The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions and potentially put lives at risk. XXX is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken and, together with the supporting documented listed, forms a significant part of our Information Security Management System (ISMS). This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to XXX systems.
1.1 Secure areas
Information must be stored securely according to its classification. A risk assessment must be conducted to identify the appropriate level of protection to be implemented to secure the information being stored. Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. A building must have appropriate control mechanisms in place for the classification of information and equipment that is stored within it. These may include, but are not restricted to, the following:
- Alarms fitted and activated outside working hours
- Window and door locks
- Window bars on lower floor levels
Access control mechanisms fitted to all accessible doors (where codes are utilized they should be regularly changed and known only to those people authorized to access the area/building)
- CCTV cameras
- Staffed reception area
- Protection against damage – e.g. fire, flood, vandalism
- Staff working in secure areas must challenge anyone not wearing a badge.
Identification and access tools/passes (for example badges, keys, entry codes etc.) must only be held by persons authorized to access those areas and must not be loaned/provided to anyone else. Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. An organization employee must always monitor all visitors accessing secure areas. Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by the Service Provider as appropriate. Where breaches do occur, or an employee leaves outside normal termination circumstances, all identification and access tools/passes (for example badges, keys etc.) must be recovered from the employee and any door/access codes should be changed immediately.
1.3 Paper and equipment security
Paper based (or similar non-electronic) information must be assigned an owner and a classification. Appropriate information security controls must be put in place to protect it according to the provisions in the Asset Handling Procedure. Paper in an open office must be protected by the controls for the building and via appropriate measures that could include, but are not restricted to, the following:
- Filing cabinets that are locked with the keys stored away from the cabinet
- Locked safes
- Stored in a secure area protected by access controls
All general computer equipment must be located in suitable physical locations that:
- Limit the risks from environmental hazards – for example heat, fire, smoke, water, dust and vibration
- Limit the risk of theft-e.g. if necessary, items such as laptops should be physically attached to the desk
- Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people.
Data must be stored on network file servers or approved cloud locations where available. This ensures that information lost, stolen or damaged via unauthorized access can be restored and its integrity maintained. All servers located outside of the data centre in XXX’s premises must be sited in a physically secure environment. All servers located outside of the data centre in XXX’s premises must be sited in a physically secure environment. Business critical systems must be protected by an Un-interruptible Power Supply (UPS) to reduce the operating system and data corruption risk from power failures. All items of equipment must be recorded in the Service Provider inventory. Procedures must be in place to ensure the inventory is updated as soon as assets are received or disposed of. All equipment must be security marked and have a unique asset number allocated to it. This asset number must be recorded in the Service Provider inventory. Cables that carry data or support key information services must be protected from interception or damage. Power cables must be separated from network cables to prevent interference. Network cables must be protected by conduit and where possible avoid routes through public areas.
1.4 Equipment life cycle management
Service Provider and third-party suppliers must ensure that all of XXX’s IT equipment is maintained in accordance with the manufacturer’s instructions and any documented internal procedures to ensure it remains in effective working order. Staff involved with maintenance must:
- Retain all copies of manufacturer’s instructions
- Identify recommended service intervals and specifications
- Enable a call-out process in event of failure
- Ensure only authorised technicians complete any work on the equipment
- Record details of all remedial work carried out
- Identify any insurance requirements
- Record details of faults incurred and actions required
A service history record of equipment must be maintained so that decisions can be made regarding the appropriate time for it to be replaced. Manufacturer’s maintenance instructions must be documented and available for support staff to use when arranging repairs. The use of equipment off-site must be formally approved by the user’s line manager. Equipment that is to be reused or disposed of must have all its data and software erased / destroyed. If the equipment is to be passed onto another organization (for example returned under a leasing agreement) data removal must be achieved by using approved, appropriately secure software tools. Equipment deliveries must be signed for by an authorised individual using an auditable formal process. This process must confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded. Loading areas and holding facilities must be adequately secured against unauthorised access and all access must be auditable. Subsequent removal of equipment must be via a formal, auditable process. Information security arrangements must be subject to regular independent audit and security improvements recommended where necessary.
2.1 Secure Areas
2.1.1 Physical Security Perimeter
(a) University information processing facilities must be protected by a physical security perimeter.
(b) Information Owners must ensure appropriate controls are in place to establish secure areas. Sensitive information and assets must be protected while considering the safety of personnel. Control selection must be supported by an appropriate Risk Assessment.
