point out the primary dangers and raise awareness of the need to take appropriate measures in good time to avert dangers, especially in the physical IT area. Most of the time, the focus is on securing IT systems and data; unfortunately, access to the premises and risks are usually overshadowed.
- Organizational and Technical Measures to Ensure Better Information Protection
- Physical and Environmental Security According to ISO 27001 and BSI IT-Grundschutz
- Industry-Specific Requirements
- Auditing – IT Audit as Part of the Audit of Annual Financial Statements
Organizational and Technical Measures to Ensure Better Information Protection
So, what organizational and technical measures can organizations implement to ensure better information protection?
To safeguard against an attacker stealing data by entering the building or losing information by other means, various aspects should be considered. Of critical importance is identifying and assessing risks, as well as securing and ensuring physical and environmental security. Security standards such as ISO 27001, BSI IT-Grundschutz, and TISAX help with this safeguarding. It is important not only to use these standards but also to sustainably integrate them into the organization’s culture and processes.
Every building is exposed to various threats, including natural disasters, fires, and power outages. To better assess the impact on the organization when such an event occurs, it is advisable to use a standardized procedure for analysis and evaluation. Using a risk management system in the company, for example, threats are identified and possible weak points are analyzed. An individual evaluation of different scenarios enables targeted protection and adequate use of resources.
In the event of a possible “break-in,” various questions arise, e.g., to what extent can information be stolen if someone gains unauthorized physical access to the building? Can the person access information directly, or are the files locked? What damage would occur if important information in analog or digital form is stolen and/or misused? Does this result in financial damage? Does the organization suffer a loss of reputation?
Risk management provides an effective way to assess all these questions and to make appropriate decisions that prevent major damage. Damage occurs when information is lost. Since the security of information must be paramount, the building should be physically secured so that unauthorized intrusion or other loss of data cannot occur in the first place. How this protection works in detail is outlined below.
Physical and Environmental Security According to ISO 27001 and BSI IT-Grundschutz
ISO 27001 addresses physical security in Annex A, among other places. The measures listed there aim to prevent unauthorized persons from accessing, damaging or impairing the organization’s information and information processing facilities. In practice there are further points to consider; the standard’s list is not exhaustive.
The BSI IT-Grundschutz has a similar structure. In layer INF, for example, modules INF.1 and INF.12 describe which physical security requirements must be met to ensure that buildings and rooms are comprehensively secured. The central fields of action and measures relating to physical security in the two frameworks and the resulting opportunities for organizations are explained below by way of example.
1. Definition of the Scope
To be able to plan the safeguarding in concrete terms, the object of consideration must be specified and delimited. Using the example of the protection of business premises and real estate, the question should be asked as to which locations in Germany and abroad, which buildings, and which rooms with which function should be the protection focus. For example, does the organization want to secure only the main site or also smaller secondary sites, or only sites that are assigned to a specific area in the organization? In addition, it should be clarified where which assets with which criticality are located, so that the corresponding protection requirements of the site can be classified. To succeed, the implementation of BSI IT-Grundschutz or ISO 27001 begins with defining the scope. The organization determines the scope. In BSI IT-Grundschutz, this is referred to as the information network.
2. Site Analysis
Once the scope has been roughly defined, an analysis of the location is recommended. Here, the site’s geographic location and general conditions should be considered. Unfortunately, some regions are repeatedly affected by natural hazards such as floods or storms. To prevent such damage and threats, which often lead to devastating physical damage to the site, it is advisable to collect and evaluate all available historical data and forecasts from the relevant institutions for the site’s region. The greatest threats can be quickly identified in this process.
A site inspection for security purposes is essential. It provides a precise overview of how and where the site can be entered, who is allowed to enter the building, how and when access is regulated, and how many entrances and exits are available. In addition, not only physical threats are identified. It also looks at whether, for example, unauthorized persons can access information in a public area. The handling of meeting rooms is also not unimportant. For example, can strangers enter meeting rooms? Is it possible to connect to the internal company network from the meeting room? Can unauthorized persons dial into the internal company network, etc.?
If the site inspection reveals any anomalies, these are documented in writing. All anomalies (findings) are listed and summarized in a gap analysis. This gives the company a precise overview of the weak points.
Once the site inspection and analysis are complete, the ownership, responsibilities, and accountabilities should be reviewed. Who owns the building? Who is a tenant? Who will pay for damage to the building, for example, if parts of the building have been damaged or destroyed by natural hazards? A list with a corresponding overview makes it easier for employees to immediately find the responsible persons or service providers. It would also make sense to draw up internal guidelines specifying the conditions under which repairs are to be carried out by the company and when external service providers are to be commissioned. This list should also include the name of a contact person in an emergency. This person must be contacted in the event of an emergency, such as a fire. The fire protection officer should also be included in this list, as this person must always be contacted during maintenance work or structural measures. The same applies to an existing security guard, depending on the size of the site, and to other important responsible persons.
3. Protection Needs Assessment and Security Zones
Once competencies and responsibilities have been assigned, an access control system should be set up for physical access so that it can be distinguished which persons have access to which areas.
Accordingly, all employees receive an access card that is electronically programmable. The procedure is similar for organizations that do not have an electronic access control system and issue keys. In both cases, a process must be implemented for key management that governs not only the issuance and collection of keys, but also the secure and centralized storage of keys or access cards. Storage should be in a central location that offers appropriate protection against burglary or fire.
