PPPR-15

Does your organization have physical security controls and policies in place?

Explanation

This question is asking whether your organization has implemented physical security measures and documented policies to protect physical assets, facilities, and data from unauthorized access, theft, damage, or other physical threats.

Physical security controls refer to tangible measures like access control systems (key cards, biometric scanners), security cameras, guards, locks, mantrap doors, visitor management systems, and physical barriers that restrict access to sensitive areas where data or systems are housed. Physical security policies are the documented rules and procedures that govern how these controls are implemented, maintained, and enforced. These typically include visitor policies, access authorization procedures, physical access reviews, and incident response plans for physical security breaches.

This question is asked in security assessments because physical security is a fundamental layer of defense. Even with robust digital security measures, an organization remains vulnerable if unauthorized individuals can physically access servers, network equipment, or workstations. Physical breaches can lead to data theft, hardware tampering, installation of malicious devices, or system sabotage.

To best answer this question:

1. Describe your physical security controls comprehensively
2. Reference formal documented policies that govern these controls
3. Mention any compliance standards you follow (e.g., ISO 27001, NIST)
4. Include details about how you monitor and enforce these controls
5. Note any regular assessments or audits of physical security measures

Example Responses

Example Response 1

Yes, our organization maintains comprehensive physical security controls and formal policies. Our data centers implement multi-layered physical security including badge access systems, biometric authentication, 24/7 security personnel, CCTV monitoring, and mantrap entries. Our corporate offices utilize electronic access control systems with role-based permissions, visitor management systems requiring escort for all guests, and security cameras at all entry points. These controls are governed by our Physical Security Policy (PS-001), which defines access authorization procedures, visitor management requirements, physical security incident response, and regular access reviews. We conduct quarterly physical security assessments and annual penetration tests against our physical controls. Our physical security program aligns with the ISO 27001 and NIST 800-53 frameworks and undergoes annual third-party audits.

Example Response 2

Yes, our organization has implemented physical security controls and maintains formal policies governing these controls. As a cloud-based SaaS provider, we operate exclusively in Tier III certified co-location facilities that provide 24/7 security staff, biometric access controls, video surveillance, and environmental monitoring. We maintain a documented Physical Access Control Policy that requires multi-factor authentication for all data center access, retains access logs for a minimum of 12 months, and mandates quarterly access reviews to verify that only authorized personnel retain access rights. For our corporate offices, we employ electronic badge readers, reception check-in procedures, and security cameras. All visitors must be pre-registered, show identification, sign our visitor agreement, and be escorted at all times. We conduct annual physical security risk assessments and maintain incident response procedures specifically for physical security events.

Example Response 3

No, our organization currently has limited physical security controls and no formal documented policies. As a small startup with 15 employees working from a shared office space, we rely primarily on the building's main entrance security (keycard access during business hours and locked doors after hours). We do not have dedicated security personnel, surveillance systems, or formal visitor management processes specific to our office space. While we do keep our server closet locked with restricted key access, we recognize this is an area for improvement. We are currently developing formal physical security policies and evaluating additional controls like security cameras and electronic access systems for sensitive areas as part of our security roadmap for the next fiscal year. In the interim, we've implemented compensating controls including full-disk encryption on all devices and multi-factor authentication for all systems to mitigate risks from potential physical access.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub