Submitted:
13 June 2026
Posted:
17 June 2026
You are already at the latest version
Abstract
Keywords:
1. Introduction
2. Operational Context and Assumptions
3. Case Description: Timeline and Evidence
| Milestone | Event | Recorded Evidence |
|---|---|---|
| T0 (D−14) | The technician is admitted to the infrastructure team. Technical onboarding is carried out. Briefing on restricted areas and need-to-know is not documented. | HR record. Absence of briefing record. |
| T1 (D−1) | The line manager asks the technician to “check” some equipment in the technical room. Informal arrangement. | Message exchange, not preserved. |
| T2 (D, 09:12) | The line manager lends his access card to the technician in the administrative corridor. | No record. Reconstructed through the line manager’s later statement. |
| T3 (D, 09:17) | The technician enters the room using the card. The PACS log records the card identifier. The person carrying the card is not identified. | PACS log. |
| T4 (D, 09:21) | The technician finds the metal cabinet unlocked, removes a folder containing documentation marked as CONFIDENCIAL (CONFIDENTIAL), and photographs part of a logical network diagram. | No record at the time. Photograph recovered from the mobile phone on D + 1. |
| T5 (D, 09:26) | The technician leaves the room. The card is returned to the line manager shortly after leaving the room. | PACS exit log. |
| T6 (D, 09:41) | The image is shared in an internal WhatsApp group with 14 members, some of whom have no need-to-know for the asset. | Screenshot obtained on D + 1 at the request of the Security Officer for classified information or equivalent internal officer. |
| T7 (D + 1) | Another member of the group reports the content to the Security Officer for classified information or equivalent internal officer. Incident response begins. | Incident record. |
4. Normative and Procedural Framework
5. Technical-Operational Analysis
5.1. Failure Identification
5.2. Causal Analysis
5.3. Risk Assessment
| Risk | Affected Asset | I | L | RL | Priority | Main Dimension |
|---|---|---|---|---|---|---|
| R1—Unauthorised access to classified information | Technical communications documentation—CONFIDENCIAL (CONFIDENTIAL) | 5 | 4 | 20 | Very high | Confidentiality |
| R2—Unauthorised dissemination of a technical diagram | Logical diagram of the segregated network—CONFIDENCIAL (CONFIDENTIAL) | 5 | 3 | 15 | High | Confidentiality |
| R3—Exposure of technical inventory | Rack and equipment inventory—RESERVADO (RESTRICTED) | 3 | 3 | 9 | Medium | Mission |
| R4—Failure to attribute responsibility | PACS logs and access records—restricted internal evidence | 4 | 4 | 16 | High | Accountability/traceability |
| R5—Compromise of the document chain of custody | Distribution records—RESERVADO (RESTRICTED); technical documentation—CONFIDENCIAL (CONFIDENTIAL) | 5 | 3 | 15 | High | Chain of custody |
| R6—Maintenance of inappropriate physical permissions | Access profiles to the restricted room and need-to-know matrix | 4 | 3 | 12 | High | Mission |
| R7—Exposure of encrypted removable media | Encrypted contingency removable medium—CONFIDENCIAL (CONFIDENTIAL) | 4 | 2 | 8 | Medium | Mission |
| R8—Exposure of sensitive administrative documentation | HR documentation—sensitive/personal data, not classified | 4 | 3 | 12 | High | Reputation/data protection |
6. Corrective and Preventive Measures
6.1. Short-Term Corrective Measures
- Type: corrective.
- Responsible party: PACS manager, in coordination with the Security Officer for classified information, or equivalent internal officer.
- Preconditions: incident record opened; documented decision by the Security Officer for classified information or equivalent internal officer, with CISO involvement where information systems are affected.
- Evidence: PACS log showing revocation/suspension of the card; record of the decision.
- Acceptance criterion: suspension executed within 4 h of the incident being reported, verified by log review.
- Type: corrective.
- Responsible party: PACS manager, with validation by the functional manager and the Security Officer for classified information, or equivalent internal officer.
- Preconditions: confirmation by HR of the technician’s functional position; validation by the functional manager that the profile includes neither authorisation nor need-to-know regarding the assets in the room; incident record opened. Internal disciplinary proceedings to be initiated in parallel, where applicable.
- Evidence: PACS configuration excluding the room from the technician’s profile; record in the identity management system or access matrix.
- Acceptance criterion: subsequent entry attempt refused and logged; monthly audit confirms exclusion from the access profile.
- Type: corrective, with evidentiary purpose.
- Responsible party: Security Officer for classified information, or equivalent internal officer, with support from the IT team and coordination with HR, legal, or the Data Protection Officer (DPO), where applicable.
- Preconditions: incident record opened; internal evidence management policy; segregated and controlled medium for preserving records; designation of the person responsible for collection.
- Evidence: copy of the PACS logs and adjacent systems logs; recovered photograph; screenshot or export of the WhatsApp message; identification of the group, recipients, and date of sharing; integrity hash whenever technically possible; chain-of-custody record.
