Policies, Procedures & Physical Security
The most sophisticated firewall in the world won't stop someone walking out the door with a hard drive. This lesson covers the organisational and physical side of security - access control, policies, physical measures, penetration testing, and backups.
Every password was strong. Every port was locked down. The firewall hadn't let a single unauthorised packet through in three years. Then a contractor walked into the server room - which was unlocked, as it often was - plugged in a USB drive, copied the entire customer database, and walked out. The door was never even on anyone's radar as a security risk.
Technical measures are essential - but they protect the digital layer. Policies, procedures and physical security protect the human and physical layer. A complete security strategy needs both.
Scenario questions often ask you to identify security weaknesses. If the scenario involves someone being in the wrong place, accessing things they shouldn't, or a disaster destroying data - think physical security, access control, and backups. These aren't just background topics - they're full-mark opportunities.
User access levels and acceptable use policies
The principle of least privilege: every user should have only the minimum access rights needed to perform their role. A teacher needs access to mark books and registers. They should not have access to the payroll system, other teachers' personal files, or system administration tools.
Access levels are typically managed through user accounts and permissions. An administrator account has the highest access; a guest account the lowest. Strictly enforcing these limits means that if an account is compromised, the attacker can only access what that account can access - not the whole system.
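An access review puts this into practice. The Python below is an added example, not part of the original lesson: it compares what each account has been granted with the minimum its role needs, and lists what an attacker could reach through one compromised account. The role names, permission names and accounts are all constructed for illustration.

```python
# Added example: least-privilege access review (all names are constructed).

# Minimum rights each role needs to do its job (assumed for illustration).
ROLE_NEEDS = {
    "teacher": {"mark_books", "registers"},
    "payroll_clerk": {"payroll"},
    "administrator": {"mark_books", "registers", "payroll", "system_admin"},
    "guest": set(),
}

# Constructed sample of what each account has actually been granted.
ACCOUNTS = {
    "t.jones": {"role": "teacher", "grants": {"mark_books", "registers"}},
    "t.patel": {"role": "teacher", "grants": {"mark_books", "registers", "payroll"}},
    "visitor1": {"role": "guest", "grants": {"registers"}},
    "p.smith": {"role": "payroll_clerk", "grants": {"payroll"}},
}


def review_account(account):
    """Compare one account's grants with what its role needs."""
    # An unknown role needs nothing, so every right it holds counts as excess.
    needed = ROLE_NEEDS.get(account["role"], set())
    return {
        "excess": account["grants"] - needed,   # rights to remove
        "missing": needed - account["grants"],  # rights the role still lacks
    }


def audit(accounts):
    """Return the accounts that break least privilege, with their excess rights."""
    findings = {}
    for name, account in accounts.items():
        excess = review_account(account)["excess"]
        if excess:
            findings[name] = sorted(excess)
    return findings


def exposure_if_compromised(name, accounts):
    """Everything an attacker could reach using this one account."""
    return sorted(accounts[name]["grants"])


if __name__ == "__main__":
    for name, excess in audit(ACCOUNTS).items():
        print(f"{name}: remove {', '.join(excess)}")
    print("t.patel compromised ->", exposure_if_compromised("t.patel", ACCOUNTS))
```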
An Acceptable Use Policy is a document that sets out the rules governing how an organisation's IT systems may be used. It defines what is permitted, what is prohibited, and what the consequences of violations are.
A typical school AUP might prohibit accessing social media on school devices, downloading files without authorisation, attempting to bypass content filters, or sharing account credentials. An employee AUP might restrict personal use of company devices, prohibit installing unlicensed software, and require reporting of suspicious activity.
Physical security, penetration testing and backups
Physical security restricts who can physically access hardware, servers, and sensitive areas. No amount of software security prevents an attacker who can physically sit at an unlocked server.
Physical measures include: locked server rooms with keycard or biometric access; CCTV monitoring to deter and record unauthorised access; cable locks to prevent device theft; visitor sign-in procedures; and secure disposal of old hardware (destroying hard drives before disposal).
Penetration testing (pen testing) is authorised, ethical hacking. An organisation hires security professionals to simulate real attacks on their systems - attempting to break in using the same techniques malicious attackers would use.
The goal is to find and fix vulnerabilities before attackers discover them. A successful pen test might find an unpatched server, a poorly configured firewall, staff who respond to simulated phishing emails, or a server room with weak physical access controls.
A backup is a copy of data stored separately from the original, enabling recovery if data is lost, corrupted, or encrypted by ransomware. Regular backups are one of the most critical security measures for business continuity.
Backup best practice (the 3-2-1 rule): keep 3 copies of data, on 2 different types of media, with 1 stored off-site (or in the cloud). This ensures that a single disaster - fire, flood, ransomware - cannot destroy all copies.
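The Python below is an added example, not part of the original lesson: it checks a backup plan against each part of the 3-2-1 rule and then works out which copies survive a single disaster. The sample plans are constructed, and the "online" flag (whether a copy is permanently connected to the network and so reachable by ransomware) is an assumption of this example.

```python
# Added example: check a backup plan against the 3-2-1 rule (sample data is constructed).

# Each copy of the data: what it is stored on, where it is kept, and whether it
# is permanently connected to the network ("online" is this example's assumption).
PLAN_WEAK = [
    {"name": "live server", "media": "hard disk", "site": "school", "online": True},
    {"name": "NAS backup", "media": "hard disk", "site": "school", "online": True},
]
PLAN_GOOD = PLAN_WEAK + [
    {"name": "weekly tape", "media": "tape", "site": "off-site store", "online": False},
]


def check_321(copies, main_site):
    """Return the 3-2-1 requirements the plan fails (empty list = passes)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        problems.append("all copies on one type of media, need 2")
    if not any(c["site"] != main_site for c in copies):
        problems.append("no copy stored off-site")
    return problems


def survivors(copies, disaster, main_site):
    """Names of the copies that are left after a single disaster."""
    if disaster in ("fire", "flood"):
        # A fire or flood destroys everything kept at the main site.
        return [c["name"] for c in copies if c["site"] != main_site]
    if disaster == "ransomware":
        # Assumption: ransomware encrypts every copy it can reach over the network.
        return [c["name"] for c in copies if not c["online"]]
    raise ValueError(f"unknown disaster: {disaster}")


if __name__ == "__main__":
    for label, plan in (("weak", PLAN_WEAK), ("good", PLAN_GOOD)):
        print(label, "plan problems:", check_321(plan, "school") or "none")
        for disaster in ("fire", "flood", "ransomware"):
            left = survivors(plan, disaster, "school")
            print(f"  after {disaster}: {left or 'NO COPIES LEFT'}")
```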
Penetration testing identifies security vulnerabilities. However, some people argue that it creates risks because the testers learn how to break into the system. Evaluate whether the benefits of penetration testing outweigh the risks.
Risks: The pen testers gain detailed knowledge of the system's weaknesses. If a tester later becomes malicious or their findings are leaked, this information could be exploited. There is also a risk of disruption during the testing process itself.
Evaluation: On balance, the benefits significantly outweigh the risks. The vulnerabilities exist whether or not they are tested - a pen test simply finds them first. Reputable pen testing firms operate under strict legal agreements (non-disclosure, indemnity clauses), and the alternative - discovering vulnerabilities only after a real breach - is far more damaging. The risks are manageable; the consequences of ignoring vulnerabilities are not.