We often evaluate our compliance to different security standards and use them as guidelines to make sure we are minimizing privacy risk in our organizations – this is common practice. If your organization is bound by regulations, this may be required. Despite this, we’ve observed a lack of commitment to fully understand all potential data loss vulnerabilities, mainly in the area of physical security.
With cybersecurity breaches stealing the headlines, it’s easy to place less focus on physical security aspects of data protection. However, to be protected from data loss, these aspects are just as important and require just as much attention. The importance of physical security can be illustrated by the fact that many regulations that primarily cover information security also have physical security requirements. Some examples include HIPAA, FFIEC, and PCI DSS
HIPAA Physical Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that mandates data privacy and security provisions for specified medical information. Physical security is a necessary component of the HIPAA Security Rule and will vary depending on your organization and budget. The regulation requires you physically protect workstations that contain or are able to access ePHI, ensuring there are policies and procedures in place to protect and limit access to such systems and facilities. Along with this, steps must be made to deter tampering and theft to equipment or systems, as well as access by non-essential personnel and visitors. This encompasses not only stationary device, but also mobile devices such as phones or tablets that have access. Read more here on the HIPAA Security Rule.
Example “ 164.310(a)(1) (Required) Organizations should implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
Physical controls can vary for meeting compliance, such as a guard or ID scanner can serve the same purpose of limiting access to a restricted area or system. Many low-cost measures exist for physical security, such as requiring employees to lock their computers when they’re away from workstations or locking access to unstaffed offices. In 2019, breach numbers have risen steeply from previous years with more than 25 million patient records breached. Don’t leave anything to chance.
FFIEC Physical Security
The Federal Financial Institutions Examination Council (FFIEC) is responsible for establishing reliable guidelines and uniform practices for financial institutions and expectations for compliance. Among other requirements, they urge and regulate physical security for detective, preventative, and corrective controls. One of the requirements is to utilize multifactor authentication over single factor authentication. This requirement encompasses physical security by allowing biometric verification methods such as fingerprint scanning, iris recognition, or facial recognition, and protecting these access controls. In addition, there is a focus on security zone requirements, such as making sure they are not identified by any signs or other indicators.
Example “The selection process should include a review of the surrounding area to determine if it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Risks from environmental threats can be addressed through devices such as halon gas and halon replacements, smoke alarms, raised flooring, and heat sensors.”
In order to prove compliance with these requirements, in-depth assessments must be performed to identify security gaps and threats. Mitigation tasks and solutions must be implemented to reduce security risk and meet all aspects of FFIEC requirements.
Read more here on FFIEC Physical Security.
Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that is designed to guarantee that any company that accepts, processes, or stores credit card information is actively maintaining a secure environment. While this largely covers information security, Requirement 9 mandates restricted physical access to cardholder data. These compliance requirements ensure a secure area, such as requiring visitor authorization, escorting visitors at all times, and ensuring visitor access expires or is taken away upon completion of their time there.
Example “9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.”
These precautions prevent malicious intent and protect sensitive data. If you don’t have video camera surveillance on necessary entrances/exits or appropriate access controls for both staff and visitors, it may be time to perform a risk assessment. Read more here on PCI DSS compliance requirements from Stanford University.
Assessing Your Data Security Risk
When assessing your risk, your organization must ask itself…
• What physical security controls do you already have in place, do they meet requirements, and what other controls are you able to add or upgrade?
• Are all policies and procedures regarding physical security controls up to date?
• Are all systems and devices documented? Are they secure? What are your security gaps?
RiskWatch applications allow you to assess your security vulnerabilities and compliance to best practices. You can select from existing RiskWatch content libraries to assist you in meeting established best practices and industry standards including the three regulations mentioned above. Through automation, the platform effectively aids you in reducing exposure to liability, managing risk, monitoring and maintaining security, and tracking continuous improvement. RiskWatch applications also store a record of your compliance in case it’s needed for audits or third-party requirements. You can use SecureWatch to assess your physical security posture to ensure that your data is being effectively protected from a physical perspective. Alternatively, use our ComplianceWatch application to ensure that your organization is meeting all its regulatory or internal policy requirements. Take a free trial today and select one of the content libraries discussed above.