- Acceptance criterion: evidence preserved within 24 h of the incident being reported, validated by a second person, and archived on a controlled medium; any collection involving personal devices, personal data, or identifiable internal communications must be coordinated with HR, legal, or the DPO, where applicable, respecting proportionality and data minimisation.
- Type: corrective.
- Responsible party: Security Officer for classified information, or equivalent internal officer, together with the technical officer responsible for the room.
- Preconditions: updated asset list; two-person presence during verification.
- Evidence: inventory report indicating the documents, media, and equipment verified, as well as any discrepancies against the reference list.
- Acceptance criterion: inventory completed within 48 h and reviewed by the Security Officer for classified information or equivalent internal officer.
- Controls: ISO/IEC 27002:2022 5.9—Inventory of information and other associated assets and 7.10—Storage media [5].
- Type: corrective.
- Responsible party: Security Officer for classified information or equivalent internal officer, in coordination with senior management and the CISO where information systems are affected and, where applicable, with notification to the ANS through the GNS.
- Preconditions: preliminary impact analysis; identification of the recipients of the WhatsApp sharing; initial preservation of evidence.
- Evidence: compromise assessment report; list of identified recipients; documented decision on notification; formal notification to the competent authority, where applicable.
- Acceptance criterion: report approved and archived by the Security Officer for classified information or equivalent internal officer; decision on notification documented; notification sent within the applicable internal or regulatory deadlines.
6.2. Preventive Measures
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, with CISO input where relevant.
- Preconditions: review by the legal and HR teams; alignment with the access control policy and internal regulations.
- Evidence: approved and signed formal policy; dissemination record; record of reading or acceptance by the covered employees.
- Acceptance criterion: 100% of employees with access to restricted areas confirm reading/acceptance of the policy within 30 days.
- Type: preventive.
- Responsible party: PACS manager, with validation by the functional managers and the Security Officer for classified information, or equivalent internal officer.
- Preconditions: updated list of restricted areas; approved need-to-know matrix by function; nominal list of users with physical access to the room.
- Evidence: semi-annual review report, with accesses maintained, removed, and functionally justified; validation signed by the functional manager.
- Acceptance criterion: semi-annual review cycle completed for two consecutive cycles; 100% of access rights to the restricted room supported by current, documented, and validated need-to-know.
- Type: preventive.
- Responsible party: PACS manager and IT team, with validation by the Security Officer for classified information and involvement of the DPO if biometric authentication is considered.
- Preconditions: approved budget, technical feasibility analysis of the reader, and data protection impact assessment with DPO opinion if biometrics are used.
- Evidence: reader configuration with PIN, biometrics, or another second factor; hardware acceptance minutes; access test report.
- Acceptance criterion: 100% of entries recorded with two factors within 30 days after installation; quarterly audit confirms absence of unapproved exceptions.
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, in coordination with the DPO.
- Preconditions: proportionality assessment and DPO opinion; documented purpose; visible signage; defined retention period.
- Evidence: installation contract or record; coverage map; retention policy; record of image testing and access to recordings.
- Acceptance criterion: effective coverage of the door verified by testing. Compliance with data protection confirmed by audit.
- Type: preventive.
- Responsible party: PACS manager, in coordination with the security operations team.
- Preconditions: anomaly rules defined, including door held open beyond the permitted time, after-hours entry, atypical frequency, refused entry attempt, and entry by an incompatible profile.
- Evidence: documented configuration of the rules; record of events triggered during testing; history of processed alerts.
- Acceptance criterion: 100% of anomalous event simulations generate an alert and are processed by the identified team within 15 min.
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, with support from the technical officer responsible for the room and review of the physical space design.
- Preconditions: analysis of circulation flows; identification of the types of documentation present; redesign of storage by classification level and nature of the information.
- Evidence: updated room layout with distinct zones or cabinets; published anti-tailgating procedure; signage next to the access point; audit record of document segregation.
- Acceptance criterion: semi-annual audit confirms physical separation between classified documentation, removable media, and administrative documentation; no classified document stored outside the appropriate container.
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, with support from facilities/security operations and CISO input where electronic media or information systems are affected.
- Preconditions: identification of documents by classification level; definition of the container required for the highest classification level; approved budget.
- Evidence: container installed and identified; record of documents stored; record of keys, combinations, or authorised persons.
- Acceptance criterion: 100% of documents marked as CONFIDENCIAL (CONFIDENTIAL) stored in the appropriate container; review of keys, combinations, or authorisations every six months.
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, together with HR.
- Preconditions: approved training programme; minimum content defined on restricted areas, prohibition of access card sharing, need-to-know, handling of classified information, and authorised sharing channels; knowledge assessment defined.
- Evidence: attendance record; completed assessment; training materials archived; record of onboarding for new employees.
- Acceptance criterion: 100% of new employees with potential access to restricted areas complete the training within 30 days of admission; annual refresher cycle completed for employees with authorised access.
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, with sponsorship from senior management and CISO involvement where information systems are affected.
- Preconditions: documented plan; defined escalation criteria; roles for containment, evidence preservation, compromise assessment, and notification to the ANS through the GNS, where applicable; exercises scheduled.
- Evidence: published plan; exercise records; post-incident review reports; lessons learned archived.
