一键导入
physical-security
Home office security controls, equipment protection, and environmental security for remote operations
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Home office security controls, equipment protection, and environmental security for remote operations
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
| name | Physical Security |
| description | Home office security controls, equipment protection, and environmental security for remote operations |
| license | Apache-2.0 |
| version | 1.0 |
| author | Hack23 AB |
| tags | ["physical-security","home-office","equipment-protection","environmental-security","clean-desk-policy"] |
| category | security |
| frameworks | ["ISO 27001:2022","NIST CSF 2.0","CIS Controls v8.1"] |
| related_policies | ["Physical_Security_Policy.md","Asset_Register.md","Information_Security_Policy.md"] |
This skill enforces physical security controls for home office environments, equipment protection, and environmental security. Based on Hack23 AB's Physical Security Policy, it demonstrates how enterprise-grade physical security is achievable for remote-first operations.
Key Principle: Physical security isn't just locks and guards—it's layered protection for remote work environments where traditional perimeter security doesn't exist.
This skill covers:
Physical security controls you MUST implement:
🏠 Workspace Security
home_office_requirements:
dedicated_workspace: required
lockable_door: recommended
window_security: blinds_or_curtains_required
visitor_visibility: minimize_screen_visibility
secure_storage: lockable_cabinet_or_drawer
backup_media: fireproof_safe_or_offsite_storage
💻 Equipment Protection
device_security:
laptops:
- physical_lock_cable: when_in_public_spaces
- full_disk_encryption: mandatory
- screen_privacy_filter: recommended_for_sensitive_work
- automatic_screen_lock: 5_minutes_idle_maximum
- boot_password: BIOS/UEFI_password_required
mobile_devices:
- screen_lock: biometric_or_strong_PIN
- device_encryption: mandatory
- remote_wipe_capability: enrolled_in_MDM
- physical_protection: use_protective_case
storage_media:
- encryption: all_removable_media_encrypted
- labeling: classification_labels_applied
- secure_storage: locked_cabinet_when_not_in_use
- disposal: secure_wipe_or_physical_destruction
🌡️ Environmental Controls
environmental_protection:
fire_safety:
- smoke_detectors: installed_and_tested_monthly
- fire_extinguisher: accessible_and_inspected
- evacuation_plan: documented_and_practiced
- electrical_safety: no_overloaded_circuits
water_damage:
- equipment_placement: elevated_off_floor
- leak_detection: water_sensors_near_equipment
- backup_protection: waterproof_bags_for_critical_items
climate_control:
- temperature_range: 15-25°C_optimal
- humidity_control: 30-60%_relative_humidity
- ventilation: adequate_airflow_for_equipment
🧹 Clean Desk/Screen Policy
information_protection:
end_of_day:
- lock_sensitive_documents: secure_cabinet_or_safe
- secure_removable_media: encrypted_and_locked_away
- log_out_of_systems: all_sessions_terminated
- screen_lock: automatic_lock_enabled
- shred_confidential_waste: cross_cut_shredder
during_work:
- minimize_paper: digital_first_approach
- classify_documents: apply_classification_labels
- visitor_awareness: hide_sensitive_information
- screen_positioning: away_from_windows_and_visitors
👥 Visitor Management
home_office_visitors:
before_visit:
- schedule_visitors: avoid_overlap_with_sensitive_work
- prepare_workspace: secure_all_confidential_materials
- screen_positioning: ensure_no_visibility_of_work
during_visit:
- lock_screens: all_devices_locked
- escort_required: visitor_never_left_alone_in_workspace
- conversation_awareness: avoid_discussing_confidential_matters
after_visit:
- verify_security: check_all_devices_and_documents_secure
- access_review: review_system_access_logs_if_visitor_near_devices
Physical security practices you MUST NOT do:
❌ Equipment Exposure
prohibited_practices:
- leave_devices_unlocked: in_public_or_shared_spaces
- work_in_public: with_sensitive_data_visible_to_others
- store_devices_visibly: in_vehicles_or_unsecured_locations
- share_workspace: with_unauthorized_individuals_during_sensitive_work
- leave_doors_unlocked: when_workspace_contains_business_equipment
❌ Information Exposure
prohibited_behaviors:
- print_unnecessary_documents: use_digital_workflows_instead
- leave_documents_unattended: always_secure_or_destroy
- discuss_confidential_matters: in_public_or_with_visitors_present
- dispose_unsecurely: regular_trash_for_sensitive_documents
- store_passwords_physically: written_passwords_in_visible_locations
❌ Unsafe Practices
dangerous_behaviors:
- overload_circuits: multiple_high_power_devices_on_one_outlet
- block_exits: equipment_blocking_emergency_egress
- ignore_alarms: smoke_detector_or_security_system_alerts
- disable_protection: removing_security_cables_or_locks
- unsecured_backup_media: leaving_backup_drives_visible_or_unlocked
Scenario: Setting up a secure home office workspace for cybersecurity consulting work.
