Use this checklist to evaluate your physical security risk and to identify what you can do to prevent break-ins, harm to employees, legal liability, and security breaches.
Building is surrounded by intact fence (no holes, gaps, streams under fence, etc.)
Clear zone of at least 20’ exists both inside and outside of entire fence
Fence is monitored by security cameras and/or guards
Fence is inspected regularly (how often _____________)
No vegetation (where someone could hide) grows within 20’ of building perimeter
Area within 20’ of building perimeter is well lit at night with lights that (1) have auxiliary power source and (2) turn on automatically at dusk
Parking area is monitored by security cameras and/or guards
Parking area is well lit at night
Electricity received from two separate substations or, better, two separate power plants
Phone/network connectivity is available from multiple providers
Power/phone/network lines are underground, if possible
Water is available from multiple sources (including well)
Dumpsters contain no sensitive trash and are monitored by cameras
Alarm system is monitored, regularly tested, and has auxiliary power source
Alarm panel is secured behind locked door
Alarm panel offers a duress code
Generator(s) are alarmed
Building is protected by fire alarm and sprinkler system.
Fire detection equipment is inspected and regularly tested.
Contact information for fire / burglar alarm companies is easily accessible
For Each Exterior Door or Gate
Closes securely and does not need repair
Outside hinges hidden/protected from vandalism
Ideally requires automated unique identifier to open (swipe card, badge, retina, fingerprint).
Less ideal: key access, shared code access
If keys exist, they’re all stamped with “Do Not Duplicate”
Access is disabled when an employee leaves the company. If key-based, locks are changed
Automatically locks when closed, but still able to open from the inside.
Sounds an alarm if propped open, or if opened during business hours when employees should not be using it
Alarmed during non-business hours
Monitored by a receptionist, security guard, etc. during business hours
Monitored by a monitored/recorded security camera
If regularly left open, secured from the inside with a locked gate
Well lit from the outside at night
All exterior windows (esp. on first floor) alarmed and protected with locks/mesh.
Roof access (doors, skylights) securely locked from the inside and alarmed.
Basement doors / man-sized ducts are securely locked from the inside and alarmed.
Each Work Area
Visitors are controlled through a combination of visitor badges, visitor logs, and constant escort. Visitors cannot access work areas without these measures.
Employees are trained to greet any unknown visitors
Computers are marked with clear asset tags and/or engravings
Computers provide information before login about who to contact if lost or stolen
Computers are physically locked to work areas
Computers are not visible from first floor windows and monitors are turned off overnight (to suppress monitor glow)
Computers are plugged into surge protection devices
Sensitive paper records are either kept in locked file cabinets or are shredded
Areas with key paper records are protected by fire detection and sprinkler systems
Cleaning staff always work in groups of two
Each work area has fire extinguishers which are periodically inspected/tested
Fire alarm systems are tested periodically through live drills
Building is equipped with multiple staircases, fire stairwells and/or fire escapes
Any areas with drop ceilings prevent access to sensitive areas (e.g., wire mesh)
Sensitive areas don’t allow access (e.g., air ducts, drop ceilings) from public areas
Emergency lighting exists in the event of a power outage
Floors are clear of wiring, or wiring is permanently attached to floor
Outlets are not overloaded with cords
The key controls listed in this checklist are explained in employee training and policy
Each Computer Room
No window to the outside (unless required for fire laws)
No more than two doors; all are fireproof, close securely, and are not in need of repair
Doors are controlled by automatic authentication, with access limited to a small number of people.
Door hinge pins are concealed or welded to prevent removal from outside.
Doors have signage indicating restricted access, food/drink/smoking not allowed
Room has access to redundant power, network, and cooling
The temperature is kept between 55-75% and humidity is between 20-80% and is automatically monitored
Protected by total flooding agent (e.g., halon) sprinkler system (NOT wet sprinkler system)
Room has sufficient fire extinguishers
Room has emergency power off switches
Systems are protected by UPS and/or generator for no less than 24 hours.
Contract is in place for a week’s worth of fuel on demand.
Emergency power is regularly tested.
Cleaning staff are never left unattended in room.
Room is alarmed after hours.
Computer room is not located under any plumbing or rooms with water.
Smoke and heat alarms are installed inside and directly outside computer room.
Computer room has manual fire alarms.
Emergency lighting exists in the event of a power outage
Servers are physically locked within the computer room.
Computers are marked with clear asset tags and/or engraving