Access control systems make it possible, for example, to separate a public area from a non-public area. This division can be continued by making the next area accessible only to employees with access rights. The next level, e.g., the server room area, is in turn accessible only to certain IT employees. In this way, the authorizations are cascaded down as far as required (onion-skin principle) in order to define precisely who has access when and where. These areas with increasingly restricted access are referred to as security zones.
The division of areas into security zones is important for determining which information is available in which area or which zones are to be secured and how. Non-elementary information, such as the cafeteria menu, may be available in a security zone with few restrictions. However, suppose the latest design plans for a component are involved, for example. In that case, a security zone should be selected that is only accessible to a specific group of people because there is an increased need for protection here.
In this context, the basic rule for all external third parties is that they must sign a visitor’s book at the gate or reception. This documents who came and went, who visited, and from which company or institution the visitor came.
4. Building Security
Due to the different levels of protection required for information and data, there are different requirements for securing the building. First of all, the legal requirements must be met. Here, compliance with the fire protection regulations is paramount. This includes regular fire inspections by companies certified for this purpose. They inspect the site and check whether the legal requirements are being met. The functionality of a fire alarm system is also tested. Deficiencies found during the fire inspection are documented and must be eliminated under the responsibility of the fire protection officer.
In order to be able to eliminate these deficiencies, service providers often have to enter the organization’s premises. For this reason, access for external third parties should be precisely regulated, especially as they gain access to information that is only intended for internal employees when they enter the premises.
5. Definition and Tracking of Security Compliance Measures
The identification of security vulnerabilities is of fundamental importance. Appropriate internal or external experts can identify these gaps using the aforementioned gap analysis. In this process, all physical security requirements of the respective standard under consideration are examined. For companies, the ISO 27001 standard has emerged as the best practice standard. For federal and some state authorities in Germany, among others, the BSI IT-Grundschutz applies. Companies are free to follow the BSI IT-Grundschutz as well, or to be certified against it. Internal or external experts know which standard is to be applied for the respective company or industry and which procedure will yield the best results in the gap analysis. In this way, it is possible to identify exactly what gaps exist in the organization. These so-called findings are documented in a list of measures. In this list of measures, the corresponding actions for eliminating the security gap are defined for each finding so that the gap no longer exists after the steps have been implemented and no longer poses a threat to the company.
Example of the content of a list of measures: During the site inspection, it was discovered that a smaller iron gate in the outdoor area of the company premises is defective and can no longer be closed (weak point). The measure defined for this purpose is to have the gate repaired by the local locksmith’s shop by the first of next month. Within the company, facility management is responsible for implementing this measure.
This example shows how risk management works. In the list of measures, not only are the measures for the findings recorded, but also who is responsible for implementing the measure, who implements this measure (locksmith’s shop) and by when this measure is to be implemented. All this is documented in the list of measures, and once a year or at shorter regular intervals, this list of measures is reviewed by audits. These audits provide additional control and check not only the list itself, but also the implementation of the measures. They check whether the applicable standard is being adhered to or whether improvements need to be made in one area or another.
The organization decides which measures are necessary and how much effort is required to implement them, if necessary, with experts’ help.
Industry-Specific Requirements
Depending on the industry and the form of organization, additional legal, regulatory and other external requirements and internal regulations must be complied with and observed. Failure to comply with external and internal requirements can result in significant financial detriment, legal sanctions and reputational damage to the organization, in addition to personal consequences for management, executives and employees. Being compliant in physical security requires adherence to established standards, frameworks, audits and certifications. For example, depending on the industry and size of the organization, industry-specific standards (B3S, BaFin requirements, BSI IT-Grundschutz, ISO standards, TISAX, IDW PS 330, etc.) must be implemented.
Healthcare Sector – Hospital
Section 75c SGB V tightens the IT security requirements for hospitals from 01.01.2022. There is a particular focus on the digitalization of hospitals. With regard to information security, all hospitals in Germany will be required to establish a so-called information security management system (ISMS) in order to introduce measures in the area of physical security, among other things.
Financial Sector – Banks
On August 16, 2021, the German Federal Financial Supervisory Authority (BaFin) published the new version of its bank regulatory requirements for IT (BAIT). In BAIT, the supervisory authority specifies the framework conditions for secure information processing and information technology.
Chapter 4, Information Security Management, of the BAIT requires the organization or the information security management department to specify information security requirements (see AT 7.2 para. 2 MaRisk). Point 4.3 BAIT specifies that the institution must implement organizational measures, e.g., creating an information security policy for physical security covering perimeter and building protection and access control. This means that the institution must address the area of physical security.
Auditing – IT Audit as Part of the Audit of Annual Financial Statements
The audit standard IDW PS 330 developed by the Institute of Public Auditors in Germany (IDW e.V.) requires mandatory IT system audits as part of annual audits.
As part of the annual financial statements audit, the auditor must, among other things, make a statement about the compliance and appropriateness of the information and IT security. In the context of the audit, the IT auditor is usually commissioned by the auditor to audit the organization in the audit areas defined by the IDW PS 330 standard (including IT environment and IT organization, IT infrastructure and IT applications, and IT-supported business processes). The “Checklist for the Audit of Financial Statements with the Use of Information Technology (IDW PH 9.330.1)” prepared by the IDW can serve as a basis for the audit and audit documentation.
In audit field 2, IT infrastructure and IT applications, the physical security measures are audited, among other things. The documentation and the current status of the physical security measures are examined as part of the audit of design and operating effectiveness (functional audit). To check the effectiveness of the measures in the context of the functional test, the IT auditor must, among other things, inspect the sites, buildings, data center, or computer room/distribution room.