This is a phrase I have heard more than once when discussing security. It shouldn't come as a surprise -- it's why banks have vaults and secure facilities have fences. Technology security is no different -- physical access to a PC trumps all. What does that mean when you're considering IT security measures? It means that step 1 in any good security plan is making sure that your machines are stored safely.

If, for instance, you have a server hosting sensitive data (like customer information, trade secrets, financial data, etc.), make sure that physical access to the server is limited. You may have firewalls, encryption, passwords, etc., but do you have a locked door to your server room? Does a janitor equipped with a screwdriver have the opportunity to open that server and pull out its hard drives? If he did, would you know?

Of course, security doesn't just apply to servers. What about laptops and desktops? Are they secured? Are they physically connected to users' desks so that they can't "walk away"? Who else has access to the facility? Do you allow vendors in? What is the policy on access? Do you use sign-in sheets? Have multiple doors? Cameras? Alarms on all the external windows and doors?
I realized (in my third draft of this post) that a lot of security items relate directly to "physical access." Trying to include them all in one post would've made this quite long. Instead, I'm going to break this up into several posts. To get started, let me ask some questions relating to physical security:
The point of this is not to frighten you, but to get you to think about security in a holistic way. It's more than alarms and passwords -- it needs to be a comprehensive plan to cover all aspects of security in order to keep your data safe while allowing access to those who require it.
Watch for more posts on security-related topics. In the meantime, think about potential holes in your current security scheme.