Traditionally, protective security has had three ‘domains’ that combine to make up an organisation’s overall security posture. These three domains are personnel security (mostly relating to the trustworthiness of individuals), information security (generally how information is to be protected from unauthorised access, loss or other harm) and physical security (protecting assets, sites and facilities from physical harm or, again, unauthorised access). These are known in government circles as PERSEC, INFOSEC and PHYSEC respectively. As protective security has come to the fore, security governance is also a concern, but that’s another article.
PHYSEC has been with us ever since we elected to live in caves or up in trees. Today it has evolved into a sophisticated discipline that increasingly uses technology for controls. This is referred to as ‘convergence’ between the PHYSEC and INFOSEC domains and is useful to understand, as controls can be of benefit to both INFOSEC and PHYSEC needs. The use of disk encryption is a classic example of this: disk encryption is very useful should a laptop (for example) be stolen or lost, as the data is protected; however, physical security controls should have prevented this from occurring in the first place.
PHYSEC is nevertheless important beyond INFOSEC needs. PHYSEC is also needed to protect assets beyond information, such as staff (Occupational Safety and Health (OSH) considerations), equipment and plant, as well as the integrity of processes. For example, if your business is food processing, you’ll need good physical security to ensure your product is being manufactured in a safe way and has not been interfered with in any way.
This, like all protective security, is a risk management conversation. Your organisation needs to agree on what needs to be protected (the asset), from what (the threat) and how PHYSEC may reduce the risk through controls. Threat actors can vary from industrial espionage/sabotage to organised crime, petty thieves and vandals. Each actor will have different objectives, and through a risk assessment conversation appropriate PHYSEC controls can be selected. So, when considering the protection of your organisation, ensure PHYSEC risks are considered, and for efficiency and effectiveness do this in conjunction with the INFOSEC risk assessment.
BY JONATHON BERRY