Example of Physical and Environmental Security Policy

1 Policy Statement

To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure the physical security of all information assets and human assets. Physical security is an essential part of a security plan. It forms the basis for all other security efforts, including personnel and information security. A balanced security program must include a solid physical security foundation. A solid physical security foundation protects and preserves information, physical assets, and human assets.

2 Purpose

The purpose of the Physical Security Policy is to:

  • establish the rules for granting, controlling, monitoring and removing physical access to office premises;
  • identify sensitive areas within the organization; and
  • define and restrict access to those areas.

3 Scope

3.1 Employees

This applies to all employees, contractual employees, trainees, privileged customers and all other visitors.

3.2 Documentation

The Physical Security Policy documentation shall consist of Physical Security Policy and related procedures & guidelines.

3.3 Document Control

The Physical Security Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. The previous version shall be retained only for a period of two years, for legal and knowledge-preservation purposes.

3.4 Records

Records being generated as part of the Physical Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.

3.5 Distribution and Maintenance

The Physical Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Physical Security Policy document will be with the CISO and system administrators.

4. Privacy

The Physical Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.

5. Responsibility

The CISO / designated personnel is responsible for the proper implementation of the Physical Security Policy.

6. Policy

Following are the policies defined for maintaining Physical Security:

  1. Physical access to the server rooms/areas shall be completely controlled, and servers shall be kept in server racks under lock and key.
  2. Access to the servers shall be restricted to designated Systems and Operations Personnel. Any other person who needs to work on the servers from the development area shall connect to them only through Remote Desktop Connection with a Restricted User Account.
  3. Critical backup media shall be kept in a fireproof off-site location in a vault.
  4. Security perimeters shall be developed to protect areas that contain information systems to prevent unauthorized physical access, damage, and interference.
  5. A list of personnel with authorized access to the facilities where information systems reside shall be maintained with appropriate authorization credentials. The access list and authorization credentials shall be reviewed and approved by authorized personnel periodically.
  6. All physical access points (including designated entry/exit points) to the facilities where information systems reside shall be controlled and access shall be granted to individuals after verification of access authorization.
  7. Physical access to the information systems shall be monitored to detect and respond to physical security incidents.
  8. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural and man-made disasters shall be designed and applied.
  9. Physical protection and guidelines for working in the areas where information systems reside shall be designed and applied.
  10. Information systems and their components shall be positioned within the facility to minimize risks from physical and environmental hazards and opportunities for unauthorized access.
  11. Information systems shall be protected from power failure and other disruptions caused by a failure in supporting utilities.
  12. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
  13. The real-time physical intrusion alarm and surveillance equipment shall be monitored.
  14. Physical access control to information systems shall be independent of the physical access control to the facility. This control can be applicable to server rooms or information systems with a higher impact level than that of the majority of the facility.
  15. Automated mechanisms to recognize potential intrusion shall be employed to initiate appropriate response actions.
  16. Visitors shall be authenticated before being authorized to enter the facility where the information systems reside, except for areas designated as “publicly accessible”; physical access to the information systems shall be granted only after that authentication.
  17. The access records of the visitors shall be maintained.
  18. Visitors shall be escorted by the designated personnel and their activities, if required, shall be monitored.
  19. Systems Personnel shall examine laptops of visitors for the latest anti-virus definition, latest patches and updates, and any sort of vulnerability that could be harmful to the network.
  20. Any user who needs to connect to the external network for official work shall be able to do so after an official sanction from the Management and Security Team. This team shall evaluate security risks before issuing any sanction.
  21. A record of all physical accesses by both visitors and authorized individuals shall be maintained.
  22. All policies stated above shall be monitored for any changes from time to time.

6.1 Physical Security Parameter

1. The choice and application of physical access controls shall be made according to the classification of the protected system. Controls include:

  1. Perimeter fences or walls, bounds and checkpoints.
  2. Key locks opened with ordinary (i.e., non-electronic) keys.
  3. Electronic access control systems:
    • Option 1 – Cipher lock (also known as a programmable lock; uses a keypad to control access).
    • Option 2 – Card-based access control:
      • Memory card (e.g., magnetic card).
      • Smart card (includes a microchip).
    • Option 3 – Biometric systems (e.g., fingerprint, hand geometry and face recognition).
    • Any combination of options 1, 2 or 3 (i.e., a multi-factor authentication method).

2. Sites that host sensitive information and critical systems shall have additional physical security zones to provide additional protection to those assets.

3. Access rights to secure areas shall be regularly reviewed and updated.

4. Main Datacentre area within XXX’s environment:

  • Shall require a much greater level of control than other restricted XXX spaces.
  • Only individuals granted authorization by the ICT Manager may enter this area.
  • Access privileges shall only be granted to individuals who have legitimate business needs.
  • Shall be entered only to conduct authorized business work.
  • Employees having access shall familiarize themselves thoroughly with this policy.

5. All doors to the Datacentre shall remain locked at all times, and may only be temporarily opened for no longer than the minimum period necessary in order to:

  • Allow officially approved and logged entrance and exit of authorized individuals.
  • Permit the transfer of supplies / equipment under the direct supervision of a person with controlling access to the area.
  • Prop open a door to the Datacentre only when necessary to increase airflow after an air-conditioning failure.

6.2 Physical Entry Controls

  1. The Information Security Department, in cooperation with the ICT Manager and the Information Security Officer, shall be responsible for defining the necessary policies and procedures regarding physical access to buildings and areas where XXX’s systems are sited (e.g., the Datacentre), according to the classification of the protected systems.
  2. The entry and exit of visitors shall be controlled. Before a visitor enters a building, the security guards at the reception desk or gate shall verify the visitor’s identity using a generally accepted credential (e.g., an Identity Card or Passport). Entry shall be allowed only after notifying the employee being visited and verifying the purpose of the visit.
  3. Supporting services contractors’ personnel shall be granted restricted access to secure areas or Datacentre facilities only when required, and that access shall be monitored.
  4. For employee identification, the following shall apply:
    • All XXX employees shall wear visible identification (e.g., an ID badge).
    • Persons who are not XXX employees shall wear a “Visitor” badge.
    • ID badges shall only contain names, photographs and badge numbers.
    • Access cards shall not contain any description of the access privilege levels granted to that card.
  5. The ICT Manager, in cooperation with the Information Security Department, shall be responsible for managing and monitoring the CCTV cameras and access door systems within the Datacenter.
  6. All entries to the Datacenter shall be recorded and maintained for at least 6 months. All access logs shall record the following details:
    • The date and time of the access attempt.
    • Whether the attempt was successful or not.
    • Where access was granted (which door, for example).
    • Who attempted the access.
    • Who modified the access privileges at the supervisor level.
  7. Personnel who do not require continuing access to the Datacenter shall be escorted by an authorized employee at all times and shall be required to sign a visitor control log.
  8. A facility-wide access card control system shall be deployed with the following features:
    • Employee identification and/or access card with picture.
    • Logging of activity associated with each computerized card.
    • Assignment of access rights based upon job requirements.
    • Ability to disable lost or stolen cards.
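The access-log details and the maintained access list above lend themselves to a periodic review. The following is an added example, not part of the policy document: it parses constructed log records carrying the five required details (date/time, result, door, subject, and who modified privileges) and reports grants to subjects absent from a constructed authorized-access list, repeated denials, supervisor-level privilege changes, and after-hours entries. All door names, subjects, hours and thresholds are assumptions.

```python
"""Review Datacentre access logs against the record fields this policy requires.

Added example, not part of the policy document. The log format, door names,
subjects, business hours and the authorized-access list are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. One record per line with the five details the policy
# requires: date/time, result, door, subject, and (for privilege changes) who
# modified the privileges at supervisor level (blank otherwise).
SAMPLE_LOG = """\
2024-03-04T08:55:12,granted,DC-MAIN,alice,
2024-03-04T09:10:03,denied,DC-MAIN,mallory,
2024-03-04T09:10:41,denied,DC-MAIN,mallory,
2024-03-04T09:11:05,denied,DC-MAIN,mallory,
2024-03-04T09:30:00,granted,DC-MAIN,bob,
2024-03-04T14:02:17,privilege_change,DC-MAIN,carol,supervisor1
2024-03-04T23:45:09,granted,DC-REAR,carol,
"""

# Constructed authorized-access list (policy item 5): door -> permitted subjects.
AUTHORIZED = {"DC-MAIN": {"alice", "bob"}, "DC-REAR": {"alice"}}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    result: str        # granted | denied | privilege_change
    door: str
    subject: str
    modified_by: str   # empty unless result == privilege_change


def parse_log(text: str) -> list[AccessEvent]:
    """Parse CSV records; reject any record missing a required detail."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        when, result, door, subject, modified_by = parts
        if result == "privilege_change" and not modified_by:
            raise ValueError(f"line {lineno}: privilege change without a modifier")
        events.append(AccessEvent(datetime.fromisoformat(when), result, door,
                                  subject, modified_by))
    return events


def review(events, authorized, denied_threshold=3, hours=(7, 19)):
    """Return the findings a reviewer of the access list and logs should examine."""
    findings = {"unlisted_grants": [], "repeated_denials": [],
                "privilege_changes": [], "after_hours": []}
    denials = Counter()
    for e in events:
        if e.result == "granted":
            # A grant to someone absent from the maintained list for that door.
            if e.subject not in authorized.get(e.door, set()):
                findings["unlisted_grants"].append((e.when.isoformat(), e.subject, e.door))
            # Entry outside the assumed business hours warrants a justification.
            if not hours[0] <= e.when.hour < hours[1]:
                findings["after_hours"].append((e.when.isoformat(), e.subject, e.door))
        elif e.result == "denied":
            denials[(e.subject, e.door)] += 1
        elif e.result == "privilege_change":
            findings["privilege_changes"].append((e.when.isoformat(), e.subject, e.modified_by))
    for (subject, door), n in denials.items():
        if n >= denied_threshold:
            findings["repeated_denials"].append((subject, door, n))
    return findings


if __name__ == "__main__":
    for kind, items in review(parse_log(SAMPLE_LOG), AUTHORIZED).items():
        print(kind, items)
```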

6.3 Securing Offices, Rooms and Facilities

  1. Facilities security shall be provided at all XXX departments, units and offices. This shall include, but not be limited to:
    • Site perimeter protection (e.g., smart cards).
    • Facility management.
    • Parking lot security.
  2. The facilities where sensitive information and critical systems are stored or processed shall be constructed and arranged in a way that they are adequately protected from physical and environmental threats.
  3. Intrusion detection alarms shall be in place to cover external doors, accessible windows and other access points to XXX’s buildings.
  4. Hazardous or combustible materials shall be stored securely at a safe distance from any secure area.

6.4 Protecting against External and Environmental Threats

  1. Information security Safety Department shall observe personnel safety as a high priority and take the necessary steps to ensure a safe workplace.
  2. Proper procedures regarding the safe evacuation of areas or building in case of fire, flood, earthquake or other disasters shall be developed and documented in order to protect XXX’s employees and systems.
  3. Environmental controls shall be designed and applied to minimize the damage resulting from fire, flood, earthquake, explosion, civil unrest and other forms of natural or human-caused disasters.
  4. XXX’s facilities shall contain emergency equipment (e.g., emergency lighting and fire extinguishers) to establish an adequate level of safety for those working within a facility. This equipment shall be inspected on an annual basis to ensure its operational capability.
  5. Areas where Datacenter is located shall have appropriate external and environmental controls in place (e.g., temperature, humidity, dust particle content, atmospheric pressure, electromagnetic radiation, or static electricity) according to the manufacturer’s recommendations.
  6. ICT Manager shall be responsible for the physical monitoring of Datacenter. In particular, the following assets shall be centrally monitored:
    • Physical access control.
    • Ventilation and Air-Conditioning.
    • Emergency power supply (i.e. power generator) and UPS.
    • Fire detection and suppression systems.
    • Water detection system.
    • CCTV.
    • Racks.

6.5 Working in Secure Areas

  1. Information Security Department in cooperation with ICT Manager and Information Security Officer shall define what areas are (e.g., Datacenter) to be treated as secure areas in order to minimize unauthorized access, damage and interference to assets.
  2. Areas that host sensitive information, critical information systems and infrastructure shall be continuously monitored via security guards, Closed Circuit TV (CCTV), intrusion detection systems or a combination of them.
  3. All storage media (e.g., hard disk drives, CD-ROMs or DVDs), printouts, manuals and generally information in printed form containing sensitive information shall be physically secured in locked drawers and cabinets when not in use.
  4. Controls for individuals working in secure areas shall include, but not be limited to:
    • Unstaffed secure areas are physically locked and periodically monitored.
    • No photographic, video, audio, smart phones or other recording equipment is allowed unless specifically authorized.
    • Third party support services personnel are granted access to secure areas only when required, authorized and supervised.

6.6 Delivery and Loading Areas

  1. Delivery and loading areas shall be controlled and, where possible, isolated from ICT facilities to avoid unauthorized access to, or damage of, sensitive areas. Security requirements that control the delivery and loading area shall include, but not be limited to:
    • Access to a loading area from outside XXX’s premises shall be restricted to identified and authorized personnel.
    • The loading area shall be designed so that supplies can be unloaded without delivery staff gaining access to other areas of XXX’s premises.
  2. All incoming packages to XXX’s premises shall be received and inspected by reception staff, and shall be recorded in a register.

6.7 Equipment Siting and Protection

  1. Based on information and/or system classification, equipment shall be protected to reduce risks from environmental threats and hazards, and to reduce the risk of unauthorized access to information.
  2. The following controls shall be considered to secure all critical systems:
    • Equipment is located in a physically secure location to minimize unauthorized access.
    • Environmental conditions are monitored for conditions that could adversely affect the operation of computer systems.
    • System owners need to consider the potential impact of a disaster happening in nearby premises (e.g., a fire in a neighbouring building, water leaking from the roof or into floors below ground level, or an explosion in the street).
  3. ICT facilities shall be located based on the following, but not limited to:
    • Not at locations accessible to the public.
    • Not at locations prone to natural disasters or to damage caused by individuals, such as vandalism, fires and accidents (e.g., from water supply system failures or water entering through external windows).
  4. All ICT equipment (e.g., servers and network devices) shall be physically located within the protected confines of the Datacentre.
  5. Unauthorized system access via bypass booting of the device (to defeat password authentication) shall be prevented.
  6. Security measures shall be implemented to minimize the risk of information leakage from equipment processing sensitive information.

6.8 Supporting Utilities

  1. The ICT Manager, in cooperation with the Operation and Maintenance Department, shall provide power protection to ensure the availability of XXX’s systems.
  2. To achieve continuity of power supplies, the following shall be considered, but not limited to:
    • Multiple feeds to avoid a single point of failure in the power supply.
    • An Uninterruptible Power Supply (UPS) to support orderly shutdown or continuous running is recommended for equipment supporting critical systems and business operations. The UPS shall be regularly tested, as per the vendor’s instructions, to ensure reliable functionality.
    • A backup generator shall be considered where continuity of processing and business operations is required.
  3. All critical systems shall be configured to switch over to an alternate power source immediately upon loss of power.
  4. Equipment shall be protected from power failures and other electrical anomalies. A suitable electrical supply shall be provided in accordance with the equipment manufacturer’s specifications.
  5. Supporting infrastructure (e.g., air conditioning systems and security alarm systems), where applicable, shall have a dependable and consistent electrical power supply that is free from surges and interference that could affect the operation of the equipment (e.g., power-conditioning strips can reduce the threat of power surges).

6.9 Cabling Security

  1. Power, voice and telecommunication cables shall be protected against physical damage and destruction.
  2. Cabling protection shall include, but not be limited to:
    • Telecommunication cabling is protected against wiretapping.
    • Telecommunication cabling is not passed through areas where third parties have access.
    • Data network cabling is adequately isolated and protected from unauthorized interception or damage via routing them through protected areas.
    • Power supply cabling is adequately isolated.
    • Installation of armoured conduit and locked rooms or boxes at inspection and termination points.
    • Use of alternative routings or transmission media.
    • Use of fiber optic cabling.
    • Initiation of sweeps for unauthorized devices being attached to the cables.
  3. Where possible, cabling shall be run underground, avoid public areas, and use protective conduit shielding.

6.10 Equipment Maintenance

  1. The ICT Manager, in cooperation with the Operations and Maintenance Department, shall properly maintain technical equipment (e.g., hardware servers, network devices, racks, patch panels, communication devices, cables, etc.) to ensure its continued availability and integrity. Equipment maintenance controls shall include, but not be limited to:
    • Maintaining equipment in accordance with the manufacturer’s recommended service intervals and specifications.
    • Permitting only authorized maintenance personnel to carry out repairs and service.
    • Recording and updating all suspected or actual equipment faults and all preventive and corrective maintenance.
  2. Any preventive and corrective maintenance conducted on ICT equipment by the manufacturer’s personnel shall be supervised, and formal approval shall be obtained.
  3. The following shall be considered for ICT equipment:
    • All ICT equipment, where possible, shall have mandatory maintenance contracts to ensure availability and continuity of business.
    • Maintenance contracts shall cover regular and emergency checks.
    • ICT equipment shall have valid maintenance contracts which cover regular checks, support and spare parts.
    • Maintenance activities shall be supervised by the respective personnel.
    • Vendors shall provide XXX with maintenance reports on a monthly basis to confirm the health status of the equipment.
    • A data centre maintenance schedule and log shall be maintained by the ICT Manager to ensure on-time maintenance and tracking of any related issues.

6.11 Removal of Assets

  1. ICT equipment, assets or software shall not be taken off XXX’s site without proper authorization. Where necessary and appropriate, the following shall be considered:
    • Personnel shall obtain proper authorization to take equipment off XXX’s site.
    • Equipment is logged out.
    • Time limits are set.
    • When returned, equipment is logged back in.

6.12 Security of Equipment and Assets Off-Premises

  1. The ICT Manager shall implement appropriate controls when sending ICT equipment off XXX’s premises for maintenance. Appropriate controls shall include, but not be limited to:
    • Proper packaging and sealing of containers.
    • Storage in safe and secure places.
    • Clear and complete shipping and tracking instructions.
  2. Assets shall not be moved off XXX’s premises for use, maintenance or repair purposes unless authorization has been obtained from the relevant owner of the information asset. All movement of such assets shall be recorded.
  3. All portable ICT equipment (e.g., laptops and mobile phones):
    • Shall be secured by means of a locked cabinet, credenza, vinyl-covered steel cable or office.
    • Shall be physically secured via an appropriate security device during any period that the unit is left unattended in XXX’s offices.
  4. Portable ICT equipment connected to the network shall store sensitive information on file server drives as far as possible. Information stored on floppy disks, CD-ROMs, external drives or tapes shall be physically secured in a manner appropriate to its sensitivity level.

6.13 Secure Disposal or Re-use of Equipment

  1. The ICT Manager shall develop appropriate procedures for the following:
    • Disposal of confidential documents.
    • Destruction of computer equipment that may contain sensitive information.
    • Sanitization (i.e., object reuse) of equipment that might be sold or transferred to another organization.
    • Destruction of various types of media.
  2. Storage media (e.g., CD-ROMs, tapes and flash memories) that contain sensitive information that no longer needs to be kept shall be securely disposed of as follows:
    • Rewriteable media is erased using a secure procedure (e.g., multiple overwrites, three or more passes) to prevent the data from later being scavenged.
    • Paper documents are destroyed using paper shredders.
  3. The ICT Manager shall maintain disposal records which include the information owner’s disposal request and the corresponding department director’s approval.
  4. ICT equipment and storage media shall be checked prior to disposal or re-use to ensure that sensitive information and licensed software have been removed or securely overwritten.
  5. Destruction of sensitive information held on storage media shall only be performed after approval has been obtained for the method of destruction.

6.14 Unattended User Equipment

  1. The ICT Manager shall enable password-protected screen savers on all servers and workstations to prevent unauthorized access. The screen saver timer shall be set to 10 minutes of inactivity or less.
  2. Each user shall terminate active sessions when their activities are finished.
  3. Each user shall lock their equipment before leaving their desk.

6.15 Clear Desk and Clear Screen Policy

  1. At a minimum, the following guidelines shall be followed and implemented by all users to promote the clear desk and clear screen policy:
    • Paper and information media shall be stored in suitable locked cabinets and/or other forms of security furniture when not in use, especially outside normal working hours.
    • Sensitive or critical business documentation shall be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
    • Workstations and printers shall not be left logged on when unattended, and shall be protected by password-protected screen savers.
    • Photocopiers and faxes shall be locked (e.g., protected from unauthorized use through a PIN code function) outside normal working hours.
    • Confidential information, when printed, shall be immediately cleared from printers.
  2. Department Managers shall communicate the clear desk and clear screen policy to the employees in their own areas, and shall periodically monitor their activities to ensure users’ compliance.
  3. The Information Security Officer, in cooperation with the Personnel Affairs Department, shall ensure that awareness training addressing the clear desk and clear screen policy is delivered to all XXX employees.

7. Enforcement

Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.

If you need assistance or have any doubt and need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.