# Home Office Security Configuration
workspace_security:
location:
room: dedicated_home_office
door: lockable_from_inside
windows:
- privacy_film_applied: true
- blinds_installed: true
- desk_positioned: perpendicular_to_window
equipment:
primary_workstation:
device: Ubuntu_22.04_LTS_laptop
security:
- full_disk_encryption: LUKS_enabled
- BIOS_password: configured
- physical_lock_cable: attached_to_desk
- screen_privacy_filter: installed
monitors:
count: 2
positioning: facing_away_from_door_and_windows
privacy: screen_not_visible_from_hallway
mobile_devices:
- iPhone_with_MDM: biometric_lock_enabled
- iPad: encrypted_and_screen_locked
storage:
secure_cabinet:
type: lockable_metal_filing_cabinet
contents:
- backup_drives: encrypted_USB_drives
- client_contracts: physical_copies_locked
- hardware_tokens: YubiKeys_secured
fireproof_safe:
contents:
- critical_backups: offline_encrypted_backups
- emergency_contacts: printed_emergency_procedures
environmental:
fire_protection:
- smoke_detectors: 2_units_tested_monthly
- fire_extinguisher: ABC_rated_inspected_annually
climate_control:
- temperature: thermostat_set_20°C
- humidity: dehumidifier_maintains_45%_RH
power_protection:
- UPS: 1500VA_battery_backup_for_workstation
- surge_protection: all_devices_on_surge_protectors
clean_desk_policy:
daily_routine:
- end_of_day: all_documents_locked_in_cabinet
- screen_lock: automatic_after_5_minutes
- shredding: cross_cut_shredder_for_sensitive_waste
Result: ✅ Compliant - Comprehensive physical security controls for home office
ISO 27001:2022 Mapping:
Scenario: Client visiting home office for project kick-off meeting.
# Visitor Management Procedure
visitor_access_control:
pre_visit_preparation:
schedule:
date: 2026-02-15
time: 10:00-12:00
visitor: client_representative
security_actions:
- review_calendar: no_overlapping_sensitive_work
- secure_materials:
- lock_client_contracts: all_other_clients_secured
- close_applications: client_systems_logged_out
- position_screens: face_away_from_guest_seating
- prepare_meeting_area:
- clean_desk: no_documents_visible
- lock_cabinets: filing_cabinet_secured
- test_screen_lock: automatic_lock_verified
during_visit:
physical_controls:
- workspace_access: visitor_not_allowed_in_office_area
- meeting_location: living_room_separate_from_workspace
- screen_status: all_devices_locked_before_meeting
- door_closed: office_door_closed_and_locked
behavioral_controls:
- conversation_topics: project_scope_only_no_other_clients
- document_handling: only_visitor_specific_materials_shown
- device_access: visitor_devices_not_connected_to_network
- escort_policy: visitor_escorted_if_bathroom_access_needed
post_visit:
verification_checklist:
- physical_security:
- devices_still_locked: verified
- documents_secured: filing_cabinet_still_locked
- no_items_left_behind: workspace_checked
- access_review:
- system_logs: no_unauthorized_access_detected
- network_connections: no_unknown_devices_connected
- follow_up:
- meeting_notes: sensitive_details_encrypted
- next_steps: documented_in_project_tracker
Result: ✅ Compliant - Proper visitor management with information protection
ISO 27001:2022 Mapping:
Scenario: Laptop left unattended in coffee shop while working remotely.
