Physical and Environmental Security (PEN)

Physical and Environmental Security is an important aspect of an organization’s security—many security mechanisms can be defeated if an attacker has physical access to them. In the overall risk management strategy of an organization, physical security is generally overlooked, or the responsibility is handed over to a function that operates in a silo. There has been an increasing realization that gaps in physical security give an attacker or intruder easy options for compromising the security of information assets with little or no technical knowledge. This realization is reflected in facilities that are being built or are implementing physical protection systems such as barriers, locks, access controls, monitoring cameras, alarms and intrusion detectors. With more solutions and techniques reaching the market, physical security concepts are also evolving, helping to establish it as an important discipline within an organization’s security. Along with physical security, environmental security elements such as facility power and power backup management, Heating, Ventilation and Air Conditioning (HVAC) systems, and fire detection also play an important role in continuity of operations and in the security of data residing on the systems in a facility. Environmental security elements require close attention, as their capacity, operation and performance seriously affect the overall security of an organization. DSCI believes that the goal of securing data may not be achieved without dedicating sufficient resources and effort to physical and environmental security.


Physical security is no different from the core principles of computer security: it requires assessing threats, designing a protection mechanism that involves equipment and procedures, and testing it from time to time for improvement. Aimed primarily at deterring physical intrusion, it also provides means for detecting intrusions, alerting security managers, making it difficult for intruders to defeat the security system, and responding quickly to successful intrusions. With the advent of technology solutions, these mechanisms help in the effective management of physical security at facilities. Along with these solutions, common sense plays an important role in securing facilities, especially measures such as deploying security guards, implementing precautionary measures at the perimeter, checking movements within or around the facilities, and proactively handling situations that may introduce security vulnerabilities. The management capabilities of environmental support equipment such as fire alarms, power supply systems and HVAC systems have also matured, helping to manage incidents that can compromise security. It has been observed that in most cases physical and environmental security are managed by siloed functions, and there is a serious lack of coordination between them and IT security. This leaves many physical vulnerabilities and issues in environmental elements unaddressed. These problems have been debated in recent years, driving the concept of converging physical and logical security. Different technology options are evolving in the market that promise convergence and provide the means for building a common incident management platform where physical security events are duly addressed. DSF emphasizes that the role of Physical and Environmental Security (PEN) is very important to its end goal of securing the data residing at the facilities of an organization.

  • Strategy for Physical Security
    • Create a map of all physical facilities to systems housed in the facilities, physical security operations handled from the facilities and their criticality to the business.
    • Ensure that a significant level of centralized visibility exists over physical security initiatives, activities, functions, solutions, processes and current state of maturity of all locations
    • Create a map of physical security solutions, techniques and architectural elements deployed across all the facilities
    • Create an inventory of compliance regulations in regard to physical security and map them into in-scope facilities and systems
    • Ensure that the physical security requirements are defined and documented considering facts such as the threat landscape of an organization, vicinity and compliance requirements
    • Ensure that the physical security measures are derived out of a well defined framework or structure for physical security.
    • Ensure that the selection of physical protection measures is derived from thorough threat analysis of facilities and zones within the facilities.
    • Establish enterprise-level standards or guidelines for physical security — site selection, perimeter controls, entry & interior controls, access provisioning and revocation, intrusion detection, incident management, monitoring and policy exceptions — for all self-owned and leased facilities
    • Define the roles and responsibilities of physical security organization at the corporate and regional facility level.
    • Ensure that a strategy exists for integrating physical security function with other security initiatives of the organization
    • Develop a strategic roadmap for physical security for adoption of emerging technical solutions
  • Strategy for Environmental Security
    • Create an inventory of electric supply arrangements, power backup arrangements, fire safety provisions, fire detection mechanisms, fire exits and Heating, Ventilating and Air-Conditioning (HVAC) equipment across all the facilities
    • Ensure that there exists a complete visibility over adequacy of measures deployed for environment security, their current state against geographical and local conditions and historical incidents pertaining to environmental measures
    • Ensure that a significant level of resources and effort is dedicated to the continual operation of facilities, protection of the environment at facilities, deterring fire incidents at facilities and protecting human life at facilities in case of incidents
    • Ensure that enterprise-wide standards and guidelines are established for environmental protection
    • Ensure that a strategy exists for availing services in facility management, adopting emerging technical solutions, tracking the state of equipment and devices, and integrating them with the incident management system to address events specific to environmental devices
  • Physical Security
    • Create a map of physical security activities, processes, technologies and operations at geographical vicinity, campus perimeter, work area entry and interior.
    • Create a visibility over all access points, their criticality and access control measures deployed at all these points
    • Ensure that the facility is divided into security zones, based on the criticality of each function, project or task being carried out. Derive a map of access requirements for each zone and user groups that require access to these zones
    • Ensure that the physical security processes are established for all physical security elements such as campus entry, zone entry, interior operations, access granting & revocation, visitors access, physical security monitoring, incident management and emergency operations
    • Ensure that the entry to a facility is restricted to only those users who provide proof of their organizational identity.
    • Ensure that a mechanism exists to identify, authenticate and authorize access to users.
    • Ensure that a physical access process is integrated with user life cycle management of the organization that entails physical access provisioning, access management and revocation
    • Ensure that a process exists for allowing and revoking access of visitors, partners, third party service providers and support services
    • Create an inventory of instances that may introduce security vulnerabilities.
    • Ensure that a security authorization is performed for all changes pertaining to physical security, instances that may introduce security vulnerabilities and exception to the policy
    • Ensure that an adequate number of security guards are deployed at the facilities. Ensure that background checks and the credibility of the contractor organization they belong to have been considered while sourcing or recruiting guards
    • Ensure that an adequate level of security measures are implemented for vehicle entry & exit, vehicle parking areas, loading/unloading docks, storage areas, and any other area that may provide easy passage for physical intrusion
    • Ensure that the incoming data and telecom lines, Customer Premises Equipment (CPE) from service providers and electric distribution systems are protected from physical intrusion
    • Create an inventory of alarm system installations across the facilities, external and internal installations. Map the inventory with the detection requirements of an organization
    • Ensure that a mechanism exists to facilitate detection of physical intrusion, confirmation of the incident, escalation to respective officials, tracking of the corrective actions and recording of the incidents
    • Ensure that the physical security function is integrated with information security team
    • Ensure that a mechanism exists for reporting the physical security incident.
    • Ensure that a significant level of effort is dedicated to assessing the vulnerability of the organization’s facilities and conducting a routine survey or audit to review and test the preparedness of the physical security function
    • Ensure that a significant level of coordination exists with local law enforcement bodies for handling physical security breaches
  • Environmental Security
    • Create a map of fire safety provisions in the facility – fire sensor or smoke detector map of the facility, fire alarming and command control system and fire protection measures
    • Ensure that sufficient effort is dedicated to routine fire safety operations, including testing of fire detectors, routine maintenance of equipment and fire safety drills
    • Ensure that responsibilities are defined for fire drills and emergency operations, and that routine training is conducted for the designated people
    • Ensure that a significant level of effort is dedicated to training and awareness of employees, with proper signage and direction maps provided for guidance in an emergency
    • Ensure that a significant level of capacity of power systems, standby power supply and HVAC is available to withstand current load of the facility and its likely expansion
    • Ensure that a significant level of resources is dedicated to maintenance of all supporting equipment to keep their capacity intact and avoid failures
    • Ensure that a mechanism exists to monitor the performance of power and HVAC system
    • Ensure that the incident management system is capable enough to address the incidents detected by environmental security devices
  • Coverage and accuracy of background checks
  • Coverage and adequacy of training and awareness
  • Involvement of HR function
  • Integration of security with HR Processes
  • Ease of access to security policies
  • Adequacy of administrative rules and procedures
  • Enforcement of acceptable use policy
  • Responsiveness to noncompliance issues
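The zone-based access requirements, visitor passes and life-cycle revocation described under Physical Security above, as an added Python illustration that is not part of the DSCI Security Framework; zone names, group names and badge fields are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed sample zone map: higher number = more critical zone.
ZONE_CRITICALITY = {"lobby": 0, "office": 1, "server_room": 3}

# Constructed group-to-zone access map (the per-zone requirements above).
GROUP_ZONES = {
    "staff": {"lobby", "office"},
    "datacentre_ops": {"lobby", "office", "server_room"},
}


@dataclass
class Badge:
    holder: str
    groups: Set[str]
    active: bool = True                        # cleared on revocation
    visitor_expiry: Optional[datetime] = None  # set only for visitor passes


@dataclass
class AccessControl:
    log: List[tuple] = field(default_factory=list)

    def decide(self, badge: Badge, zone: str, now: datetime) -> bool:
        """Authorize one entry attempt and record the decision for review."""
        if zone not in ZONE_CRITICALITY:
            reason = "unknown zone"
        elif not badge.active:
            reason = "badge revoked"
        elif badge.visitor_expiry and now > badge.visitor_expiry:
            reason = "visitor pass expired"
        elif not any(zone in GROUP_ZONES.get(g, set()) for g in badge.groups):
            reason = "zone not in entitlements"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.log.append((now, badge.holder, zone, allowed, reason))
        return allowed

    def revoke(self, badge: Badge) -> None:
        """Life-cycle revocation: an off-boarded user loses every zone at once."""
        badge.active = False

    def escalations(self) -> List[tuple]:
        """Denied attempts on critical zones are the ones to escalate."""
        return [e for e in self.log
                if not e[3] and ZONE_CRITICALITY.get(e[2], 0) >= 3]
```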

DSCI Security Framework