Physical access to the IT infrastructure is the most basic level of network security, but it is frequently forgotten. Many organizations are very concerned about proprietary data leaking out of the company through the network. Unfortunately for those concerned, a magnetic tape or a stolen hard drive can be used just as effectively to export data.
That is not to say that logical security devices are not important; they are. It is simply vital to remember that such measures are only part of an overall security strategy. Security strategy should include physical security measures as well as logical ones. Physical security is about limiting access to equipment in order to prevent tampering, theft, human error, and the subsequent damage these actions cause.
Physical security measures may include placing servers and other associated equipment in a separate room, away from the prying eyes and wandering fingers of overcurious staff.
If servers cannot be secured by lockable racks, they should be password protected. Removing keyboards and mice is also a reasonable option. A safer and more efficient approach is to have remote monitoring and remote notification in place.
While unauthorized access may be easy to manage by careful server room placement and adequate security measures, authorized access brings its own challenges, such as when visiting contractors need access to the server room.
In a utopian environment, it would be nice to think that the server room contained nothing but computer equipment, but the reality is that there are likely to be telephone systems, wiring closets, air-conditioners, fire detection systems, and a host of other units, many of which will require outside contractors to maintain.
Physical access control using biometric authentication, video surveillance cameras, monitoring of visitors by a member of the IT staff, or even a good old-fashioned door lock may all be part of the solution.