Physical Security when networking

written by: Maggie Shawman; article published: year 2007, month 06;



It's actually pretty easy to practice due diligence with physical security. You've just got to be meticulous and consistent, and take it seriously. Pretend that someone could burglarize you personally if you're not careful. It might help to pretend that you live in New York.

In all seriousness, physical security is where the battle can easily be lost—although it can't be totally won with just physical safeguards. Little things like the ability to reboot a server from a floppy, or finding an unused username on a printout—or even finding a tape with a copy of a security database on it—make an intruder's job easier. Let's make it hard.

Here are some "DOs" and "DON'Ts" that will make your job a little easier, an intruder's life a little harder, and your data a little more secure:

DOs

· DO lock every wiring closet—and keep them locked.

· DO use switches rather than hubs, especially for LAN segments that have administrative users on them. (They still must be physically secure to ensure that someone can't access the switch and packet sniff via port mirroring.)

· DO change locks or door passcodes immediately when employees leave.

· DO erase hard drives, flash, and so on, when you take them out of service. Nobody's going to remember to do it before the surplus auction, and all sorts of passwords and/or sensitive data might be on them.

· DO erase old backup tapes before disposing of them.

· DO write nonsense data to magnetic media when you are erasing it. Dropping a partition table is NOT good enough. (Degaussing is okay, though.)

· DO use a paper shredder. Don't laugh. Dumpster diving is more common than you think.

· DO lock your server cabinets when you're not using them.

· DO restrict or forbid the use of modems on desktops; they are the number one method of bypassing your organization's security checkpoints.

· DO make sure that any "road" laptop or PDA has appropriate data protection software and hardware installed before deployment.

· DO consider whether user access to floppy disks or other removable media makes sense for your environment; they constitute a possible bypass of your security checkpoints.

· DO consider the use of smart cards/token-based security devices rather than passwords for administrative users or sensitive systems. Many operating systems now support token-based authentication in addition to passwords.

· DO remember that your phone PBXs also must be secured.
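
To illustrate the erasing items above (why dropping a partition table is not good enough, and what writing nonsense data accomplishes), here is an added example that is not part of the original article. It works on a constructed disk-image file; the function names, file name, and sample secret are all assumptions made for the illustration.

```python
import os
import tempfile

SECTOR, CHUNK = 512, 1024 * 1024
SECRET = b"admin:constructed-sample-password"  # constructed stand-in for sensitive data

def make_image(path, size=4 * CHUNK):
    """Constructed disk image: fake partition table in sector 0, secret deep in the data area."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.write(b"PARTTABLE".ljust(SECTOR, b"\xee"))
        f.seek(3 * CHUNK + 100)
        f.write(SECRET)

def drop_partition_table(path):
    """The insufficient 'erase': zero only the first sector."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def overwrite_all(path):
    """Overwrite every byte with random data and force it out of the OS cache."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

def contains(path, needle):
    """Scan the image for needle, including matches that straddle a chunk boundary."""
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if needle in tail + block:
                return True
            tail = block[-(len(needle) - 1):]
    return False

def demo():
    """Return (secret found after table drop, secret found after full overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "retired-disk.img")
        make_image(path)
        drop_partition_table(path)
        leaked = contains(path, SECRET)
        overwrite_all(path)
        return leaked, contains(path, SECRET)
```

Running `contains` over the media after the overwrite is the verification step worth keeping in a real decommissioning procedure. Flash media with wear leveling can hold remapped blocks that a host-side overwrite never reaches, so rely on the device's own sanitize function or physical destruction there.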

DON'Ts

· DON'T send off-site backups to unsecured locations.

· DON'T give keys to vendors. Let them in to do their work, and then politely wave bye-bye when they leave.

· DON'T allow anyone other than key personnel ad hoc access to the data center.

· DON'T share wire closets with user-oriented peripherals such as printers.

· DON'T put servers into unsecured areas.

· DON'T leave server keys attached to the back of a server. Believe it or not, other people will think of this, too.

· DON'T let cleaning people—or other untrusted service people—into secured areas without an escort.

· DON'T store any sensitive data on user hard drives—if you must, think about hard drive encryption products.

· DON'T discuss passwords or other sensitive information over unsecured channels such as cell phones, 800 MHz radios, or instant messaging.

· DON'T put consoles, keypads, or administrative workstations near windows.