❌ Non-Compliant Practice:
# INCORRECT - Physical Security Violation
coffee_shop_work:
laptop_security:
- screen_lock: disabled_for_convenience
- physical_security: left_on_table_while_ordering_coffee
- confidential_work: client_contract_visible_on_screen
- location: public_coffee_shop_with_high_traffic
Problems:
✅ Corrected Approach:
# CORRECT - Secure Remote Work Practices
remote_work_policy:
location_assessment:
- evaluate_sensitivity: client_contract_work_is_HIGH_classification
- decision: work_from_home_office_only_for_sensitive_tasks
public_space_work:
allowed_activities:
- general_research: non_client_specific_industry_research
- email_review: non_confidential_communications_only
- code_review: public_open_source_projects_only
required_controls:
- screen_privacy_filter: prevents_shoulder_surfing
- VPN_connection: always_enabled_for_business_access
- screen_lock: automatic_after_2_minutes_in_public
- physical_security: laptop_never_left_unattended
- positioning: back_to_wall_screen_not_visible_to_others
prohibited_activities:
- client_contracts: no_confidential_documents_in_public
- sensitive_data: no_HIGH_or_CRITICAL_data_access
- production_systems: no_administrative_access_from_public_wifi
device_protection:
- physical_lock_cable: attached_when_in_public_spaces
- screen_lock: automatic_and_immediate_when_leaving_seat
- backup_awareness: work_saved_to_cloud_before_leaving_home
Result: ✅ Corrected - Appropriate controls for remote work based on data sensitivity
Classification Impact:
This skill implements controls from:
ISO 27001:2022 Controls:
NIST CSF 2.0 Functions:
CIS Controls v8.1:
## Daily Security Routine
**Start of Day:**
- [ ] Verify workspace door is locked
- [ ] Check environmental controls (smoke detector, temperature)
- [ ] Boot devices with BIOS password
- [ ] Verify screen privacy filter is clean and positioned correctly
- [ ] Check UPS battery status
**During Work:**
- [ ] Lock screen when leaving workspace
- [ ] Position screens away from windows and hallways
- [ ] Secure documents immediately after use
- [ ] Shred sensitive waste in cross-cut shredder
- [ ] Escort visitors if they need access to home during work hours
**End of Day:**
- [ ] Log out of all systems
- [ ] Lock all devices with cable locks or in secure storage
- [ ] Secure all documents in lockable cabinet
- [ ] Secure backup media in fireproof safe
- [ ] Verify all windows and doors locked
- [ ] Set alarm system if available
| Device Type | Physical Security | Encryption | Access Control | Backup |
|---|---|---|---|---|
| 💻 Laptop | Cable lock + locked office | LUKS full disk | BIOS password + screen lock | Daily to AWS S3 |
| 📱 Mobile | Physical case + MDM | Device encryption | Biometric + PIN | iCloud/Google backup |
| 💾 USB Drive | Locked cabinet | BitLocker/LUKS | Password protected | Not primary storage |
| 🖥️ Desktop | Locked office + bolted desk | LUKS full disk | BIOS password + screen lock | Daily to AWS S3 |
| ⌚ Smart Watch | Physical security + MDM | Device encryption | PIN/Biometric | Synced to phone |
# Recommended Environmental Sensors
home_office_monitoring:
fire_detection:
- smoke_detectors: 2_units_interconnected
- heat_detectors: 1_unit_above_equipment
- testing_schedule: monthly_button_test
water_damage:
- water_sensors: under_AC_units_and_near_windows
- leak_detection: near_water_heater_if_adjacent
- alert_method: SMS_notification_to_phone
climate:
- temperature_sensor: smart_thermostat_with_alerts
- humidity_sensor: standalone_hygrometer
- alert_thresholds:
- temperature: below_15°C_or_above_30°C
- humidity: below_25%_or_above_70%
power:
- UPS_monitoring: software_alerts_for_power_events
- surge_protection: LED_indicators_on_surge_protectors
- generator: optional_for_critical_infrastructure
| Threat | Impact | Likelihood | Risk Level | Mitigation |
|---|---|---|---|---|
| Device Theft | 🔴 Critical | 🟡 Medium | 🔴 High | Cable locks, locked office, encryption |
| Fire Damage | 🔴 Critical | 🟢 Low | 🟡 Medium | Smoke detectors, fire extinguisher, offsite backups |
| Water Damage | 🟠 High | 🟡 Medium | 🟠 High | Elevated equipment, water sensors, waterproof bags |
| Visitor Snooping | 🟠 High | 🟡 Medium | 🟠 High | Clean desk policy, screen positioning, visitor escort |
| Environmental | 🟡 Medium | 🟡 Medium | 🟡 Medium | Climate control, humidity monitoring, UPS |
| Power Loss | 🟡 Medium | 🟠 High | 🟡 Medium | UPS backup, surge protection, saved work |
| Shoulder Surfing | 🟡 Medium | 🟠 High | 🟠 High | Screen privacy filters, positioning, awareness |
Device Loss/Theft:
Fire/Water Damage:
#!/bin/bash
# Physical Security Self-Assessment Script
echo "🏠 Hack23 AB - Physical Security Audit"
echo "========================================"
echo ""
# Workspace Security
echo "📋 Workspace Security Checklist:"
read -p "Is workspace in a lockable room? (yes/no): " lockable_room