- Acceptance criterion: at least one annual exercise; post-incident review performed for all confirmed incidents; lessons learned integrated into the plan within 60 days.
- Controls: ISO/IEC 27002:2022 5.24—Information security incident management planning and preparation, 5.26—Response to information security incidents, and 5.27—Learning from information security incidents [5]; NIST SP 800-53 Rev. 5, IR-3—Incident Response Testing, IR-4—Incident Handling, and IR-8—Incident Response Plan [9]; ENISA, Post-incident reviews [14].
- Type: preventive.
- Responsible party: Security Officer for classified information, or equivalent internal officer, in coordination with IT, HR, and the DPO, where applicable.
- Preconditions: updated restricted areas policy; identification of authorised procedures and channels for technical documentation, and formal Sub-Registry or Control Post procedures for classified documentation, where applicable; definition of formally approved operational exceptions.
- Evidence: revised internal policy; signage at the entrance to the mixed-use restricted technical room; briefing or acknowledgement records; record of authorised exceptions for the use of image or sound capture devices.
- Acceptance criterion: 100% of employees with access to the restricted room confirm awareness of the prohibition on photographing, copying, or sharing documentation through unauthorised channels; sample-based audit confirms the absence of undocumented exceptions.
7. Lessons Learned and Applicability
8. Conclusion
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Gabinete Nacional de Segurança. Questões Sobre Informação Classificada; v. 4.2; Gabinete Nacional de Segurança: Lisboa, Portugal, 2024; Available online: https://www.gns.gov.pt/docs/questoes-sobre-informacao-classificada-2024-v42.pdf (accessed on 17 May 2026).
- Resolução do Conselho de Ministros n.º 50/88, de 3 de dezembro, alterada pela Resolução do Conselho de Ministros n.º 13/93, de 6 de março. In Instruções para a Segurança Nacional, Salvaguarda e Defesa das Matérias Classificadas—SEGNAC 1; Diário da República: Lisboa, Portugal, 1988; Available online: https://www.gns.gov.pt/docs/segnac1.pdf (accessed on 17 May 2026).
- Smith, C.L.; Brooks, D.J. Security Science: The Theory and Practice of Security; Butterworth-Heinemann: Oxford, UK, 2013. [Google Scholar]
- Garcia, M.L. The Design and Evaluation of Physical Protection Systems, 2nd ed.; Butterworth-Heinemann: Oxford, UK, 2008. [Google Scholar]
- ISO/IEC 27002:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Controls. 3rd ed. ISO: Geneva, Switzerland, 2022.
- CERT National Insider Threat Center. Common Sense Guide to Mitigating Insider Threats, 7th ed.; Software Engineering Institute, Carnegie Mellon University: Pittsburgh, PA, USA, 2022. [Google Scholar]
- ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection—Guidance on Managing Information Security Risks, 4th ed. ISO: Geneva, Switzerland, 2022.
- Resolução do Conselho de Ministros n.º 37/89, de 24 de outubro. In Normas para a Segurança Nacional, Salvaguarda e Defesa das Matérias Classificadas, Segurança Industrial, Tecnológica e de Investigação—SEGNAC 2; Diário da República: Lisboa, Portugal, 1989; Available online: https://www.gns.gov.pt/docs/segnac2.pdf (accessed on 17 May 2026).
- Joint Task Force. Security and Privacy Controls for Information Systems and Organizations; NIST Special Publication 800-53, Rev. 5; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar] [CrossRef]
- Gigliotti, R.; Jason, R. Approaches to physical security. In Effective Physical Security, 5th ed.; Fennelly, L.J., Ed.; Butterworth-Heinemann: Oxford, UK, 2017; pp. 67–84. [Google Scholar]
- ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements, 3rd ed. ISO: Geneva, Switzerland, 2022.
- Centro Nacional de Cibersegurança. Guia para Gestão dos Riscos em Matérias de Segurança da Informação e Cibersegurança; v. 1.1; Centro Nacional de Cibersegurança: Lisboa, Portugal, 2022; Available online: https://www.cncs.gov.pt/docs/guia-de-gestao-dos-riscos11.pdf (accessed on 17 May 2026).
- Ferraiolo, H.; Mehta, K.; Ghadiali, N.; Mohler, J.; Johnson, V.; Brady, S. Guidelines for the Use of PIV Credentials in Facility Access; NIST Special Publication 800-116, Rev. 1; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2018. [Google Scholar] [CrossRef]
- Moulinos, K.; Theocharidou, M. Technical Implementation Guidance on Cybersecurity Risk-Management Measures: On Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 Laying Down Rules for the Application of NIS2 Directive as Regards Technical and Methodological Requirements of Cybersecurity Risk-Management Measures; Version 1.0; European Union Agency for Cybersecurity: Athens, Greece, 2025; Available online: https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance (accessed on 17 May 2026).
- Sinai, J. Access control systems and identification badges. In Effective Physical Security, 5th ed.; Fennelly, L.J., Ed.; Butterworth-Heinemann: Oxford, UK, 2017; pp. 255–264. [Google Scholar]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).