(c) Controls that must be applied are:
- security perimeters must be clearly defined, and the siting and strength of each of the perimeters must depend on the security requirements of the assets within the perimeter and the results of a risk assessment;
- perimeters of a building or site containing information processing facilities must be physically sound (i.e. there must be no gaps in the perimeter or areas where a break-in could easily occur); the external walls of the site must be of solid construction and all external doors must be suitably protected against unauthorised access with control mechanisms, e.g. bars, alarms, locks, etc.; doors and windows must be locked when unattended and external protection must be considered for windows, particularly at ground level;
- a manned reception area or other means to control physical access to the site or building must be in place; access to sites and buildings must be restricted to authorised personnel only;
- physical barriers must, where applicable, be built to prevent unauthorised physical access and environmental contamination;
- all fire doors on a security perimeter must be alarmed, monitored, and tested in conjunction with the walls to establish the required level of resistance in accordance to suitable regional, national, and international standards;
- suitable intruder detection systems must be installed to national, regional or international standards and regularly tested to cover all external doors and accessible windows; unoccupied areas must be alarmed at all times; cover must also be provided for other areas, e.g. computer room or communications rooms.
(d) A secure area may be a lockable office, or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access may be needed between areas with different security requirements inside the security perimeter.
(e) Special consideration must be given towards physical access security when the facility houses multiple organisations or business units
2.1.2 Physical Entry Controls
(a) Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
(b) The following controls must be implemented:
- access to areas where sensitive information is processed or stored must be restricted to authorised personnel only;
- authentication controls, e.g. access control card system, must be used to authorise and validate such access;
- an audit trail of all access must be maintained;
- visitors must be escorted by authorised personnel;
- visitors must only be allowed access for specific and authorised purposes;
- the date and time of entry and departure of visitors must be recorded;
- all employees and other authorised personnel must wear visible identification;
- visitors must be issued badges or tags of a different colour than employees;
- employees must notify security personnel when they encounter unescorted visitors or anyone not wearing visible identification;
- third-party support personnel may be granted restricted access only when required; their access must be authorised and monitored; and
- access rights must be regularly reviewed
2.1.3 Securing Offices, Rooms and Facilities
(a) Controls to ensure security of information and information systems located in University offices, rooms and other facilities must be designed, applied and documented.
(b) Information Owners and IT Security Officers must regularly assess the security of areas where sensitive information is processed and/or stored. Controls that may be implemented to reduce associated risks are:
- physical entry controls ;
- ensure sensitive information is stored properly when not in use; and
- directories that identify the locations of data centres and other areas where sensitive information is stored must not be made public
2.1.4 Protecting Against External and Environmental Threats
2.1.5 Physical protection against natural disasters, malicious attack or accidents must be designed and applied.
2.1.6 Information Owners, Data Center Managers, IT Security staff, planners and architects must incorporate – to the extent possible – physical security controls that protect against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural and man-made disaster. Consideration must be given to any security threats presented by neighbouring premises or streets. In addition to building code and fire regulations:
(a) combustible or hazardous materials must be stored at a safe distance from the secure area;
(b) bulk supplies, e.g. stationary, must not be stored in a secure area;
(c) backup equipment and backup media must be located at a safe distance to avoid damage from a disaster affecting the main site; and
(d) environmental alarm systems, fire suppression and firefighting systems must be installed
2.1.7 Working in Secure Areas
(a) Additional security controls and procedures must be used by personnel when working in secure areas.
(b) Information Owners and IT Security Officers must identify and document requirements that apply to personnel who have been authorised to work in secure areas. Authorised personnel must be informed that:
- sensitive information cannot be discussed in a non-secure area;
- sensitive information cannot be disclosed to personnel who do not have a need-to-know;
- no type of photographic, smartphone, video, audio or other recording equipment can be brought into a secure area unless specifically authorised;
- maintenance staff, cleaners and others who require periodic access to the secure area must be screened and their names added to an access list; and
- visitors must be authorised, logged and escorted
2.1.8 Delivery and Loading Areas
(a) Access points such as reception, delivery and loading areas and other points where unauthorised persons may enter the premises must be controlled and, if possible, isolated from secure areas or offices to avoid unauthorised access.
