We’ve frequently discussed how technical safeguards — such as whole disc encryption, strong passwords, and anti-virus software — are a critical part of information security. But it is also worth noting that protecting sensitive data also involves a variety of physical safeguards as well.
SECURE STORAGE
Paper records should be stored in locked cabinets, or in a segregated file room with appropriate access controls (e.g., a badge access system or lockable doors to which only appropriate team members are given keys).
Media — including flash drives, external hard drives, and DVDs — should be kept in locked cabinets or drawers.
Laptops should always be stored in secure areas. When traveling, keep laptops in the trunk, out of sight. Never leave laptop bags unattended in airports or other public facilities, and always use the hotel safe to secure equipment when you’re not in the room.
Servers should be physically isolated in tightly controlled and monitored facilities which provide a climate-controlled environment. Server rooms should be equipped with appropriate fire suppression equipment, which should be tested regularly. Only those technical team members whose jobs require it should be able to access the server room.
Backup tapes should be stored in a fireproof safe, ideally in a secure, offsite location. Only those technical team members whose jobs require it should be given access to the backup drives and tape libraries.
DESTRUCTION PRACTICES
As noted in the section on Administrative Safeguards, policies governing data retention and destruction are critical for information security.
Paper documents that contain confidential, sensitive or personal information should be shredded according to the schedule prescribed by policy, or as soon as they are no longer needed.
Electronically stored information, including data stored on backup tapes, should also be deleted according to the schedule described by the policy. Since deleted data can be recovered using specialized software, data should be destroyed using methods detailed in the National Institute for Standards and Technology's (NIST) Special Publication 800-88: Guidelines for Media Sanitization.
EMERGENCY PROCEDURES
As mentioned above, servers should be maintained in a secure server room equipped with appropriate fire suppression equipment, heating, and cooling. More generally, offices should be properly outfitted with fire extinguishers and first aid kits, and evacuation routes should be clearly posted. Employees should be trained and routinely tested on emergency response procedures, which should include measures for securing and protecting sensitive information during an emergency, evacuation, or other exigent circumstance.
Reprinted from ePlace Solutions.