Appropriate device locks SHALL be implemented for all critical systems and for all workstations located in publicly accessible areas, and SHOULD be issued to employees for use with mobile company assets.
Control Type: Physical
Control Function: Preventive
When people hear the word "cybersecurity," they tend to think mainly of operations that protect networks and digital information. While this is true, many forget that physical security is just as important for thorough cyber defense. Theft of and unauthorized tampering with assets are major threats that need to be addressed in an information security program. Physical security is also important for developing legitimate Defense in Depth capabilities.
One of the simplest yet most effective physical security controls is the device lock. These are locks used to physically secure devices like servers and workstations. Attackers can often still find ways to bypass device locks, but the locks will significantly slow their progress, allowing law enforcement and incident response teams to go into action and hopefully thwart their activity.
Cable locks come in several formats, each suited to different types of hardware and components. Below are some specific categories of device lock:
- Switch Controls: Cover power switches/buttons on devices to prevent unauthorized shutdown attempts.
- Slot Locks: A bracket physically mounted to the device is connected to a cable, which is then connected to a stationary component.
- Port Controls: Block access to unused device ports to prevent malicious tampering.
- Peripheral Switch Controls: Add an extra layer of security by placing an ON/OFF switch between a system and the keyboard/mouse input slot.
- Cable Traps: Prevent the disconnection of external components by running their cables through a locked unit.
At a minimum, you should consider implementing device locks for critical network infrastructure devices, such as servers, routers, and firewalls. These systems can easily be secured to racks or cabinets within server rooms. Since their external components should rarely be configured or tampered with, cable traps can be a good addition. It is also heavily recommended that you implement device locks on all systems located in publicly accessible areas, such as kiosks and front desk workstations. Specific device locks, such as Slot Locks and Switch Controls, are heavily recommended for mobile devices such as laptops that will be utilized in various unsecured areas, such as airports, libraries, and coffee shops. If your business conducts the majority of its work remotely, you should consider issuing appropriate slot locks to remote workers and setting a policy for their use in unsecured areas. The Kensington Lock is a popular solution for mobile device locking.