(b) Information Owners, University IT Security Officers, planners and architects must ensure that:
- access to a delivery and loading area from outside of the building must be restricted to identified and authorised personnel;
- the delivery and loading area must be designed so that supplies can be unloaded without delivery personnel gaining access to other parts of the building;
- the external doors of a delivery and loading area must be secured when the internal doors are opened;
- loading docks and delivery areas must be regularly inspected and actively monitored;
- incoming material must be inspected for potential threats before this material is moved from the delivery and loading area to the point of use;
- incoming material must be registered in accordance with asset management procedures on entry to the site; and
- incoming and outgoing shipments must be physically segregated where possible
2.2.1 Equipment Siting and Protection
(a) Equipment must be protected to reduce the risks from unauthorised access, environmental threats and hazards.
(b) Information Owners, IT Security Officers, planners and architects must ensure that facilities are designed in a way that safeguards sensitive information and assets.
(c) Servers, routers, switches and other centralised computing equipment must be located in a room with access restricted to only those personnel who require it.
(d) Workstations, laptops, digital media and storage devices should be located and used in an area that is not accessible to the public.
(e) Equipment must be located, and monitors angled, in such a way that unauthorised persons cannot observe the display.
(f) Shared printers, scanners, copiers and fax machines should not be located in an area that is accessible to the public.
(g) Kiosks and other devices that are intended for public use must be clearly labelled and placed in a publicly accessible area
2.2.2 Supporting Utilities
(a) Equipment must be protected from power supply interruption and other disruptions caused by failures in supporting utilities.
(b) The following controls must be implemented to help ensure availability of critical services.
(c) All supporting utilities such as electricity, water supply, sewage, heating/ventilation and air conditioning must be adequate for the systems they are supporting. Support utilities must be regularly inspected and as appropriate tested to ensure their proper functioning and to reduce any risk from their malfunction or failure. A suitable electrical supply must be provided that conforms to the equipment manufacturer’s specifications.
(d) An uninterruptible power supply (UPS) to support orderly close down or continuous running is recommended for equipment supporting critical business operations. Power contingency plans must cover the action to be taken on failure of the UPS. A back-up generator must be considered if processing is required to continue in case of a prolonged power failure. An adequate supply of fuel must be available to ensure that the generator can perform for a prolonged period. UPS equipment and generators must be regularly checked to ensure it has adequate capacity and is tested in accordance with the manufacturer’s recommendations. In addition, consideration could be given to using multiple power sources or, if the site is large, a separate power substation.
(e) Emergency power off switches must be located near emergency exits in equipment rooms to facilitate rapid power down in case of an emergency. Emergency lighting must be provided in case of main power failure.
(f) The water supply must be stable and adequate to supply air conditioning, humidification equipment and fire suppression systems (where used). Malfunctions in the water supply system may damage equipment or prevent fire suppression from acting effectively. An alarm system to detect malfunctions in the supporting utilities must be evaluated and installed if required.
(g) Telecommunications equipment must be connected to the utility provider by at least two diverse routes to prevent failure in one connection path removing voice services. Voice services must be adequate to meet local legal requirements for emergency communications
2.2.3 Cabling Security
(a) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
(b) Power and telecommunications lines into information processing facilities must be underground, where possible, or subject to adequate alternative protection.
(c) When identified in a Risk Assessment, network cabling must be protected from unauthorised interception or damage by using a conduit and by avoiding routes through public areas.
(d) Power cables should be segregated from communications cables to prevent interference.
(e) Cables and equipment must be clearly marked to minimise handling errors such as accidental patching of wrong network cables. A documented patch list must be used to reduce the possibility of errors.
(f) When a Risk Assessment finds a need for more safeguards, consider:
- installation of rigid conduit and locked rooms or boxes at inspection and termination points;
- use of alternative routings and/or transmission media providing appropriate security;
- use of fibre optic cabling;
- use of electromagnetic shielding to protect the cables;
- initiation of technical sweeps and physical inspections for unauthorised devices being attached to the cables; and
- controlled access to patch panels and cable rooms
2.2.4 Equipment Maintenance
(a) Equipment must be correctly maintained to help ensure availability and integrity of sensitive information and assets.
(b) When equipment is serviced Information Owners must consider the sensitivity of the information it holds and the value of the assets. The following controls must be applied:
- equipment must be maintained in accordance with the supplier’s recommended schedule and specifications;
- only authorised maintenance personnel may carry out repairs and service equipment;
- records must be kept of all suspected faults and all preventive and corrective maintenance;
- maintenance must be scheduled at a time of day that limits interference with services or operations;
- users must be notified before equipment is taken off-line for maintenance.