read -p "Are windows covered with blinds/film? (yes/no): " window_privacy
read -p "Is secure storage (cabinet/safe) available? (yes/no): " secure_storage
read -p "Are screens positioned away from windows/doors? (yes/no): " screen_position
# Equipment Protection
echo ""
echo "💻 Equipment Protection Checklist:"
read -p "Are laptops using full disk encryption? (yes/no): " disk_encryption
read -p "Are cable locks used for equipment? (yes/no): " cable_locks
read -p "Are mobile devices enrolled in MDM? (yes/no): " mdm_enrolled
read -p "Is automatic screen lock enabled (<5 min)? (yes/no): " screen_lock
# Environmental Controls
echo ""
echo "🌡️ Environmental Controls Checklist:"
read -p "Are smoke detectors installed and tested? (yes/no): " smoke_detectors
read -p "Is fire extinguisher accessible and inspected? (yes/no): " fire_extinguisher
read -p "Is equipment elevated off floor? (yes/no): " elevated_equipment
read -p "Is UPS/surge protection installed? (yes/no): " power_protection
# Clean Desk Policy
echo ""
echo "🧹 Clean Desk Policy Checklist:"
read -p "Are documents locked at end of day? (yes/no): " documents_secured
read -p "Is cross-cut shredder available? (yes/no): " shredder_available
read -p "Are backup media secured in safe/cabinet? (yes/no): " backup_secured
# Calculate compliance score
score=0
total=13
[[ "$lockable_room" == "yes" ]] && ((score++))
[[ "$window_privacy" == "yes" ]] && ((score++))
[[ "$secure_storage" == "yes" ]] && ((score++))
[[ "$screen_position" == "yes" ]] && ((score++))
[[ "$disk_encryption" == "yes" ]] && ((score++))
[[ "$cable_locks" == "yes" ]] && ((score++))
[[ "$mdm_enrolled" == "yes" ]] && ((score++))
[[ "$screen_lock" == "yes" ]] && ((score++))
[[ "$smoke_detectors" == "yes" ]] && ((score++))
[[ "$fire_extinguisher" == "yes" ]] && ((score++))
[[ "$elevated_equipment" == "yes" ]] && ((score++))
[[ "$power_protection" == "yes" ]] && ((score++))
[[ "$documents_secured" == "yes" ]] && ((score++))
[[ "$backup_secured" == "yes" ]] && ((score++))
compliance_percentage=$((score * 100 / total))
echo ""
echo "========================================"
echo "📊 Compliance Score: $score/$total ($compliance_percentage%)"
echo ""
if [ $compliance_percentage -ge 90 ]; then
echo "✅ EXCELLENT - Physical security controls are comprehensive"
elif [ $compliance_percentage -ge 70 ]; then
echo "⚠️ GOOD - Minor improvements needed"
elif [ $compliance_percentage -ge 50 ]; then
echo "⚠️ FAIR - Significant gaps exist, immediate action required"
else
echo "❌ POOR - Critical physical security deficiencies"
fi
echo ""
echo "📝 Document findings in Security Metrics and Asset Register"
echo "🔄 Schedule remediation for any 'no' responses"
## Physical Security Monthly Review Checklist
**Date:** [YYYY-MM-DD]
**Reviewer:** CEO
### Equipment Inventory
- [ ] Verify all devices in Asset Register are accounted for
- [ ] Check encryption status on all laptops and storage media
- [ ] Test screen locks and BIOS passwords
- [ ] Inspect cable locks for damage or tampering
- [ ] Verify mobile device MDM enrollment status
### Environmental Systems
- [ ] Test smoke detectors (button test)
- [ ] Inspect fire extinguisher pressure gauge
- [ ] Check UPS battery status and runtime test
- [ ] Test water sensors if installed
- [ ] Review climate control (temperature/humidity logs)
### Workspace Security
- [ ] Verify lockable cabinet is functional
- [ ] Inspect fireproof safe for damage
- [ ] Check window coverings for damage or gaps
- [ ] Assess screen positioning for visitor visibility
- [ ] Review clean desk policy compliance
### Visitor Management
- [ ] Review visitor log (if any visits occurred)
- [ ] Assess visitor access procedures effectiveness
- [ ] Update visitor management procedures if needed
### Remediation Actions
- [ ] Document any deficiencies found
- [ ] Assign remediation tasks with deadlines
- [ ] Update Asset Register with any changes
- [ ] Schedule next monthly review
Layered Protection Approach:
Security Culture:
Skill Metadata:
Framework Compliance:
License: Apache-2.0
Repository: https://github.com/Hack23/homepage
GitHub Agentic Workflows (gh-aw) - markdown-based AI automation with 5-layer security, safe outputs, and Continuous AI patterns
gh-aw CLI usage, compilation, testing, debugging, add-wizard, and CI/CD practices for GitHub Agentic Workflows
Multi-agent coordination, orchestrator-worker patterns, /plan decomposition, and project coordination for GitHub Agentic Workflows
5-layer defense-in-depth security for GitHub Agentic Workflows - safe outputs, threat detection, AWF firewall, and zero-trust patterns
Continuous AI patterns from Agent Factory - issue triage, documentation sync, code quality, security scanning, and project coordination
GDPR compliance including privacy by design, data protection requirements, consent management, right to be forgotten, and data breach response