I am looking to test how the robustness of security through our employees onsite. I was hoping to attend a location and see if employees allow me into protected areas and if I am able to perform actions (such as take a computer, get access to the server room, put in a USB etc) to prove that employees need more cyber security awareness training.
Does anyone have an audit plan/framework for this sort of testing they could possibly share?
Thanks
Do not even think about doing this until you have received formal written permission detailing the actions permitted and that is on file with your personal lawyer. What you are proposing could easily be viewed as a disgruntled employee attacking their employer, potentially quickly escalating into involvement from law enforcement and corporate lawyers.
To protect our own staff, pen testing is an activity my employer hires out to a 3rd party experienced in the task and that understands which legal agreements are required.
@thecloseman wrote:I was hoping to attend a location and see if employees allow me into protected areas and if I am able to perform actions (such as take a computer, get access to the server room, put in a USB etc) to prove that employees need more cyber security awareness training.
When in doubt, refer to NIST. They have a special publication (SP 800-12) that might help you out. That said, the nature of testing physical security is very site-specific, as is the degree to which management or even a board may be OK with this. Personally, I wouldn't test it. I would demonstrate it as part of a security awareness program and make certain points of emphasis. There are a whole host of issues that could arise, not the least of which is your own safety or the inherent risk that someone calls the cops. The mantra that was passed on to me once was "Test systems; teach people." As effective as a test against people may seem, it can trigger embarrassment or paranoia and any number of negative or counterproductive human responses. Showing people how to defeat a lock, clone a card system, etc. is neat, but saying "hey the front desk person just let me walk right in," could trigger some distracting negatives.