(c) If off-site maintenance is required then the asset must be cleared of all sensitive information. If it’s not possible to de-sensitise assets before sending for maintenance then the CISO and Information Owner must consider destruction of the asset
2.2.5 Removal of Assets
(a) XXX-owned equipment, information and software must not be removed from XXX’s premises without prior authorisation.
(b) Information Owners must establish a formal authorisation process for the removal of assets for re-location, loan, maintenance, disposal or any other purpose. Authorisation must include:
- item description and serial number(s);
- information indicating where the asset will be located;
- the removal date and return date;
- the name of the individual responsible for the asset; and
- the reason for removal.
(c) The description and serial numbers must be verified when the asset is returned.
(d) Personnel must be informed of and accept responsibility for protection of the asset
2.2.6 Security of Equipment and Assets Off-Premises
(a) Assets must be safeguarded using documented security controls when off-site from XXX premises.
(b) Information Owners must ensure that equipment used or stored off-site is safeguarded in accordance with the sensitivity of the information and the value of the assets. Controls to apply include:
- encrypt sensitive data;
- use a logical or physical access control mechanism (BIOS password, USB key, smart card) to protect against unauthorised access;
- use a physical locking or similar mechanism to restrain the equipment;
- ensure personnel are instructed on the proper use of the chosen controls. Personnel in possession of equipment:
- must not leave it unattended in a public place;
- must ensure the equipment is under his/her direct control at all times when traveling;
- must take measure to prevent viewing of sensitive information by unauthorised personnel;
- must not allow other persons to use the equipment;
- must report loss or stolen equipment immediately
2.2.7 Secure Disposal or Re-Use of Equipment
(a) All data and software must be erased from equipment prior to disposal or redeployment.
(b) Information owners must consider the sensitivity of information and the value of the assets when determining whether or not hardware or media will be reused or destroyed.
(c) Prior to re-use within XXX:
- the integrity of University records must be maintained by adhering to the Records Management policy;
- information and software must be backed up by the original Information Owner; and
- the storage media must be wiped in accordance with the Asset Management Procedure (Disposal of Media).
(d) Storage media that will no longer be used in the University must be wiped by a method approved by the IT Security team, in compliance with the Asset Management Procedure. Asset inventories must be updated to record details of the data wiping including:
- asset identifier;
- date of erasure;
- names of personnel conducting the erasure.
(e) When a supplier conducts the data wiping there must be contractual and audit procedures to ensure complete destruction of the information. XXX must receive certification that the destruction has occurred.
2.2.8 Unattended User Equipment
(a) Users must ensure unattended equipment has appropriate protection.
(b) User must safeguard unattended equipment by:
- terminating the active session when finished;
- lock the session with a password protected screen saver or other approved mechanism;
- logoff computers, servers, terminals and other devices when the session is finished;
- enabling password protection on mobile devices, printers, kiosks and portable storage devices; and
- secure devices with a cable lock when enhanced physical security is justified
2.2.9 Clear Desk and Clear Screen Policy
(a) Users must safeguard sensitive information from unauthorised access, loss or damage.
(b) Users must secure their work space when it cannot be monitored by authorised personnel. Secure work spaces by:
- clearing desktops and work areas;
- locking hard copy sensitive information in an appropriate cabinet;
- locking portable storage devices with sensitive information in an appropriate cabinet;
- activating a password-protected screen saver;
- safeguarding incoming and outgoing mail;
- retrieving documents from printers and fax machines; and
- ensuring that sensitive hard copy documents no longer needed are placed in shredding bins, not recycle bins.
(c) When visitors, cleaning staff or other personnel without a “need-to-know” are in the area, safeguard sensitive information by:
- covering up and maintaining control of hard copy files;
- blanking computer screens or activating the password-protected screen saver.
- Sensitive information must not be discussed in public or other areas where there is a risk of being overheard by unauthorised personnel
2.3 Physical security Monitoring
The purpose is to detect and deter unauthorized physical access.Physical access monitoring includes publicly accessible areas within XXX. XXX shall
- Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
- Review physical access logs at least once every week and upon occurrence of events or potential indications of events and
- Coordinate results of reviews and investigations with the organizational incident response capability.
In XXX physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs should be done to identify suspicious activity, anomalous events, or potential threats. The reviews should be supported by audit logging controls. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.