14

What are good resources for the physical security questions that IT organizations face? Like best practices for locks and seals on servers and kiosks, personnel access mechanisms and policies, disaster recovery plans.

I'm looking for conferences, journals, books, blogs, etc.

nealmcb
  • 20,544
  • 6
  • 69
  • 116

5 Answers

7

Check out The Core Group http://enterthecore.net/

They offer training sessions at the Black Hat conference (and other conferences):
"PHYSICAL PENETRATION TESTING"
https://www.blackhat.com/html/bh-us-11/training/core-pentest-intro.html
https://www.blackhat.com/html/bh-us-11/training/core-pentest-advanced.html

Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access, as well as how to compromise most existing physical security in order to gain access themselves. Attendees will not only learn how to distinguish good locks and access control from poor ones, but will also become well-versed in picking and bypassing many of the most common locks used in North America in order to assess their own company's security posture or to augment their career as a penetration tester.

Videos by Deviant Ollam: http://deviating.net/lockpicking/videos.html
(and his book: http://www.amazon.com/Practical-Lock-Picking-Physical-Penetration/dp/1597496111/)

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
  • 3
    Can't wait for workshops at Blackhat demonstrating the best rubber-hose cryptanalysis techniques. As in intro course: phonebook usage, advanced: lead pipe, the missing thing in your toolbox – Bruno Rohée May 28 '11 at 17:25
  • Bruno is funny. I like him. +1 to Everyone! – atdre Jun 05 '11 at 18:33
4

The German BSI has got some resources too. The download is a whopping 24MB in size, but has got a fairly good overview regarding best practices, also for physical security.

kindofwhat
  • 299
  • 1
  • 2
4

The Journal of Physical Security (JPS) is "The first scholarly, peer-review journal devoted to physical security R&D". It was started by the Los Alamos National Laboratory in 2004, and now operates under the auspices of the Argonne National Laboratory. It is online and free, though some papers are not peer-reviewed. It compares very well to the plethora of trade magazines on security which tend to not critically review claims of their writers and advertisers.

I particularly like their work on Defeating Existing Tamper-Indicating Seals - Nuclear Engineering Division (Argonne), and their recommendations for “anti-evidence” seals: Developing Novel Approaches to Tamper & Intrusion Detection.

Roger Johnston is the editor of APS, and his presentation at USENIX Security '10 was excellent: Security blunders 'dumber than dog snot' - CSO Online - Security and Risk. Some great examples of "security theater" there.

Another resource is TOOOL: The Open Organisation Of Lockpickers

pacoverflow
  • 262
  • 1
  • 10
3

A lot of the holistic security work I have done does try to work out where organisations are relative to peers in industry across all security disciplines. Physical security is often a finger-in-the-air, "do we look better than the building next door?" kind of thing.

Documented best practice does not appear to be as common as in other areas of security. I think it is because people feel like they understand physical security better than some of the more esoteric branches.

Social engineering / breaking and entering are my two tools to try and persuade organisations to improve here.

I hadn't seen the German BSI docs before, though - worth adding to the list.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
2

The CISSP course material has one CBK on physical security.
Though I wouldn't necessarily recommend it (much as any other mile-wide topic from CISSP...), there is a lot of information there with regard to placement of guards, locks, gates, etc., and also HVAC and such.

I would say that I found the quality of information therein mixed - I had the advantage of comparing this to the real-world practices of a certain national police force, which by any measure can be considered "relatively secure"... - some of the CISSP material compared favorably, some did not...

As @Rory mentioned, social engineering still trumps all.

AviD
  • 72,138
  • 22
  • 136
  • 218