9.4. Gentle Reminder
Which technology is used to authenticate users for access to facilities and computers does not matter much if the correct steps are not taken in other areas. For example, consider the situation where physical access to certain areas is typically denied, but after 5:00 p.m., janitors can roam freely.
Proper disposal of documents would be another classic example. As has been demonstrated from several embarrassing incidents, mere shredding is often not enough. Unless a cross-cut shredder is used, software can detect which pieces join together by noticing the perforations and patterns left by the shredder cutting wheels. Computer graphics allows researchers to manipulate the bits of paper with a mouse. Sophisticated algorithms can reassemble sentences, performing trial fits that archivists can use to detect how a torn page might be reassembled. And all of this assumes that the document was even shredded, not merely ripped or folded. Physical security must be augmented by coaching users to destroy sensitive documents (with a cross-cut shredder). And everybody must keep an eye out for dumpster divers.
Similarly, access systems that cannot easily be fooled can usually be evaded and talked around. Would it take more than acquiring a pair of coveralls in the color of an overnight delivery firm? Or wandering in with a telephone communications test set on the belt and holding a clipboard? Also, what good is it if every employee is given a background check, equipped with a fancy token and prohibited from entering certain areas, while transient employees and vendors wander freely with their pails, vacuums, and clipboards? To be effective, physical security must apply to all hands.