Physical security includes secure and restricted access to your data centres and places of business.
The Consumer Data Right gives Australians control of their data, which enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab and included in an assurance report for accreditation.
Physical security is one of the 24 requirements. The CDR takes a "carve-in" approach to third-party service providers. That means in addition to any physical security that you manage, we also need to review the physical security of your vendors that support the CDR environment. In a typical cloud software business, that's the data centre security by AWS, Google Cloud or Azure, and sometimes your office space that's usually managed by a third party.
It's easy to verify data centre security, as almost all providers these days have their own SOC 2 reports that include physical security. We review those as a formality to confirm the data centre security. Places of business are where it can get more tricky; many businesses now apply a remote-first approach, use co-working space, or otherwise don't enforce strict security of their premises.
Enter zero-trust security!
The physical security of your offices is losing relevance over time. The concept of zero-trust security is the way forward. That is, if you trust nobody and authenticate everybody regardless of their location, then the physical location of your team is less relevant from a security standpoint. That's combined with the reduction or elimination of physical documents, and acceptable use policies that require secure behaviours regardless of work location.
The result of these practices is that there's a low risk associated with the physical security of the office location and in many cases no different to how remote working is managed. In these cases, the physical security of places of business may be de-scoped or reduced scope accordingly.
What if your vendor doesn't have a SOC 2 report?
If your data centre or office provider doesn't have a SOC 2 report, the CDR still requires that you consider their physical security practices. This can be done through security questionnaires, site visits, your own audits, and leveraging other certifications or evidence that their physical security is effective. Assurance reports such as ASAE 3150 and SOC 1/2 follow a risk-based approach. The level of risk associated with the physical location (eg. data centre > office location) should inform the level of rigour in your assessment.
What's included in physical security?
Whether you're assessing a third-party provider, or your own physical security practices if you manage them yourself, the following practices should be considered.
- Access card readers and restrictions at all access points to the premises;
- Access should be approved, then removed when no longer required;
- Periodic (eg. quarterly) review of access to ensure it remains appropriate;
- CCTV / security personnel to monitor the premises;
- Visitor check-in logbook / reception staff;
- Acceptable Use Policy setting out required behaviours: preventing tailgating, closing access point doors, reporting lost/stolen access cards, not sharing access passes, etc.;
- Restricted administrator access for provisioning new access.
This list can go on for data centres that have more rigorous security practices like segmented access rooms, alarms on doors, and temporary access practices.
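To make the approval, removal and periodic review items above concrete, here is an added example (not code from the AssuranceLab post) of what a quarterly access review looks like when it is done as a data reconciliation rather than a visual check of a spreadsheet: a badge-system export is compared against the HR roster and the list of approved zone holders, and every badge that should be removed, is stale, or opens a zone its holder was never approved for becomes a finding for the reviewer. The field names, the 90-day stale threshold, the three finding types and all the sample data are constructed assumptions for illustration; real badge systems export different columns.

```python
"""Quarterly physical access review as a reconciliation.

Added example, not from the original post. All roster, approval and badge
data below is constructed; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str                 # HR identifier of the badge holder
    zones: FrozenSet[str]       # zones the badge currently opens
    last_used: Optional[date]   # last door event, None if never used


@dataclass(frozen=True)
class Finding:
    kind: str                   # "REMOVE", "STALE" or "UNAPPROVED_ZONE"
    badge_id: str
    detail: str


def review_access(badges: Iterable[Badge],
                  roster: Dict[str, str],
                  approvals: Dict[str, Set[str]],
                  as_of: date,
                  stale_days: int = 90) -> List[Finding]:
    """Return one finding per control failure, in badge order."""
    findings: List[Finding] = []
    for b in badges:
        # Control: access removed when no longer required (leaver still holds a badge)
        status = roster.get(b.holder)
        if status != "active":
            findings.append(Finding(
                "REMOVE", b.badge_id,
                f"holder {b.holder!r} is {status or 'not in HR roster'}"))
        # Control: access remains appropriate (badge unused for a long period)
        if b.last_used is None or (as_of - b.last_used).days > stale_days:
            findings.append(Finding(
                "STALE", b.badge_id,
                f"last used {b.last_used or 'never'}, threshold {stale_days} days"))
        # Control: access was approved (holder is on the approval list for every zone)
        for zone in sorted(b.zones):
            if b.holder not in approvals.get(zone, set()):
                findings.append(Finding(
                    "UNAPPROVED_ZONE", b.badge_id,
                    f"{b.holder!r} opens {zone!r} without a recorded approval"))
    return findings


# --- constructed sample data ------------------------------------------------
AS_OF = date(2024, 3, 31)  # review date (constructed)

HR_ROSTER = {               # HR identifier -> employment status (constructed)
    "alice": "active",
    "bob": "active",
    "carol": "active",
    "dave": "terminated",
}

ZONE_APPROVALS = {          # zone -> holders with a recorded approval (constructed)
    "office": {"alice", "bob", "carol", "dave"},
    "server-room": {"alice"},
}

BADGE_EXPORT = [            # constructed badge-system export
    Badge("B001", "alice", frozenset({"office", "server-room"}), date(2024, 3, 29)),
    Badge("B002", "bob",   frozenset({"office", "server-room"}), date(2024, 3, 26)),
    Badge("B003", "dave",  frozenset({"office"}),                date(2024, 3, 21)),
    Badge("B004", "carol", frozenset({"office"}),                date(2023, 12, 1)),
    Badge("B005", "erin",  frozenset({"office"}),                None),
]


def run_review() -> List[Finding]:
    return review_access(BADGE_EXPORT, HR_ROSTER, ZONE_APPROVALS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:16} {f.badge_id}  {f.detail}")
```

The output is the evidence an auditor asks for at the "periodic review" line item: a dated list of exceptions and, once each has been actioned, the ticket or sign-off that closed it. Keeping the approval list separate from the badge system is what lets the review catch a badge that was provisioned by an administrator without the corresponding approval.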
The CDR Perspective
Physical access to facilities where CDR data is stored, hosted or accessed (including server rooms, communications rooms, and premises of business operation) is restricted to authorised individuals. This will often be covered by third parties, which requires an assessment of their physical security practices through SOC 2 reports or a combination of other assessment activities.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.