Physical security
Physical security protects people, facilities, devices, media, and infrastructure from unauthorized physical access, theft, tampering, damage, and disruption.
In plain terms
Physical security protects the buildings, devices, and media themselves, using controls such as locks, badges, and cameras. All the digital defenses mean little if someone can simply walk in and carry off a server or plug into a port.
Because the strongest encryption and firewalls are useless if an attacker can simply walk away with a server or plug directly into a sensitive network switch, physical security forms the essential foundation for all digital protection efforts. It is part of cybersecurity because physical access can bypass many digital controls.
Physical security applies to offices, data centers, network closets, server rooms, laptops, mobile devices, backup media, badges, cameras, locks, visitor processes, and environmental controls.
NIST SP 800-53 Rev. 5 includes Physical and Environmental Protection controls covering facility access, visitor control, monitoring, delivery handling, power, fire, temperature, and water damage protections.
Risk assessment should decide control strength. A public lobby, employee office, server room, and data center cage need different controls because the assets, threats, and impact differ.
Access control is foundational. Badges, keys, guards, locks, turnstiles, mantraps, visitor logs, and escort procedures help ensure only authorized people enter sensitive areas.
Physical access to devices can enable data theft, malware installation, hardware implants, boot attacks, network tapping, or removal of storage media. Full disk encryption and secure boot reduce some device-loss risk.
USB security is related. Uncontrolled removable media can introduce malware or remove data. Policies and technical controls should cover ports, storage devices, and approved transfer workflows.
Network closets and cabling need protection. An attacker with access to switches, patch panels, or rogue devices may bypass wireless controls, capture traffic, or create persistence on the network.
Environmental controls support availability. Power, cooling, fire suppression, water detection, and physical resilience protect systems from disruption that has nothing to do with malware.
Visitor management should be practical and enforced. Sign-in records, badges, escort rules, restricted areas, and contractor oversight help reduce unauthorized access and support investigations.
Asset handling matters during repair, shipping, storage, and disposal. Devices may leave normal custody, and media sanitization or encryption evidence may be required.
Monitoring can include cameras, door logs, alarms, badge analytics, rack access logs, and security patrols. These records should be retained and protected according to risk.
Business continuity depends on physical security. A damaged facility, stolen laptop fleet, inaccessible office, or power failure can interrupt operations even when digital systems are otherwise secure.
In practice, physical security is the physical layer of trust. It protects the places and objects that digital controls depend on, and it should be coordinated with IT, facilities, HR, legal, and security.
The explicit failure mode is assuming cybersecurity starts only after a user logs in. If attackers can enter a server room, steal unencrypted devices, plug into network ports, tamper with backups, or disrupt power and cooling, they can create cyber impact through physical means. Mature programs test physical access paths, protect critical assets, and include physical events in incident response planning.
Operational evidence should include badge logs, visitor records, camera retention, access reviews for restricted areas, device custody records, media sanitization certificates, and environmental monitoring alerts. Physical security should be aligned with asset criticality: a network closet serving sensitive systems deserves different controls than a general office closet.
Incident playbooks should cover lost devices, unauthorized facility access, suspected hardware tampering, and outages caused by physical conditions. These events should trigger both facilities response and cybersecurity review because the impacts often overlap. Physical access reviews should include badge permissions, visitor exceptions, terminated users, contractors, shared spaces, and sensitive rooms.
Controls should be tested with realistic scenarios such as tailgating, lost badges, unattended devices, after-hours access, and emergency repairs. Device-loss response should connect physical facts to encryption state, data classification, and credential exposure. Physical security is strongest when treated as part of the same risk system as identity, endpoint security, and business continuity.
Physical controls should also protect recovery assets. Backup media, recovery workstations, spare hardware, printed emergency procedures, and out-of-band network equipment may be essential during an incident. If attackers or disasters affect those assets, digital recovery plans can fail. Facilities teams and security teams should therefore coordinate testing, evidence retention, and incident escalation. A physical event should not be dismissed as separate from cybersecurity until its impact on systems, data, and credentials is assessed.
Remote and hybrid work extend physical security into homes, travel, and shared spaces. Policies should address device storage, privacy screens where needed, lost equipment, removable media, and secure disposal outside traditional offices. Those controls should be risk-based so highly sensitive roles receive stronger expectations than ordinary low-risk work.
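As an added example (not part of the original page), the following Python script performs the kind of physical access review described above over a badge-reader export: it flags swipes by terminated or unknown badges, after-hours entries to sensitive rooms, and repeated entries with no recorded exit, which can indicate tailgating or badge sharing. The roster, room policy, and log lines are all constructed sample data, not from any real system.

```python
from datetime import datetime

# Constructed HR roster: badge id -> (name, status). Not real data.
ROSTER = {
    "B1001": ("alice", "active"),
    "B1002": ("bob", "terminated"),
    "B1003": ("carol", "active"),
}

# Constructed room policy: room -> (sensitive?, allowed entry hours [start, end))
ROOM_POLICY = {
    "lobby": (False, (0, 24)),
    "server-room": (True, (7, 19)),
}

# Constructed badge-reader export, one event per line: timestamp,badge,room,direction
BADGE_LOG = """\
2024-03-04T08:05:00,B1001,server-room,in
2024-03-04T12:10:00,B1001,server-room,out
2024-03-04T21:30:00,B1003,server-room,in
2024-03-04T09:00:00,B1002,lobby,in
2024-03-04T13:00:00,B1001,server-room,in
2024-03-04T13:01:00,B1001,server-room,in
"""

def review_badge_log(log_text, roster=ROSTER, policy=ROOM_POLICY):
    """Return (finding, badge, room, timestamp) tuples in time order."""
    findings = []
    inside = set()  # (badge, room) pairs currently recorded as inside
    # ISO-8601 timestamps sort lexicographically, so sorting rows orders events
    rows = sorted(line.split(",") for line in log_text.strip().splitlines())
    for ts_str, badge, room, direction in rows:
        hour = datetime.fromisoformat(ts_str).hour
        _name, status = roster.get(badge, ("unknown", "unknown"))
        # Unknown rooms are treated as sensitive with no allowed hours
        sensitive, (start, end) = policy.get(room, (True, (0, 0)))
        if status != "active":  # terminated or unknown badge still swiping
            findings.append(("inactive-badge", badge, room, ts_str))
        if sensitive and direction == "in" and not (start <= hour < end):
            findings.append(("after-hours", badge, room, ts_str))
        key = (badge, room)
        if direction == "in":
            if key in inside:  # second entry with no exit: anti-passback anomaly
                findings.append(("no-exit-before-entry", badge, room, ts_str))
            inside.add(key)
        else:
            inside.discard(key)
    return findings
```

Each finding maps to a review item from the text: inactive badges to terminated-user checks, after-hours entries to the after-hours test scenario, and missing exits to tailgating.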