Protecting employees and members of the public who visit your facility is a complex and challenging responsibility. It’s also one of your company’s top priorities.
Recognize the importance of securing your company’s facilities. The physical security of a facility depends on a number of security decisions that can be identified through a comprehensive risk-management process. The objective of risk management is to identify an achievable level of protection for your company that corresponds as closely as possible to the level of risk without exceeding the risk. It is easy to think about the physical security of your company’s facility as merely an exercise in maintaining control of access points and ensuring there is complete visibility in areas that are determined to be of high risk – either because of the threat of easy public access or because of the value of information located nearby. However, maintaining the security of your company’s facility also includes the physical environment of public spaces. For instance.
- Employees whose computers have access to sensitive information should not have their computer monitors oriented toward publicly accessible spaces such as reception areas, check-in desks and waiting rooms. Employees should be trained to not write out logins and passwords on small pieces of paper affixed to computer equipment viewable in public spaces.
- Easy-to-grab equipment that could contain sensitive or personally identifiable information – such as laptops, electronic tablets and cell phones – should be located away from public areas. If you have an environment where employees are working in a waiting room or reception area, train them to not leave these types of devices out on their desks unsecured.
- Consider using cable locks as an easy way to increase security for laptop computers. Most laptops feature a lock port for a cable which can be connected to the user’s desk. Be sure to store the key to the cable lock in a secure location away from the desk the computer is locked to.
- In cases that extremely sensitive information is stored on a laptop, consider adding a LoJack software system. The software runs unnoticed and allows law enforcement to locate stolen computers more easily and also allows an administrator to wipe the hard drive remotely if necessary.
- Consider implementing a badge identification system for all employees, and train employees to stop and question anyone in the operational business area without a badge or who appears to be an unescorted visitor.
Minimize and safeguard printed materials with sensitive information. Probably the most effective way to minimize the risk of losing control of sensitive information from printed materials is to minimize the number of printed materials that contain sensitive information. Management procedures should limit how many instances and copies of printed reports memoranda and other material containing personally identifiable information exist. Safeguard copies of material containing sensitive information by providing employees with locking file cabinets or safes. Make it a standard operating procedure to lock up important information. Train employees to understand that simply leaving the wrong printed material on a desk, in view of the general public, can result in consequences that impact the entire company and your customers.
Ensure mail security. Your mail center can introduce a wide range of potential threats to your business. Your center’s screening and handling processes must be able to identify threats and hoaxes and eliminate or mitigate the risk they pose to facilities, employees, and daily operations. Your company should ensure that mail managers understand the range of screening procedures and evaluate them in terms of your specific operational requirements.
Dispose of trash securely. Too often, sensitive information – including customers’ personally identifiable information, business financial and other data, and company system access information – is available for anyone to find in the trash. Invest in business-grade shredders and buy enough of them to make it convenient for employees. Alternatively, subscribe to a trusted shredding company that will provide locked containers for storage until documents are shredded. Develop standard procedures and employee training programs to ensure that everyone in your company is aware of what types of information need to be shredded.
Dispose of electronic equipment securely. Be aware that emptying the recycle bin on your desktop or deleting documents from folders on your computer or another electronic device may not delete information forever. Those with advanced computer skills can still access your information even after you think you’ve destroyed it. Disposing of electronic equipment requires skilled specialists in order to ensure the security of sensitive information contained within that equipment. If outside help, such as an experienced electronic equipment recycler and data security vendor, is not available or too expensive, you should at a minimum remove computer hard drives and have them shredded. Also, be mindful of risks with other types of equipment associated with computer equipment, including CDs and thumb drives.