Information Security and Data Privacy Bulletin
March 19, 2015
INTEGRATING PHYSICAL SECURITY INTO YOUR CYBERSECURITY PLAN
When contemplating cybersecurity defenses, organizations predictably focus on technological issues and solutions. This attention flows naturally from storing substantial amounts of sensitive client or proprietary data on information technology systems, as well as the legitimate cyber-threats to those systems. However, this may leave organizations vulnerable to non-technical attacks facilitated by lapses in physical security. To prevent the loss or misappropriation of data from espionage, sabotage, damage, or theft, organizations should conduct security assessments that consider the threats posed by unauthorized physical access to their offices, equipment, and documents. Based on the outcome of these assessments, organizations should address any gaps in their policies and procedures.
Maintaining Access Control to Office Spaces
The most critical step in ensuring physical security is establishing and maintaining access control to facilities and office spaces. For organizations that occupy space in large urban office buildings, this is typically accomplished using key cards and turnstiles monitored by security personnel. Key card systems should be configured to permit organizations to know when employees are entering and exiting the building. For organizations situated in suburban campuses, physical security will be more elaborate and extend out from buildings, with access control features such as fences, gates, cameras, and security personnel.
Receptionists and employees should be provided training on maintaining a secure office environment. Receptionists should be tasked with keeping a record of visitors to the office, which should include, in addition to the visitor’s name, the date, start time and end time of the visit, and the employee who was visited. Visitors should be required to wear identifying badges that clearly identify such persons as visitors and state the floor to which they have been granted access. To ensure visitors do not attempt unauthorized access to computer systems, or obtain or record information from hardcopy documents, employees should be trained to escort visitors throughout the office at all times, and be aware of unescorted individuals. Employees at larger organizations typically will be issued identifying credentials, and employees should be trained to ask unfamiliar individuals to produce their identification cards.
Organizations should make certain that employees who leave voluntarily or are terminated return any access cards and identification credentials, and that these credentials are revoked in access control systems.
Employees, vendors, and consultants should be vetted with a background check whose detail is commensurate with the sensitivity of the information these employees may access. Non-disclosure agreements should also be routine for employees, vendors, and consultants hired by organizations, particularly those individuals who will be granted access to information technology networks and systems. Landlords and their agents, such as facilities workers and cleaning staff, also have access to tenants’ office space. Consequently, leases should include non-disclosure agreements that cover the landlord and its agents.
WOLLMUTH MAHER & DEUTSCH LLP
500 FIFTH AVENUE, 12TH FLOOR, NEW YORK, NEW YORK 10110 | 212-382-3300
Limiting Physical Access to Servers and Computers
Given physical access to organizations’ servers and computers, a malicious actor could infect the information technology environments, download client or proprietary information, install unauthorized wireless routers, or steal computer hard drives. Therefore, access to computers and servers by employees, vendors, or consultants should be carefully monitored. To prevent unauthorized access, server rooms should be locked at all times. While access may be controlled with key cards or regular keys, key card systems have the advantage of being able both to grant authorization and permit identification, allowing organizations to maintain records of which employees have accessed the server room.
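The two controls the bulletin ties to key card systems, revoking credentials when employees leave and keeping records of who opened the server room, are only useful if someone actually reviews the records. The following is an added example of such a review, not code from the bulletin or the firm; the CSV export format, the roster, the door names and the badge ids are all constructed for illustration.

```python
"""Review key-card access logs against the HR roster and the server-room
authorization list.  Added example; the log format, roster fields and door
names are constructed for illustration, not taken from the bulletin."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: badge id -> separation date (None = still employed).
ROSTER = {"E1001": None, "E1002": date(2015, 3, 13), "E1003": None}
# Constructed list of badges approved for the server room.
SERVER_ROOM_AUTHORIZED = {"E1001"}

# Constructed badge-system export: timestamp,badge_id,door,result
BADGE_LOG = """\
2015-03-16T08:02:11,E1001,LOBBY-TURNSTILE,GRANTED
2015-03-16T08:05:40,E1002,LOBBY-TURNSTILE,GRANTED
2015-03-16T09:14:03,E1003,SERVER-ROOM,GRANTED
2015-03-16T09:20:55,E1001,SERVER-ROOM,GRANTED
2015-03-16T18:31:07,E1002,SERVER-ROOM,DENIED
2015-03-16T19:02:44,E9999,LOBBY-TURNSTILE,GRANTED
"""

@dataclass(frozen=True)
class Event:
    when: datetime
    badge: str
    door: str
    granted: bool

def parse_log(text):
    """Parse the CSV export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), badge, door, result == "GRANTED"))
    return events

def review(events, roster, server_room_authorized):
    """Return findings as 'CODE badge door timestamp' strings, in log order."""
    findings = []
    for e in events:
        stamp = f"{e.badge} {e.door} {e.when.isoformat()}"
        if e.badge not in roster:
            # Badge is not tied to anyone on the roster: unknown credential.
            findings.append(f"UNKNOWN_BADGE {stamp}")
            continue
        separated = roster[e.badge]
        if separated is not None and e.when.date() > separated:
            # Credential still live after the separation date: a revocation gap.
            code = "STALE_CREDENTIAL_USED" if e.granted else "STALE_CREDENTIAL_ATTEMPT"
            findings.append(f"{code} {stamp}")
        if e.door == "SERVER-ROOM" and e.granted and e.badge not in server_room_authorized:
            # Server room opened for a badge outside the approved list.
            findings.append(f"SERVER_ROOM_UNAUTHORIZED {stamp}")
    return findings

def run_review():
    return review(parse_log(BADGE_LOG), ROSTER, SERVER_ROOM_AUTHORIZED)

if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

Run daily against the badge system's export, the STALE_CREDENTIAL findings show where the offboarding checklist and the access control system have drifted apart, and the SERVER_ROOM findings give the access record the bulletin asks organizations to maintain.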
Although telecommunications equipment and corporate servers are often co-located in the same room, organizations should consider, where possible, separating this equipment so that vendors or employees may only access that equipment for which they have a need. Alternatively, or for added security, organizations may consider using locking server racks, which add a layer of defense by preventing unauthorized access to computer hard drives, ports, and cables.
Proper Handling and Disposal of Used Hardware and Storage Media
All hardware equipment should be tagged and inventoried when initially configured so that it can be tracked throughout its life cycle. This includes periodically inventorying all hardware to ensure that nothing is unaccounted for. Before a computer is removed from a facility for disposal, hard drives should be securely wiped or physically destroyed. Storage media with sensitive client data or confidential proprietary information should be clearly labeled and secured. Organizations should treat any unlabeled media as confidential until it is determined otherwise. Storage media should be rendered unreadable before disposal. This requires degaussing of magnetic storage media, and grinding or shredding optical storage media. Upon disposal, inventory records of hardware and storage media should be updated to reflect their disposal.
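The life-cycle rules above (tag on configuration, periodic inventory, wipe or destroy before disposal, update the record on disposal) can be enforced in the asset register itself rather than left to a checklist. The following is an added example, not code from the bulletin or the firm; the asset tags, state names and sample inventory scan are constructed.

```python
"""Hardware asset register with an enforced life cycle and periodic inventory
reconciliation.  Added example; tags, states and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Allowed life-cycle transitions: an asset cannot jump straight to disposed.
TRANSITIONS = {"in_service": {"pending_disposal"}, "pending_disposal": {"disposed"}, "disposed": set()}
SANITIZATION_METHODS = {"wiped", "destroyed", "degaussed", "shredded"}

@dataclass
class Asset:
    tag: str
    description: str
    state: str = "in_service"
    sanitization: str = ""            # how the media was rendered unreadable
    history: list = field(default_factory=list)

class Register:
    def __init__(self):
        self.assets = {}

    def add(self, tag, description):
        """Tag and record an asset when it is first configured."""
        self.assets[tag] = Asset(tag, description)

    def transition(self, tag, new_state, on, sanitization=""):
        a = self.assets[tag]
        if new_state not in TRANSITIONS[a.state]:
            raise ValueError(f"{tag}: {a.state} -> {new_state} is not an allowed transition")
        if new_state == "disposed" and sanitization not in SANITIZATION_METHODS:
            # Refuse to close the record without a wipe/destruction entry.
            raise ValueError(f"{tag}: cannot dispose without a sanitization record")
        a.sanitization = sanitization or a.sanitization
        a.history.append((on, a.state, new_state))
        a.state = new_state

    def reconcile(self, scanned_tags):
        """Compare a physical inventory scan against the register."""
        scanned = set(scanned_tags)
        registered = set(self.assets)
        expected = {t for t in registered if self.assets[t].state != "disposed"}
        return {
            "missing": sorted(expected - scanned),            # on the books, not found
            "unregistered": sorted(scanned - registered),     # found, never tagged
            "disposed_but_present": sorted(scanned & (registered - expected)),
        }

def demo():
    """Walk a small constructed register through disposal and an inventory."""
    reg = Register()
    for tag, desc in [("HW-0001", "file server"), ("HW-0002", "laptop"), ("HW-0003", "NAS")]:
        reg.add(tag, desc)
    reg.transition("HW-0002", "pending_disposal", date(2015, 3, 2))
    reg.transition("HW-0002", "disposed", date(2015, 3, 9), sanitization="wiped")
    reg.transition("HW-0003", "pending_disposal", date(2015, 3, 10))
    rejected = []
    for args in [("HW-0003", "disposed", date(2015, 3, 11)),            # no sanitization record
                 ("HW-0001", "disposed", date(2015, 3, 11), "wiped")]:  # skips pending_disposal
        try:
            reg.transition(*args)
        except ValueError as exc:
            rejected.append(str(exc))
    return reg.reconcile(["HW-0001", "HW-0002", "HW-0004"]), rejected
```

The reconcile output is the "nothing is unaccounted for" check: a disposed asset still on the floor is as much a finding as a registered one that cannot be found.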
Protecting Hardcopies of Client Data and Proprietary Information
Even in today’s increasingly digital environment, organizations produce and maintain substantial volumes of hardcopy documents containing sensitive client data or confidential proprietary information. The loss of this information is no less significant when accomplished through the misappropriation of hardcopy documents than when exfiltrated from the corporate network. Therefore, organizations should incorporate policies that require that hardcopy documents be properly secured from printing through disposal.
If sensitive or confidential information is printed to a shared network printer, documents should not be left unattended. Organizations should consider adopting clean desk policies, which require employees to remove documents with sensitive client or corporate data from their desk at the end of the day or when leaving for extended periods of time. Hardcopy documents should be locked in desks and/or in filing cabinets when not being used, and keys to these drawers or cabinets should not be left unattended. When a document with sensitive or confidential information is no longer needed, the document should be deposited in a locked bin for disposal by shredding. Vendors hired to collect and shred documents should be vetted for compliance with auditable standards of practice, such as those issued by the National Association of Information Destruction. For compliance purposes, organizations should obtain confirmation reports that the documents were properly destroyed, particularly if the document destruction occurs offsite.
Conclusion
Employees, vendors, consultants, and visitors all have access to organizations’ offices, which provides the opportunity to collect, review, or record hardcopy documents, or access information technology equipment in an unauthorized manner. The issues presented herein are among the physical threats and possible responses that should be considered when drafting information security and data privacy policies and procedures. As with all information security and data privacy measures, organizations should design corresponding compliance documentation to ensure that policies and procedures are being carried out.
For further information, please contact:
Jason E. Glass, (212) 382-3300, jglass@wmd-law.com
Frederick R. Kessler, (212) 382-3300, fkessler@wmd-law.com
Steven S. Fitzgerald, (212) 382-3300, sfitzgerald@wmd-law.com
William F. Dahill, (212) 382-3300, wdahill@wmd-law.com
Ryan A. Kane, (212) 382-3300, rkane@wmd-law.com
David H. Wollmuth, (212) 382-3300, dwollmuth@wmd-law.com
This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore, the information contained in this memorandum does not represent, and should not be regarded as, the view of any particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of assistance regarding these important developments. The names and office locations of all of our partners, as well as additional memoranda, can be obtained from our website, www.wmd-law.com. The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP assumes no liability in connection with the use of this publication.