Classification of information and segmented/layered security is best practice within logical and physical access procedures. It is also mandatory when you need to be compliant with ISO 27001, and it helps to comply with privacy regulations. Information classification and layered security are usually well implemented, but they are implemented without a common policy. These two forms of access management, physical and logical, should be complementary. Let us have a closer look at both implementations and at how to implement them as one.
Logical access security
Logical access mostly embraces information classification principles. Within ISO 27001 and the AICPA Trust Services Principles, information classification is a standard. Information should be classified based on its value, criticality, sensitivity and legal requirements (such as the privacy regulations). When authorizations are properly defined, access to information is restricted to appropriate individuals and in accordance with the defined classification scheme. Documentation can be publicly displayed, password protected, encrypted, or protected by multi-factor authentication, so that the controls that safeguard the information match its classification.
Physical access security
Both AICPA and ISO 27001 mention physical security and require that appropriate controls be implemented to ensure only authorized personnel have access to specific rooms, offices, and facilities. Physical security can be set up with segmentation (a different segment per group), layered security (fewer individuals authorized per layer) or a hybrid form. Mostly the implementation of authorization is based on the need to access a room (principle of least privilege). It is always interesting to see that the staff of the cleaning company are often the people with the most authorizations. As an example, the cleaning company needs to be able to clean a director's office, whereas a manager of operations is not able to access that room.
A powerful combination, physical access complementary to logical access
Information such as documentation is usually classified where information classification is implemented. E-mail and other forms of information (whiteboards, hardcopy contracts, written notes) are not always classified. Therefore, physical access security should be complementary to logical access security and based on the same information classification. If a room can contain highly classified information, you do not want a cleaning company to access that room without supervision (just as you do not give the cleaning company network access to highly classified information). Physical access controls based on information classification should be implemented in synchronization with the logical access controls.
When two-factor authentication is needed to access certain folders or applications, printed information of the same classification level also needs two-factor authentication. For example, if you need a password and a token to access a company's financial application, the closets that contain the financial administration must also use two-factor authentication, for example a key and a cipher lock.
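To make the synchronization described above checkable, here is an added example (not code from the original article) in which a constructed classification scheme assigns the same minimum number of authentication factors to a folder or application and to the room or closet holding information of the same level, and an audit flags locations that fall short or that service roles such as cleaning may access unsupervised. The level names, factor counts, role names and the inventory are all assumptions.

```python
from dataclasses import dataclass

# Constructed classification scheme, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]
# Minimum authentication factors per level, applied to BOTH domains:
# logical (password=1, password+token=2) and physical (key=1, key+cipher lock=2).
REQUIRED_FACTORS = {"public": 0, "internal": 1, "confidential": 2, "secret": 2}
# Service roles may only access locations at or above this level under supervision.
SUPERVISION_FROM = "confidential"
SERVICE_ROLES = {"cleaning"}

@dataclass
class Location:
    name: str
    domain: str          # "logical" (folder, application) or "physical" (room, closet)
    classification: str  # highest classification of information held there
    factors: int         # authentication factors actually enforced
    unsupervised: set    # roles that may access it without supervision

def check_location(loc):
    """Policy violations for one location, logical or physical alike."""
    findings = []
    required = REQUIRED_FACTORS[loc.classification]
    if loc.factors < required:
        findings.append(f"{loc.name} ({loc.domain}): {loc.factors} factor(s) enforced, "
                        f"'{loc.classification}' requires {required}")
    if LEVELS.index(loc.classification) >= LEVELS.index(SUPERVISION_FROM):
        for role in sorted(SERVICE_ROLES & loc.unsupervised):
            findings.append(f"{loc.name} ({loc.domain}): '{role}' has unsupervised "
                            f"access to '{loc.classification}' information")
    return findings

def weakest_link(locations):
    """Lowest factor count per level across both domains: the effective control strength."""
    weakest = {}
    for loc in locations:
        weakest[loc.classification] = min(weakest.get(loc.classification, loc.factors), loc.factors)
    return weakest

def audit(locations):
    return [finding for loc in locations for finding in check_location(loc)]

# Constructed inventory: the finance application needs password + token, but the closet
# holding the printed financial administration has only a key, and the cleaners may open it.
INVENTORY = [
    Location("Finance application", "logical", "confidential", 2, {"finance"}),
    Location("Finance archive closet", "physical", "confidential", 1, {"finance", "cleaning"}),
    Location("Director's office", "physical", "secret", 2, {"director", "cleaning"}),
    Location("Intranet", "logical", "internal", 1, {"staff", "cleaning"}),
]
```

Running `audit(INVENTORY)` reports the closet's single factor and the cleaners' unsupervised access to the closet and the director's office, while `weakest_link(INVENTORY)` shows that the effective strength of the "confidential" control is one factor, whatever the application enforces.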
Information security is only as strong as its weakest link. To oversee the complete picture, risk managers and compliance officers must be involved.