ISO 27001:2022 A 7.7 Clear desk and clear screen

When an employee leaves his/her workstation unattended, sensitive information in the digital and physical materials on that workspace is exposed to a heightened risk of unauthorized access, loss of confidentiality, and damage. For instance, if an employee uses a customer relationship management tool that processes health records and leaves his/her computer unattended during a lunch break, malicious parties may capitalize on this opportunity to steal and misuse sensitive health data.

The clean desk and clear screen policy refers to practices that ensure sensitive information, in both digital and physical format, and assets (e.g. notebooks, cellphones, tablets, etc.) are not left unprotected in personal and public workspaces when they are not in use, or when someone leaves his/her workstation, either for a short time or at the end of the day. A clear screen policy directs all your organisation’s employees to lock their computers when leaving their desk and to log off when leaving for an extended period of time. This ensures that the contents of the computer screen are protected from prying eyes and that the computer is protected from unauthorized use. A clear screen policy and a clean desk policy work hand-in-hand to safeguard your organisation’s information.

With the popularity of open plan offices and shared computer workstations, there is a greater need to safeguard your organisation’s information. In addition, a clean desk and clear screen policy should be adopted because of the benefits it can provide to your organisation:

  1. Prevent Prying Eyes. Computers that are left logged on and unattended are a tempting target for prying eyes. For example, many employees entrusted with sensitive information leave documents open in plain view and leave their desk for breaks. An individual in your accounting department may leave a document open that exposes the hourly wages of all employees in the office.
  2. Prevent Unauthorised Access. A clear screen policy not only prevents curious passers-by from observing information they should not have access to, it also prevents unauthorised access. Computers left unattended provide the opportunity for malicious data input, modification, or deletion, for which the worker is often blamed.

Control

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

Purpose

To reduce the risks of unauthorized access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

ISO 27002 Implementation Guidance

The organization should establish and communicate a topic-specific policy on clear desk and clear screen to all relevant interested parties. The following guidelines should be considered:

  1. locking away sensitive or critical business information (e.g. on paper or on electronic storage media) (ideally in a safe, cabinet or other form of security furniture) when not required, especially when the office is vacated.
  2. protecting user endpoint devices by key locks or other security means when not in use or unattended.
  3. leaving user endpoint devices logged off or protected with a screen and keyboard locking mechanism controlled by a user authentication mechanism when unattended. All computers and systems should be configured with a timeout or automatic logout feature.
  4. making the originator collect outputs from printers or multi-function devices immediately. Use printers with an authentication function, so that the originators are the only ones who can collect their printouts, and only when standing next to the printer.
  5. securely storing documents and removable storage media containing sensitive information and, when no longer required, discarding them using secure disposal mechanisms.
  6. establishing and communicating rules and guidance for the configuration of pop-ups on screens (e.g. turning off the new email and messaging pop-ups, if possible, during presentations, screen sharing or in a public area).
  7. clearing sensitive or critical information on whiteboards and other types of display when no longer required.

The organization should have procedures in place when vacating facilities, including conducting a final sweep prior to leaving to ensure the organization’s assets are not left behind (e.g. documents fallen behind drawers or furniture).

Organisations should create and enforce a topic-specific policy that sets out clear desk and clear screen rules.

A clear screen policy is simple and practical to implement. Your employees should already be accustomed to logging off and/or shutting down their computer when leaving for the day, but few may lock their computers when leaving their desks, especially for short breaks. A clear screen policy is most difficult to enforce in its infancy. However, once your organisation stresses the importance of having a clear screen policy, your employees will eventually make it a habit. A clear screen policy should be in writing and communicated to all employees, especially during introductory and refresher training. Have all employees sign the document to acknowledge their acceptance of it.

Organisations should take the following into account when establishing and enforcing clear desk and clear screen rules:

  • Sensitive or critical information assets stored on digital or physical items should be locked securely when they are not in use or when the workstation hosting those materials is vacated. For example, items such as paper records, computers, and printers should be stored in secure furniture such as a locked or password-protected cabinet or drawer.
  • Devices used by employees such as computers, scanners, printers, and notebooks should be protected via security mechanisms such as key locks when they are not used or when they are left unattended.
  • When employees vacate their workspace and leave their devices unattended, they should leave their devices logged off and the reactivation of the device should be only via a user authentication mechanism. Furthermore, automatic time-out and log-out features should be installed on all end-point employee devices such as computers.
  • Printers should be set up so that print-outs are collected immediately by the person (the originator) who printed the document. Furthermore, a strong authentication mechanism should be in place so that only the originator is allowed to collect the printout.
  • Physical materials and removable storage media containing sensitive information should be kept secure at all times. When they are no longer needed, they should be disposed of through a secure mechanism.
  • Organisations should create rules for the display of pop-ups on screens and these rules should be communicated to all relevant employees. For example, e-mail and messaging pop-ups can contain sensitive information and if they are displayed on the screen during a presentation or in a public space, this may compromise the confidentiality of sensitive information.
  • Sensitive or critical information displayed on whiteboards should be erased when they are no longer needed.

When an organisation vacates a facility, physical and digital materials previously stored in that facility should be securely removed so that sensitive information is not left insecure. Therefore organisations need to establish procedures for the vacation of facilities so that all sensitive information assets housed in that facility are securely disposed of. These procedures may include carrying out a final sweep so that no sensitive information is left unprotected.

Pressing CTRL+ALT+DEL and clicking "Lock this computer" is straightforward and simple. However, a Windows key combination is simpler still: press Windows Key + L and your computer locks immediately.

Some basic guidelines for establishing a clear desk and clear screen policy

1. Be aware of the classification of the information you hold.

  • Public data can generally be made available or distributed to the general public;
  • Internal data is for internal use and not for external distribution; and
  • Restricted (moderately to highly sensitive) data is to be used only by individuals who require it in the course of performing their responsibilities, or data which is protected by legal requirements.

2. Ensure that your desk and surrounding workspace is clear of papers and clutter.

  • A clear desk assists clear thinking, enables you or your colleagues to find items quickly and promotes a more professional image to visitors.
  • Maintaining a clutter-free workspace can also help to reduce workplace accidents and falls.
  • Papers containing restricted information should be kept locked away while you are temporarily away from your desk in the middle of working on them. A locked drawer is suitable for this purpose, but if you have your own office, locking the door will suffice too.
  • Post-its should not be used to record restricted information, such as passwords, or other similar information.
  • If large numbers of files are required, a lockable filing cabinet should be procured and when you are finished with a file, it should be put away as soon as possible.
  • Don’t print out emails or papers only to read them and then throw them away. Only print what you absolutely need a hard copy of.
  • Always clear your desk before you leave for the day, that way information isn’t kept unsecured and you are ready to work when you arrive the next morning.
  • All waste paper which contains restricted information must be shredded or placed in ‘confidential waste’ bins. Under no circumstances should this type of waste paper be thrown away in normal wastebins.

3. Ensure that restricted information is not kept on your screen when not needed.

A clear screen works in a similar way to a clear desk and allows you to think more clearly.

How?

  • Close any applications or windows that are not required. Any that are required on an ongoing basis, such as Outlook, can be minimised to reduce clutter on the desktop.
  • Every time you leave your desk, even if only for a few minutes, you should lock your screen (press the Windows key and L at the same time). A quick chat or coffee break can turn into an extended time away from your desk. Computers should be set up to require a password to unlock; this setting should not be disabled.
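The guidance above, like item 3 of the ISO 27002 list and the earlier bullet on automatic time-out and log-out, assumes that the screen lock is configured centrally and cannot be switched off by the user. The following PowerShell script is an added example, not part of the ISO text or of this page, that audits a Windows workstation against such a policy and can write the corresponding Group Policy registry values. The registry paths and value names are the ones Windows Group Policy uses for "Enable screen saver", "Screen saver timeout", "Password protect the screen saver", "Force specific screen saver" and "Interactive logon: Machine inactivity limit"; the 10-minute limit, the function names and the choice of the blank screen saver are this example's own assumptions.

```powershell
# Added example: audit (and optionally enforce) clear-screen settings on a
# Windows 10/11 workstation. Not part of the ISO text or of this page.
# Assumptions: run in PowerShell on Windows; the 10-minute limit and the blank
# screen saver are choices made for this example, not values from the standard.

$MaxIdleSeconds = 600   # lock after 10 minutes of inactivity (example policy value)

# Policy values written by Group Policy; they take precedence over the user's own
# settings in HKCU:\Control Panel\Desktop and cannot be changed from the Settings app.
$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserDesktop   = 'HKCU:\Control Panel\Desktop'
# "Interactive logon: Machine inactivity limit": locks the session even without a screen saver
$MachinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveUserValue {
    param([string]$Name)
    # The policy key wins; fall back to the user's own Control Panel setting
    $v = Get-RegValue $UserPolicy $Name
    if ($null -eq $v) { $v = Get-RegValue $UserDesktop $Name }
    return $v
}

function Test-ClearScreenPolicy {
    $findings = @()

    $active   = Get-EffectiveUserValue 'ScreenSaveActive'
    $timeout  = Get-EffectiveUserValue 'ScreenSaveTimeOut'
    $secure   = Get-EffectiveUserValue 'ScreenSaverIsSecure'
    $saver    = Get-EffectiveUserValue 'SCRNSAVE.EXE'
    $machIdle = Get-RegValue $MachinePolicy 'InactivityTimeoutSecs'

    if ($active -ne '1') { $findings += 'Screen saver is not enabled' }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout is '$timeout' s; must be <= $MaxIdleSeconds s"
    }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
    # With no screen saver selected the timeout never fires, so the lock never happens
    if (-not $saver) { $findings += 'No screen saver is selected, so the idle timeout has no effect' }
    if (-not $machIdle -or [int]$machIdle -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit is '$machIdle' s; must be <= $MaxIdleSeconds s"
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-ClearScreenPolicy {
    # Write the policy values so users cannot turn the lock off themselves
    foreach ($path in @($UserPolicy, $MachinePolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds" -Type String
    Set-ItemProperty -Path $UserPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    # Blank screen saver shipped with Windows; it displays nothing, which is the point
    Set-ItemProperty -Path $UserPolicy -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
    Set-ItemProperty -Path $MachinePolicy -Name 'InactivityTimeoutSecs' -Value $MaxIdleSeconds -Type DWord
}

$result = Test-ClearScreenPolicy
if ($result.Compliant) {
    Write-Output 'Clear screen policy: compliant'
} else {
    $result.Findings | ForEach-Object { Write-Output "Finding: $_" }
    # Set-ClearScreenPolicy   # uncomment to remediate (the HKLM value needs an elevated session)
}
```

Run the audit under the user's own account so that it reads that user's HKCU hive; the remediation needs an elevated session for the HKLM value. The machine inactivity limit is checked separately because it locks the session on its own, so it still enforces the policy if a user manages to disable the screen saver.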

4. Know where your mobile and portable storage devices are at all times.

Theft or misuse of devices leaves you susceptible to exploitation of any data they may hold. Every time you leave your desk, ensure any mobile devices are locked away or taken with you.

5. Keep your copies safe.

Restricted information left lying around in printer trays or fax machines may be picked up and/or used maliciously by someone who shouldn’t have access to that information. All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

ISO 27001:2022 A 7.6 Working in Secure Areas

Secure areas are areas within buildings or facilities where personnel work with sensitive information or assets (e.g. classified material). Secure areas are sites where sensitive information is handled or housed. This means that anywhere IT equipment or personnel are sheltered qualifies as a secure area: buildings, rooms and offices can all be secure areas. The purpose of physical security processes is to ensure that your information is protected from physical threats, and this includes both physical and digital assets. Organisations must put in place appropriate security measures that apply to all personnel working in secure areas so that they cannot access, use, modify, destroy, damage, or interfere with information assets or information facilities without authorization. Housing sensitive information assets in secure areas such as secure server rooms and implementing strict access controls is not sufficient to maintain the security of these assets. Employees with access to secure rooms may, deliberately or negligently, cause damage to the hardware equipment and digital assets stored in secure areas, or access, use or destroy these information assets and facilities without permission.

Control

Security measures for working in secure areas should be designed and implemented.

Purpose

To protect information and other associated assets in secure areas from damage and unauthorized interference by personnel working in these areas.

ISO 27002 Implementation Guidance

The security measures for working in secure areas should apply to all personnel and cover all activities taking place in the secure area. The following guidelines should be considered:

  1. making personnel aware only of the existence of, or activities within, a secure area on a need-to-know basis;
  2. avoiding unsupervised work in secure areas both for safety reasons and to reduce chances for malicious activities;
  3. physically locking and periodically inspecting vacant secure areas;
  4. not allowing photographic, video, audio or other recording equipment, such as cameras in user endpoint devices, unless authorized;
  5. appropriately controlling the carrying and use of user endpoint devices in secure areas;
  6. posting emergency procedures in a readily visible or accessible manner.

The security measures should cover all personnel working in secure areas and should apply to all activities carried out in these areas. While the type and degree of security measures implemented may vary depending on the level of risk to specific information assets, organisations should adhere to the following:

  • Organisations should inform their personnel about the existence of secure areas and about the specific operations conducted in these areas on a need-to-know basis.
  • No personnel should be allowed to carry out any unsupervised activity in the designated secure areas.
  • Unoccupied secure areas should be locked and should be subject to periodic inspections.
  • Use of recording equipment, including equipment used to record audio, video, and photos, should be subject to strict authorisation procedures.
  • Carriage and use of end-point user devices such as laptops and smartphones in secure areas should be subject to strict controls.
  • Emergency procedures should be displayed in a place easily accessible to all personnel working in secure areas.

The design of secure working areas should also consider:

  • writing an operational requirement
  • the principle of locating them in spaces where the vulnerabilities are at their lowest (e.g. away from public areas, not overlooked, etc.)
  • the concept of multiple layers, following the principles of deter, detect, delay etc.
  • the three central pillars of barriers, access control and detection
  • the physical measures being built using appropriate and proven materials, equipment and methods that are relevant to the threats
  • the physical security measures being commensurate and compatible with personnel, information and technical security measures; threats to secure working areas are likely to be persistent, and security will only be as strong as the weakest link
  • the successful implementation of procedural controls to ensure security integrity.

The physical security controls typically applied include:

  • A physical security perimeter – such as walls, card-controlled entry gates or manned reception security desks
  • Physical entry controls – adequate and appropriate entry controls to ensure only authorised personnel are allowed access
  • Secure offices, rooms and facilities – physical corporate security solutions designed and applied
  • Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters
  • Secure area protection – physical corporate security solutions designed and applied for secure areas
  • Physical security for public access, delivery and loading areas – access points where unauthorised persons may enter should be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access

To ensure compliance, here are some physical security tips:

  • The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.
  • The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.
  • Ban mobile phone and camera use in secure areas.
  • Prohibit lone working in secure areas.
  • Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.
  • Ensure delivery and loading areas don’t give direct access to secure areas.
  • Install a welcome desk where all visitors are required to report first.
  • Have security guards challenge unknown persons.
  • Monitor spaces around the perimeter with CCTV or security patrols.

ISO 27001:2022 A 7.5 Protecting against physical and environmental threats

Physical security for information systems refers to the prevention methods put in place to stop people entering physical premises that would give them access to information. The most obvious example is having locks, alarms and perhaps security guards on the premises of your organisation, meaning only authorised personnel can enter. Environmental controls are mechanisms put in place to protect your organisation’s information and resources from environmental impact. This could include (but is not limited to) the threat of floods, earthquakes, fires, or extreme weather conditions. Any of these threats could result in interruptions to your organisation and its information, such as power outages, blockages of communication or the lack of access to filtered water and gas.

Physical controls are important because you do not want just anybody having access to your information. In order to implement effective physical controls, you must review the physical building your organisation is set up in, and any other buildings that employees may work from or where information is held. You may also need to review any hosts of your product or service (for example, if you are a software company) to ensure the host of your service is protected. You then need to record this information and review it regularly to ensure it remains secure.

Environmental controls are important for information security because if there is a failure in environmental controls, there could be a threat of loss of important information or data. For example, if an environmental force causes a power outage at the offices of your organisation, you may be at risk of losing information that is not backed up or secured.

This clause centres on protecting against the inevitable attacks on organisations. These attacks can be environmental, or a cyber threat that steals your information or the private data of your customers and/or suppliers. Natural disasters like floods, earthquakes, and fires are inevitable events, and organisations must include procedures and policies to deal with these threats. The pandemic has made organisations aware that they need to proceed with remote working; some may work where the risk is high, and this needs to be identified by the management team. This could be addressed by identifying the risk around the business areas. Understanding your location and what is in the immediate vicinity is critical to identifying potential risks. This standard requires that physical and environmental threats are properly recognised and controlled by the organisation.

Appropriate environmental threat protection controls are necessary to limit the impact that either human-made or environmental threats may have on an organization’s operations, systems, personnel, or data availability. If not appropriately addressed, the lack of these controls can have a negative impact on an organization’s ability to maintain the delivery of its products or services. Organisations must be able to measure the potential adverse effects of environmental and physical threats and to mitigate and/or eliminate these effects by putting in place appropriate measures. Threats to information assets are not merely digital: an organisation’s critical physical infrastructure hosting information assets is also exposed to environmental and physical threats that may result in loss, destruction, theft and compromise of information assets and sensitive data. These threats may include natural events such as earthquakes, floods and wildfires. They may also include man-made disasters such as civil unrest and criminal activities. Organisations should assess, identify and mitigate risks to critical physical infrastructure arising from physical and environmental threats.

Control

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

Purpose

To prevent or reduce the consequences of events originating from physical and environmental threats.

ISO 27002 Implementation Guidance

Risk assessments to identify the potential consequences of physical and environmental threats should be performed prior to beginning critical operations at a physical site, and at regular intervals. Necessary safeguards should be implemented and changes to threats should be monitored. Specialist advice should be obtained on how to manage risks arising from physical and environmental threats such as fire, flood, earthquake, explosion, civil unrest, toxic waste, environmental emissions and other forms of natural disaster or disaster caused by human beings. Physical premises location and construction should take account of:

  a) local topography, such as appropriate elevation, bodies of water and tectonic fault lines;
  b) urban threats, such as locations with a high profile for attracting political unrest, criminal activity or terrorist attacks.

Based on risk assessment results, relevant physical and environmental threats should be identified and appropriate controls considered in the following contexts as examples:

  a) fire: installing and configuring systems able to detect fires at an early stage to send alarms or trigger fire suppression systems in order to prevent fire damage to storage media and to related information processing systems. Fire suppression should be performed using the most appropriate substance with regard to the surrounding environment (e.g. gas in confined spaces);
  b) flooding: installing systems able to detect flooding at an early stage under the floors of areas containing storage media or information processing systems. Water pumps or equivalent means should be readily made available in case flooding occurs;
  c) electrical surges: adopting systems able to protect both server and client information systems against electrical surges or similar events to minimize the consequences of such events;
  d) explosives and weapons: performing random inspections for the presence of explosives or weapons on personnel, vehicles or goods entering sensitive information processing facilities.

Other information

Safes or other forms of secure storage facilities can protect information stored therein against disasters such as a fire, earthquake, flood or explosion. Organizations can consider the concepts of crime prevention through environmental design when designing the controls to secure their environment and reduce urban threats. For example, instead of using bollards, statues or water features can serve as both a feature and a physical barrier.

This control relates primarily to natural disasters and infrastructural damage. Threats include weather events, such as floods, fires and heavy snowfall, as well as man-made incidents, including property damage and sabotage. The external and environmental threats that an organisation is most likely to face will depend on its location – on a macro and micro level. For example, an organisation based in a cold-weather city is more likely to consider the risk of rain and snow. Meanwhile, an organisation based in an older building might face greater risks related to infrastructural damage, such as leaky pipes. The key to compliance is to identify the likelihood and probability of external and environmental risks occurring, and to treat them appropriately. Some risks will be unavoidable or prohibitively expensive to eradicate, so organisations should focus on ways to mitigate the risk. Other times, there will be potentially devastating risks that can be addressed with simple fixes.

Physical protection against the damage from fires, floods, earthquakes, explosions, civil unrest, and other forms of environmental or human-made disasters should be implemented to protect the organization. These protective controls are generally defined and documented in a Physical Security Policy that is made available to all appropriate personnel. Once defined, these controls can be used not only to protect information systems and personnel, but also to address the risk treatment or risk mitigation of findings identified by your organization’s risk assessment.

Smoke or heat activated fire detectors and alarms should be installed. Organizations should ensure these detectors and alarms are continuously operating effectively. Detectors should not be located near air conditioning vents or intake ducts that can disperse smoke, thus preventing the triggering of alarms. Fire authorities should be automatically notified when a fire alarm is activated.

Appropriate fire suppression systems, such as sprinklers, should be implemented throughout your facilities and within secure areas containing information systems. These suppression systems should be automated for any facilities or areas that are not staffed continuously. Fire suppression and detection devices or systems that are supported by independent energy sources should be implemented and maintained. Maintenance logs should be kept up to date to demonstrate these physical security devices are regularly maintained.

Water or moisture detection devices should be located in dropped ceilings and within raised floors to detect water leaks or possible flooding. Information systems should be protected from damage resulting from water leaks by ensuring that master shutoff valves are installed, accessible, and working properly. Master shutoff valves should be clearly marked, and their location should be known by all key personnel.

A three-step process to identify and eliminate risks due to physical and environmental threats:

Step 1: Complete a Risk assessment
Organisations should conduct a risk assessment to identify potential physical and environmental disasters that may occur at each specific physical premises and then measure the effects likely to arise from the identified physical and environmental threats. Considering that each physical premises and the infrastructure therein will be subject to different environmental conditions and physical risk factors, the type of threat and the level of risk identified will vary by premises and location. For instance, while one premises may be most vulnerable to wildfire, another may be located in an area where earthquakes occur frequently. Another critical requirement is that this risk assessment should be carried out before the launch of operations at a physical premises.

Step 2: Identify and Implement Controls
Based on the type of threat and the level of risk identified in the first step, organisations should put in place appropriate controls, taking into account the likely consequences of the environmental and physical threats. To illustrate, here are examples of controls that can be put in place for the following threats:

  • Fire: Organisations should deploy systems to trigger alarms when a fire is detected or to activate fire suppression systems capable of protecting storage media and information systems from damage.
  • Flooding: Systems should be deployed and configured to detect flooding in areas where information assets are stored. Furthermore, tools such as water pumps should be ready to be used in case of flooding.
  • Electrical Surges: Servers and critical information management systems should be maintained and protected against electrical surges and similar events.
  • Explosives and Weapons: Organisations should carry out random audits and inspections on all individuals, items and vehicles entering premises that host critical infrastructure.

Step 3: Monitoring
Considering that the type of threats and the level of risks may change over time, organisations should continuously monitor the risk assessments and reconsider the controls they implemented if needed.

Four specific considerations that organisations should take into account:

  • Consultation With Experts: Each specific type of environmental and physical threat, whether it is toxic waste, earthquake or fire, is unique in terms of its nature, the risks it presents and the counter-measures it requires. Therefore, organisations should seek expert advice on how to identify, eliminate and/or mitigate risks arising from these threats.
  • Choice of Location for Premises: Taking into account the local topography, water levels and tectonic movements of the potential location for premises can help identify and eliminate risks early on. Furthermore, organisations should consider the risks of man-made disasters in the chosen urban area such as political unrest and criminal activity.
  • Extra Layer of Security: In addition to the specific controls implemented, secure information storage methods such as safes can add an extra layer of security against disasters such as fire and flooding.
  • Crime Prevention Through Environmental Design: Organisations can consider this concept when implementing controls to enhance the security of premises. This method can be used to eliminate urban threats such as criminal activities, civil unrest and terrorism.

Incidents are always a question of when, not if. Given current business trends, technical and administrative controls may attract more attention from security practitioners, but they must never forget that those controls ultimately rely on physical assets that must be protected as well, in many cases with superior levels of reliability. In addition to hardware and software, construction measures can be incorporated that reduce the likelihood of compromise, such as:

  • Location: By knowing the previous history of a place, an organization can avoid sites subject to natural events like earthquakes, floods, and hurricanes, or to activities like criminal actions and vandalism. If it has no other options, it can at least prepare the site/facility to deal with those kinds of situations (e.g., reinforced foundations and selection of an alternative site).
  • Walls: Reinforced walls and treatments to protect them against agents like fire, water, and chemicals can help minimize or delay the effects of those agents over an organization’s assets.
  • Entrances: Windows and doors represent a dilemma, since they should consider reinforcement against unauthorized access as well as facilitate people’s exit in case of emergency. For other not-so-obvious entrance points (e.g., ventilation ports and shafts), they should consider measures to prevent both people and animals from sneaking into the site or gaining access to the cabling or piping.
  • External services: No organization is fully autonomous, and that means they depend on some external services like energy, communications, public transport, and, in case of accidents and disaster, emergency services. An organization should consider its needs for locations accessible by multiple routes and providers.
  • Natural surveillance: See and be seen is a key factor for threat mitigation, and landscaping obstructions may cause points of vulnerability. While thinking about site surroundings, try to ensure there is a clear view of people, to make threatening activities easier to spot. Low solid fences, high tree foliage and points of observation are good examples.
  • Natural access control: Use the natural landscape to direct traffic flow. Entrances sided by low hills offer more protection than those sided by flat terrain. A single entrance is better than multiple. Colored lines signaling routes are another alternative to make users naturally find their way in and out and increase opportunities to spot and discourage suspicious behavior.
  • Territorial reinforcement: Although spaces can be welcoming, they should be well defined and have clear boundaries. In this way you can change the way people use the areas, through unwritten rules that help prevent or spot undesirable behavior. Subtle changes in layout and signage are good examples of territorial reinforcement.
  • Other elements that can be considered are traffic calming, transition zones, maintenance, and lighting.

Prevention and Protection

Physical security needs to conform to the standards in force concerning both fire and environmental risks. Next, organisations should define sensitive areas (computer rooms, specific offices, etc.) that must be protected in a specific way because they shelter vital data or critical infrastructure; in effect, a high-level inventory dedicated to security. The protection of sensitive areas must be based on a prioritization of which risks to combat first. For example, in the case of fire, suppression mechanisms using agents that are not likely to damage computer hardware should be used, fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan should be put in place and tested, including the protection of all IT infrastructure. For all types of risk, the approach should be the same:

  1. Define the perimeter.
  2. Introduce preventive (to avoid the disaster) and protective (to protect the installation in case the disaster occurs) measures.
  3. Test and evaluate these measures regularly.

To protect against all of these risks, approaches may vary depending on the situation. Below are some basic protective measures which are required for most cases:

  To guard against              Protective measures
  Electrical failure            Electronic protection/controls (inverters, etc.)
                                Redundancy (duplication of machines/circuits)
  Fire                          Detection and fire protection: smoking ban, disaster plan, fireproof cabinets, etc.
                                Decentralised back-ups
                                Redundancy (duplication of machines/circuits)
  Flooding                      Location of computer rooms outside risk areas
                                Flood detection system
                                Elevation of computer equipment
                                Use of hermetic tubes for wiring
                                Compartmentalised flooring
                                Decentralised back-ups, dry archives
  Theft, intrusion, espionage   Restricted physical access
                                Tracking of visitors
                                Alarm systems
  Sabotage                      Redundancy (duplication of machines/circuits)
                                Decentralised back-ups
                                Restricted physical access
  Hardware malfunctions         Regulation of temperature (computer rooms)

ISO 27001:2022 A 7.4 Physical security monitoring

This control deals with the implementation of appropriate surveillance systems to prevent unauthorized access by intruders to sensitive physical premises. Physical security monitoring is designed to protect buildings and safeguard the equipment inside. In short, it keeps unwanted people out and gives access to authorized individuals. While network and cyber security are important, preventing physical security breaches and threats is key to keeping your technology and data safe, as well as any staff or faculty who have access to the building. Without physical security plans in place, your office or building is left open to criminal activity and liable to physical security threats including theft, vandalism, fraud, and even accidents. Physical security monitoring requires organisations to detect and prevent external and internal intruders who enter restricted physical areas without permission, by putting in place suitable surveillance tools. These surveillance tools constantly monitor and record access-restricted areas and protect the organisation against risks that may arise as a result of unauthorized access, including but not limited to:

  • Theft of sensitive data.
  • Loss of information assets.
  • Financial damage.
  • Theft of removable media assets for malicious use.
  • Infection of IT assets with malware.
  • Ransomware attacks that may be carried out by an intruder.

From landscaping elements and natural surveillance, to encrypted key cards or mobile credentials, to lockdown capabilities and emergency mustering, there are many different components to preventing the different types of physical security threats in the modern workplace.

Control

Premises should be continuously monitored for unauthorized physical access.

Purpose

To detect and deter unauthorized physical access.

Guidance

Physical premises should be monitored by surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider. Access to buildings that house critical systems should be continuously monitored to detect unauthorized access or suspicious behavior by:
a) installing video monitoring systems such as closed-circuit television to view and record access to sensitive areas within and outside an organization’s premises.
b) installing, according to relevant applicable standards, and periodically testing contact, sound or motion detectors to trigger an intruder alarm such as:

  1. installing contact detectors that trigger an alarm when a contact is made or broken in any place where a contact can be made or broken (such as windows and doors and underneath objects) to be used as a panic alarm.
  2. motion detectors based on infra-red technology which trigger an alarm when an object passes through their field of view.
  3. installing sensors sensitive to the sound of breaking glass which can be used to trigger an alarm to alert security personnel.

c) using those alarms to cover all external doors and accessible windows. Unoccupied areas should be alarmed at all times; cover should also be provided for other areas (e.g. computer or communications rooms).

The design of monitoring systems should be kept confidential because disclosure can facilitate undetected break-ins. Monitoring systems should be protected from unauthorized access in order to prevent surveillance information, such as video feeds, from being accessed by unauthorized persons or systems being disabled remotely. The alarm system control panel should be placed in an alarmed zone and, for safety alarms, in a place that allows an easy exit route for the person who sets the alarm. The control panel and the detectors should have tamper proof mechanisms. The system should regularly be tested to ensure that it is working as intended, particularly if its components are battery powered. Any monitoring and recording mechanism should be used taking into consideration local laws and regulations including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods.

In the built environment, we often think of physical security control examples like locks, gates, and guards. While these are effective, there are many additional and often forgotten layers to physical security for offices that can help keep all your assets protected. A comprehensive physical security plan combines both technology and specialized hardware, and should include countermeasures against intrusion such as: 

  • Site design and layout
  • Environmental components 
  • Emergency response readiness
  • Training
  • Access control
  • Intrusion detection
  • Power and fire protection

Organisations are to implement these three steps at a minimum to detect and deter unauthorized access to facilities that host critical information assets:

Step 1: Put in place a video monitoring system
Organisations should have a video surveillance system, such as CCTV cameras, in place to continuously monitor access to restricted areas that host critical information assets. Furthermore, this surveillance system should keep a record of all entries into the physical premises.

Step 2: Install detectors to set off an alarm
Triggering an alarm when an intruder accesses physical premises enables the security team to respond quickly to security breaches. Furthermore, it can also be effective at deterring the intruder. Organisations should use motion, sound, and contact detectors that set off an alarm when unusual activity within the physical premises is detected. In particular:

  • A contact detector should be installed and should set off an alarm when an unknown object or individual makes or breaks contact with a monitored object. For example, a contact detector can be configured to trigger an alarm when a window or door is opened.
  • Motion detectors can be programmed to start an alarm when the movement of an object is detected within their range of view.
  • Sound detectors such as break glass detectors can be activated when a sound is detected.

Step 3: Configuration of alarms to protect all internal premises
The third compliance step requires the configuration of the alarm system to ensure that all sensitive areas, including all external doors, windows, unoccupied areas and computer rooms are within the range of the alarm system so that there is no vulnerability that can be exploited. For example, if premises such as smoking areas or even gym entrances are not surveilled, these may be used as attack vectors by intruders.

The top 5 most common threats your physical security system should protect against are:

  • Theft and burglary
  • Vandalism
  • Natural disasters
  • Terrorism or sabotage
  • Violence in the workplace

Depending on where your building is located and what type of industry you’re in, some of these threats may be more important for you to consider. For example, if your building or workplace is in a busy public area, vandalism and theft are more likely to occur. If your building houses a government agency or large data storage servers, terrorism may be higher on your list of concerns. Before updating a physical security system, it’s important to understand the different roles technology and barriers play in your strategy. The smartest security strategies take a layered approach, adding physical security controls layer by layer. This means building a complete system with strong physical security components to protect against the leading threats to your organization. The four main security technology components are:

  1. Deterrence – These are the physical security measures that keep people out of or away from the space. Deterrent security components can be a physical barrier, such as a wall, door, or turnstile. Technology can also fall into this category: access control systems and video security cameras deter unauthorized individuals from attempting to access the building, too.
  2. Detection – Just because you have deterrents in place, doesn’t mean you’re fully protected. Detection components of your physical security system help identify a potential security event or intruder. Sensors, alarms, and automatic notifications are all examples of physical security detection.
  3. Delay – There are certain security systems that are designed to slow intruders down as they attempt to enter a facility or building. Access control, such as requiring a key card or mobile credential, is one method of delay. Smart physical security strategies have multiple ways to delay intruders, which makes it easier to mitigate a breach before too much damage is caused.
  4. Response – These are the components that are in place once a breach or intrusion occurs. Examples of physical security response include communication systems, building lock downs, and contacting emergency services or first responders.

Together, these physical security components work to stop unwanted individuals from accessing spaces they shouldn’t, and notify the necessary teams to respond quickly and appropriately. Your physical security plans should address each of the components above, detailing the technology and processes you’ll use to ensure total protection and safety. Before implementing physical security measures in your building or workplace, it’s important to determine the potential risks and weaknesses in your current security. Detection is of the utmost importance in physical security. While it is impossible to prevent all intrusions or physical security breaches, having the right tools in place to detect and deal with intrusions minimizes the disruption to your business in the long run. To locate potential risk areas in your facility, first consider all your public entry points. Where people can enter and exit your facility, there is always a potential security risk. Baseline physical security control procedures, such as proper access control measures at key entry points, will help you manage who is coming and going, and can alert you to potential intrusions. Once inside your facility, you’ll want to look at how data or sensitive information is being secured and stored. Do you have server rooms that need added protection? Are desktop computers locked down and kept secure when nobody is in the office? Do employees have laptops that they take home with them each night? Even USB drives or a disgruntled employee can become major threats in the workplace. List out all the potential risks in your building, and then design security plans to mitigate the potential for criminal activity. Take a look at these physical security examples to see how the right policies can prevent common threats and vulnerabilities in your organization.

  • Restrict access to IT and server rooms, and anywhere laptops or computers are left unattended
  • Use highly secure access credentials that are difficult to clone, fully trackable, and unique to each individual
  • Require multi-factor authentication (MFA) to unlock a door or access the building
  • Structure permissions to employ least-privilege access throughout the physical infrastructure
  • Eliminate redundancies across teams and processes for faster incident response
  • Integrate all building and security systems for a more complete view of security and data trends
  • Set up automated security alerts to monitor and identify suspicious activity in real-time

Physical security planning is an essential step in securing your building. Use this guideline to create a physical security plan that addresses your unique concerns and risks, and strengthens your security posture.

  1. Identify the scope of your physical security plans. This should include the types of employees the policies apply to, and how records will be collected and documented.
  2. Determine who is responsible for implementing your physical security plans, as well as the key decision-makers for making adjustments or changes to the plan.
  3. Include the different physical security technology components your policy will cover.
  4. State the types of physical security controls your policy will employ. Include any physical access control systems, permission levels, and types of credentials you plan on using.
  5. List out key access points, and how you plan to keep them secure.
  6. Define your monitoring and detection systems. What types of video surveillance, sensors, and alarms will your physical security policies include? Identify who will be responsible for monitoring the systems, and which processes will be automated.
  7. Outline all incident response policies. Your physical security planning needs to address how your teams will respond to different threats and emergencies.
  8. Scope out how to handle visitors, vendors, and contractors to ensure your physical security policies are not violated.
  9. Create a cybersecurity policy for handling physical security technology data and records. Include your policies for encryption, vulnerability testing, hardware security, and employee training.
  10. Address how physical security policies are communicated to the team, and who requires access to the plan.

Here’s a quick overview of the best practices for implementing physical security for buildings.

  • Install perimeter security to prevent intrusion. Physical barriers like fencing and landscaping help establish private property, and deter people from entering the premises. 
  • Use access control systems to provide the next layer of security and keep unwanted people out of the building. When selecting an access control system, it is recommended to choose a cloud-based platform for maximum flexibility and scalability.
  • Integrate your access control with other physical security systems like video surveillance and user management platforms to fortify your security.
  • Employ cyber and physical security convergence for more efficient security management and operations.
  • Regularly test your physical security measures to ensure you’re protected against the newest physical security threats and vulnerabilities.
  • Always communicate any changes to your physical security system with your team.

ISO 27001:2022 A 7.3 Securing offices rooms and facilities

Security of offices, rooms and facilities may seem easy and obvious, but it is worth considering and regularly reviewing who should have access, when and how. Some of the things that often get missed are: who can see or even hear into the office from outside, and what to do about it; whether access is updated when staff leave or transfer and so no longer need access to a particular room; whether visitors need to be escorted in the area and, if so, whether they are; and whether staff are vigilant about challenging and reporting people they do not recognize. For rooms that are shared with others (e.g. a rented office meeting room), policies should also cover the protection or removal of valuable assets when the room is not occupied by the organisation, ranging from laptops to information left on whiteboards, flip charts, etc. The external auditor will inspect the security controls for offices, rooms and facilities and check that there is evidence of adequate, risk-based control implementation, operation and periodic review.

Control

Physical security for offices, rooms and facilities should be designed and implemented.

Purpose

To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets in offices, rooms and facilities.

ISO 27002 Implementation Guidance

The following guidelines should be considered to secure offices, rooms and facilities:

  1. siting critical facilities to avoid access by the public;
  2. where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities;
  3. configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate;
  4. not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.

Physical security is a critical element of information security. The two go hand in hand and must be considered together. Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Physical security refers to protective measures taken to safeguard personnel, facilities, equipment and other assets against natural or man-made hazards by reducing risks related to burglary, sabotage, terrorism and other criminal acts. The first step in physical security for information-sensitive locations is determining whether you have one. Information-sensitive locations are rooms, offices and facilities where there are computers that contain sensitive data or where there are people who have access to sensitive data. Physical security can include:

Locks and Keys: Locking doors, windows and cupboards; using security seals on laptops and mobile devices; password protection for computers; encryption for sensitive data.

CCTV: Closed circuit television cameras are an excellent way of monitoring activity around premises or in specific areas of a building.

Intruder Alarms: These can be activated by movement, heat or sound and are used to alert you to intruders or people who shouldn’t be in a particular area (for example, an alarm sounding when someone tries to break into the office).

The purpose of A 7.3 is to prevent unauthorized physical access, damage and interference to the organisation’s information and other associated assets in offices, rooms and facilities, and to reduce the risk of unauthorized physical access to offices, rooms and facilities to an acceptable level by:

  • Preventing unauthorised physical access to offices, rooms and facilities by persons other than authorised personnel.
  • Preventing damage to or interference with the organisation’s information and other associated assets inside offices, rooms and facilities.
  • Ensuring that information security sensitive areas are unobtrusive, to make it hard for people to determine their purpose.
  • Minimizing the risk of theft or loss of property within offices, rooms and facilities.
  • Ensuring that people who have authorized physical access are identified (this can be achieved by using a combination of uniform badges, electronic door entry systems and visitor passes).
  • Using CCTV or other monitoring devices, where possible, to provide security surveillance over key areas such as entrances and exits.

It applies to all buildings used by the organisation for offices or administrative functions. It also applies to rooms where confidential information is stored or processed, including meeting rooms where sensitive discussions take place. It does not apply to reception areas or other public areas of an organisation’s premises unless they are used for administrative purposes (e.g. a reception area that doubles as an office). It specifies that rooms and facilities must be secured. The following security measures can be taken to ensure that rooms and facilities are secure:

  • Siting critical facilities to avoid access by the public.
  • Where applicable, ensuring buildings are unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
  • Configuring facilities to prevent confidential information or activities from being visible and audible from the outside. Electromagnetic shielding should also be considered as appropriate.
  • Not making directories, internal telephone books and online accessible maps identifying locations of confidential information processing facilities readily available to any unauthorized person.

Some steps companies can take to secure office rooms and facilities:

  • A physical security perimeter – such as walls, card controlled entry gates or manned reception security desks
  • Physical entry controls – adequate and appropriate entry controls to ensure only authorized personnel are allowed access
  • Secure offices, rooms and facilities – physical corporate security solutions designed and applied
  • Protection against external and environmental threats – physical protection against fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disasters
  • Secure area protection – physical corporate security solutions designed and applied for secure areas
  • Physical security for public access, delivery and loading areas – access points where unauthorized persons may enter controlled and, if possible, isolated from information processing facilities to avoid unauthorized access
  • The walls, ceilings and floor of any secure area should be of the same strength. If someone can access a secure area via, say, a false ceiling you will be non-compliant.
  • The most sensitive assets should be stored in the most secure areas. Using the “onion technique”, each perimeter “layer” should house progressively more sensitive assets.
  • Ban mobile phone and camera use in secure areas.
  • Prohibit lone working in secure areas.
  • Don’t co-store other assets (such as paper, non-IT equipment or anything else) in secure areas.
  • Ensure delivery and loading areas don’t give direct access to secure areas.
  • Install a welcome desk where all visitors are required to report first.
  • Have security guards challenge unknown persons.
  • Monitor spaces around the perimeter with CCTV or security patrols.

ISO 27001:2022 A 7.2 Physical entry

Entry controls and access points are a crucial part of any building’s security system. They’re what makes it possible for you to get in and out of your building without compromising its safety, and they can also prevent unauthorized or unwanted people from entering. Entry controls are the devices that allow you access into a building through doors or gates, such as keypads, card readers, biometric scanners and fobs. They can also include other features such as locking mechanisms for doors and gates, as well as turnstiles or revolving doors. An access point is an electronic device that provides security in large commercial buildings. It uses radio frequency identification (RFID) technology to track all movement in and out of the facility. The access point transmits data back to headquarters so that security personnel can monitor when someone enters or leaves the facility and which areas they are accessing while they are there. Secure areas need to be protected by appropriate entry controls to ensure only authorised personnel are allowed access. As a very basic example, only those employees who have been given the alarm access code and received a key can access the office. More risk-averse organisations, and/or those with more sensitive information at risk, might go much deeper with policies that include biometrics and scanning solutions too. Entry controls will need to be selected and implemented based on the nature and location of the area being protected, and on the ability to implement such controls if, for example, the location is not owned by the organisation. The processes for granting access through the entry controls need to be robust, tested and monitored, and may also need to be logged and audited. The control of visitors will also be especially important and the related processes should be considered. Extra consideration should be given to access being granted to areas in which sensitive or classified information is being processed or stored.
Areas containing key IT infrastructure equipment in particular need to be protected to a greater extent, with access limited to only those who really need to be there. The auditor will expect to see that appropriate controls are in place and are regularly tested and monitored.

Once you have identified physical security perimeters, you must implement entry controls to govern who can move between secure areas of the premises. The most common example of this will be key codes issued to employees so that they can enter the office, but physical entry controls can take many forms. Organisations should select controls based on the nature and location of the area being protected. As a rule, the strength of the control should reflect the sensitivity of the data being stored. For example, physical records related to day-to-day activities might be protected by a lock and key. By contrast, highly classified data might require multiple security controls, or ones that are less likely to be compromised, such as biometric and scanning solutions. Additionally, organisations might have multiple levels of security within their premises. For example, they might build a barrier at the entrance of the premises to check the credentials of anyone entering the site, followed by separate entrances to the building that require individuals to present a key card.

Control

Secure areas should be protected by appropriate entry controls and access points.

Purpose

To ensure only authorized physical access to the organization’s information and other associated assets occurs.

ISO 27001 Implementation Guidance

General

Access points such as delivery and loading areas and other points where unauthorized persons can enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. The following guidelines should be considered:

  1. restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations;
  2. securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs and sensitive authentication information;
  3. establishing and implementing a process and technical mechanisms for the management of access to areas where information is processed or stored. Authentication mechanisms include the use of access cards, biometrics or two-factor authentication such as an access card and secret PIN. Double security doors should be considered for access to sensitive areas;
  4. setting up a reception area monitored by personnel, or other means to control physical access to the site or building;
  5. inspecting and examining personal belongings of personnel and interested parties upon entry and exit. NOTE Local legislation and regulations can exist regarding the possibility of inspecting personal belongings.
  6. requiring all personnel and interested parties to wear some form of visible identification and to immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification. Easily distinguishable badges should be considered to better identify permanent employees, suppliers and visitors;
  7. granting supplier personnel restricted access to secure areas or information processing facilities only when required. This access should be authorized and monitored;
  8. giving special attention to physical access security in the case of buildings holding assets for multiple organizations;
  9. designing physical security measures so that they can be strengthened when the likelihood of physical incidents increases;
  10. securing other entry points such as emergency exits from unauthorized access;
  11. setting up a key management process to ensure the management of the physical keys or authentication information (e.g. lock codes, combination locks to offices, rooms and facilities such as key cabinets) and to ensure a log book or annual key audit and that access to physical keys or authentication information is controlled.

Visitors

The following guidelines should be considered:
a) authenticating the identity of visitors by an appropriate means;
b) recording the date and time of entry and departure of visitors;
c) only granting access for visitors for specific, authorized purposes and with instructions on the security requirements of the area and on emergency procedures;
d) supervising all visitors, unless an explicit exception is granted.
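The general guidelines above ask for an audit trail of all access, kept in step with the provision, review and revocation of authorizations, and the visitor guidelines ask for supervised, purpose-limited visitor access. The following is an added example (not ISO 27001 text and not the page's own material) of how a defender might replay a badge system's export against the approved authorization register; the export format, register fields, zones, badge IDs and events are all constructed assumptions.

```python
"""Review a physical access audit trail against the authorization register.

Added example, not part of ISO 27001 or this page. It assumes a badge
system that exports one record per *granted* swipe and an authorization
register maintained under the provision / review / revocation process
the guidance describes. Badges, zones, hours and events are constructed.
A granted swipe that the register does not approve means the door
permissions have drifted from what was authorized.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    zone: str                     # door controller zone, e.g. "server_room"
    direction: str                # "in" or "out"
    escort: Optional[str] = None  # escorting employee's badge (visitors only)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    badge: str
    zone: str
    reason: str


# Constructed register: what each badge is *approved* to do.
REGISTER: Dict[str, dict] = {
    "E100": {"type": "employee", "zones": {"lobby", "office", "server_room"},
             "revoked": False, "hours": (time(0, 0), time(23, 59))},
    "E200": {"type": "employee", "zones": {"lobby", "office"},
             "revoked": False, "hours": (time(7, 0), time(20, 0))},
    "E300": {"type": "employee", "zones": {"lobby", "office"},
             "revoked": True, "hours": (time(7, 0), time(20, 0))},
    "V900": {"type": "visitor", "zones": {"lobby"},
             "revoked": False, "hours": (time(8, 0), time(18, 0))},
}


def _escort_ok(escort: Optional[str], zone: str, register: Dict[str, dict]) -> bool:
    """A visitor may enter a zone only with an active employee approved for it."""
    e = register.get(escort) if escort else None
    return bool(e and e["type"] == "employee" and not e["revoked"] and zone in e["zones"])


def review(events: List[Event], register: Dict[str, dict]) -> List[Finding]:
    """Replay granted swipes in time order and report divergences from the register."""
    findings: List[Finding] = []
    inside: Dict[str, Set[str]] = {}   # badge -> zones it is currently inside

    def flag(ev: Event, reason: str) -> None:
        findings.append(Finding(ev.ts, ev.badge, ev.zone, reason))

    for ev in sorted(events, key=lambda e: e.ts):
        entry = register.get(ev.badge)
        if entry is None:
            flag(ev, "unknown badge")           # exists in the door system only
            continue
        if entry["revoked"]:
            flag(ev, "revoked badge used")      # revocation not propagated to doors
        zones = inside.setdefault(ev.badge, set())
        if ev.direction == "out":
            if ev.zone not in zones:
                flag(ev, "exit without matching entry")
            zones.discard(ev.zone)
            continue
        start, end = entry["hours"]             # entry checks from here on
        if not start <= ev.ts.time() <= end:
            flag(ev, "outside permitted hours")
        if ev.zone not in entry["zones"]:
            if entry["type"] == "visitor":
                if ev.escort is None:
                    flag(ev, "visitor unescorted")
                elif not _escort_ok(ev.escort, ev.zone, register):
                    flag(ev, "escort not authorized for zone")
            else:
                flag(ev, "zone not authorized")  # door permissions drifted
        if ev.zone in zones:
            flag(ev, "re-entry without exit (anti-passback)")
        zones.add(ev.zone)
    return findings


def sample_events() -> List[Event]:
    """Constructed one-day export from the (hypothetical) badge system."""
    def d(h: int, m: int) -> datetime:
        return datetime(2024, 3, 4, h, m)
    return [
        Event(d(8, 2), "E100", "lobby", "in"),
        Event(d(8, 3), "E100", "server_room", "in"),
        Event(d(8, 30), "E100", "server_room", "out"),
        Event(d(8, 5), "E200", "lobby", "in"),
        Event(d(9, 0), "E200", "server_room", "in"),                # not approved
        Event(d(9, 10), "V900", "lobby", "in"),
        Event(d(9, 15), "V900", "office", "in", escort="E200"),      # properly escorted
        Event(d(9, 40), "V900", "server_room", "in", escort="E200"), # escort lacks zone
        Event(d(10, 0), "E300", "office", "in"),                     # revoked badge
        Event(d(10, 30), "V900", "office", "out"),
        Event(d(11, 0), "V900", "office", "in"),                     # no escort
        Event(d(12, 0), "E100", "lobby", "in"),                      # never left lobby
        Event(d(13, 0), "X999", "office", "in"),                     # not in register
        Event(d(22, 30), "E200", "office", "in"),                    # after hours
    ]


if __name__ == "__main__":
    for f in review(sample_events(), REGISTER):
        print(f"{f.ts:%H:%M} {f.badge:5} {f.zone:12} {f.reason}")
```

Each finding maps back to a guideline: unknown and revoked badges to the provisioning and revocation process, zone and hours mismatches to the access rights review, escort findings to visitor supervision, and anti-passback to the integrity of the audit trail itself.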

Delivery and loading areas and incoming material

The following guidelines should be considered:

  1. restricting access to delivery and loading areas from outside of the building to identified and authorized personnel
  2. designing the delivery and loading areas so that deliveries can be loaded and unloaded without delivery personnel gaining unauthorized access to other parts of the building;
  3. securing the external doors of delivery and loading areas when doors to restricted areas are opened;
  4. inspecting and examining incoming deliveries for explosives, chemicals or other hazardous materials before they are moved from delivery and loading areas;
  5. registering incoming deliveries in accordance with asset management procedures on entry to the site;
  6. physically segregating incoming and outgoing shipments, where possible;
  7. inspecting incoming deliveries for evidence of tampering on the way. If tampering is discovered, it should be immediately reported to security personnel.

The organization must ensure that only authorized physical access to the organisation’s information and other associated assets occurs. Physical security is of primary importance when protecting the confidentiality, integrity and availability of information assets. This Control is primarily concerned with protecting information and other associated assets from unauthorized access, theft or loss. To this end, appropriate entry controls and access points must be in place so that only authorized individuals can access secure areas. These controls should be designed to provide reasonable assurance that physical access is restricted to authorized persons and that those persons are in fact who they claim to be. This includes locks and keys (both manual and electronic), security guards, monitoring systems and other barriers around entrances and access points. Access control systems such as PIN codes, card keys or biometric devices should also be deployed to control access to sensitive areas of the facility. Visitors should be registered on entry and departure and supervised unless an explicit exception is granted; they should be admitted only for specific, approved purposes and given instructions on the security requirements of the area and on emergency procedures. A suitable method should be used to verify visitors’ identities. Suitable access controls should be introduced to areas where information is handled or stored, such as two-factor authentication using an access card and a PIN. An audit trail of all access records should be maintained and monitored, in a physical logbook or electronically. Employees, contractors and external parties should all wear some form of visible identification and notify security personnel immediately if they encounter unescorted persons or persons without identification. 
Supplier and other external support personnel should be granted only restricted access to secure areas or information processing facilities, and only when required; that access should be authorized and monitored. Access rights to secure areas should be reviewed, updated and revoked periodically and whenever necessary.

Administrative Controls

1) The site and Facility Considerations
All sites should have automated controls in place to protect the physical environment. The first line of defense must be administrative, technical and physical controls; employees should always be the last line of defense, because limiting human interaction with attackers reduces the risk of injury. These controls must be central when applying and sustaining physical security to protect people, IT infrastructure and operations, and they must present attackers with opposition that stops or delays them.

2) Facility Plan
The facility plan uses critical path analysis, a systematic approach that identifies the relationships between processes, operations and applications. For example, a company web server needs internet access, power, climate control, computer hardware and a storage location. Working through such an example identifies the resources that require securing; because the processes, operations and applications are enumerated, the dependencies and interactions that support the business functions can be reduced to the mandatory ones. Critical path analysis is the first stage in securing the IT infrastructure, which includes computers, servers, networking equipment, water, electricity, climate control and buildings. It is important to plan for current and future technologies, such as operating systems or mobile devices, at the same time: current solutions improve and new ones emerge as technologies evolve, so it is necessary to strategize how older legacy systems and new systems will be merged. The integration of old and new systems is called technology convergence. As technologies change, an organization can end up with multiple systems performing the same function, which creates inefficiencies and risk because it becomes difficult to tell which system performs a particular task. In some cases, such as an e-commerce website, multiple servers are required to run in parallel so that there is no single point of failure. Another example is an intrusion alarm system, fax and phone sharing a single phone line cable: one phone line that several systems connect to is a single point of failure, and if an attacker compromised the line at one location, none of these systems would work. Running separate phone lines to each system lowers the risk of all three losing their connection at the same time. Parties including management, employees and especially safety and security personnel should contribute to the site plan. 
Management should take part in the planning process so that funds are available for the project. Employee safety concerns should be addressed during the creation of the facility plan. Security staff can point out important aspects of physical security, and the security goals of the business and the facility are better supported when their knowledge is used in making the site plan.

3) Site location
Geographical location, price and size are factors to weigh when purchasing a site. Security requirements should always be the primary concern when determining a location, and whether to buy an existing facility or build a new one also needs to be considered. Site physical security requires situational awareness: looting, riots, vandalism and break-ins can occur. Other things to consider before selecting a site are visibility, including the terrain around the building, facility markings, signs, neighbors and the surrounding population. Accessibility to the site is also important: road access, traffic, and distance to train stations, freeways and airports. Facilities exposed to these risks should be avoided. Geographical areas prone to natural disasters are not ideal site locations; such threats cannot be eliminated because natural disasters are not predictable, so the IT staff, emergency personnel, management and disaster recovery team must be prepared and equipped to handle them. The disaster recovery plan, contained within the business continuity plan, is the overarching plan that lists the details necessary to recover from a disaster.

4) Securing Data
Data centers and server rooms that house IT or communications equipment must be off-limits to unauthorized individuals. These rooms have to be locked down to prevent attacks, and access should be limited to those employees whose job duties require it. The less hospitable these rooms are to people, the less likely attacks are to be executed: oxygen displacement, extremely dim lighting, cold temperatures and cramped spaces that are hard to maneuver in are all methods of creating a human-inhospitable environment. These rooms store mission-critical equipment and should be located in the core of the facility, not in the basement or on the ground or top floors.

Physical Controls

Facilities need physical access controls that control, monitor and manage access. Building sections should be categorized as restricted, private or public, and different access control levels are needed to restrict the zones each employee may enter depending on their role. Many mechanisms exist to control and isolate access privileges at facilities; they are intended to discourage and detect access by unauthorized individuals.

1)Perimeter Security
Man traps, gates, fences and turnstiles are used outside the facility to create an additional layer of security before the building is reached. Fences mark clear boundaries between protected and public areas. The materials used for fences vary in type and strength; the protected assets dictate the necessary security level of the fence. Types of fences include electrically charged fences, barbed wire, fences with heat, motion or laser detection, concrete barriers, and painted stripes on the ground. Gates are the entry and exit points through a fence. To be an effective deterrent, a gate must offer protection equal to the fence; otherwise malicious people can circumvent the fence and use the gate as the point of intrusion. Gates should be built with hardened hinges, locking mechanisms and closing devices, and should be limited in number so that the resources needed to secure them are consolidated. Dogs or surveillance cameras should monitor gates when guards are not present. Turnstiles are a type of gate that admits only one person at a time; they must provide the same level of protection as the fence they are connected to. Turnstiles rotate in one direction like a revolving door and allow one individual to enter or leave the premises at a time. Man traps are small rooms that prevent tailgating: the design allows only one person to enter at a time, and the idea is to hold the person seeking access by locking them inside until their identity is confirmed. If the individual has permission to enter, the inner door opens to allow entry. This control delays unauthorized people from entering the facility until security or police officers arrive.

2)Badges
Proof of identity is necessary to verify whether a person is an employee or a visitor. It comes in the form of name tags, badges and identification (ID) cards. Badges can also be smart cards that integrate with access control systems. Photographs, RFID tags, magnetic stripes, computer chips and employee information are frequently included to help security validate the holder.

3) Motion Detectors
Motion detectors offer different technology options depending on necessity. They are used as intrusion detection devices and work in combination with alarm systems. Infrared motion detectors observe changes in infrared light patterns. Heat-based motion detectors sense changes in heat levels. Wave pattern motion detectors use ultrasonic or microwave frequencies that monitor changes in reflected patterns. Capacitance motion detectors monitor for changes in electrical or magnetic fields. Photoelectric motion detectors look for changes in light and are used in rooms that have little to no light. Passive audio motion detectors listen for unusual sounds.

4) Intrusion Alarms
Alarms monitor various sensors and detectors: door and window contacts, glass-break detectors, motion detectors, water sensors and so on. A status change in a device triggers the alarm; in hardwired systems the alarm panel notices the change because the device opens or shorts its supervised circuit. Types of alarms are deterrent, repellant and notification. Deterrent alarms attempt to make it more difficult for attackers to reach major resources by closing doors and activating locks. Repellant alarms use loud sirens and bright lights in an attempt to force attackers off the site. Notification alarms send alarm signals via dial-up modem, internet connection or GSM (cellular) link. The siren output may be silent or audible, depending on whether the organization is trying to catch criminals in the act.

Technical Controls

The main focus of technical controls is access control, because it is one of the most frequently compromised areas of security. Smart cards are a technical control that can grant physical access to a building or secured room and also provide secure logon to company networks and computers. Multiple overlapping layers of defense are needed to keep attackers from gaining direct access to company resources. Intrusion detection systems are essential technical controls because they detect an intrusion; detection is a must because it makes the security event known, and awareness of the event allows the organization to respond and contain the incident. Audit trails and access logs must be continually monitored: they enable the organization to locate where breaches are occurring and how often, and this information helps the security team reduce vulnerabilities.

1) Smart Cards
Token cards have microchips and integrated circuits built in that process data, which allows the smart card to take part in two-factor authentication. This authentication control helps keep unauthorized attackers or employees out of rooms they are not permitted to enter. Employee information is stored on the chip to help identify and authenticate the person. Two-factor authentication also protects computers, servers and data centers from unauthorized individuals: access is not granted with possession of the card alone; a biometric (something you are) or a PIN or password (something you know) must also be presented to unlock the card and authenticate the user. Access token smart cards come in two types, contact and contactless. Contact smart cards have a contact plate on the front of the card for data transfer; when the card is inserted, contacts in the reader touch the chip’s contact points, which powers the chip and enables communication with the host device. Contactless smart cards use an antenna that communicates by electromagnetic waves; the electromagnetic field provides power for the smart card and carries the communication with the card reader. Access token cards are often thought to be impervious to tampering; however, they are not hacker-proof. Security is provided by the complexity of the smart token: the chip allows itself to be read only after the correct PIN is entered, encryption keeps malicious people from acquiring the data stored in the microchip, and smart cards can erase stored data if the card detects tampering. Cost is a disadvantage of smart card technology: it is expensive to produce and purchase cards and readers. Smart cards are essentially small computers and carry the same risks. As technology evolves, storage capacity and the ability to isolate “security-critical computations” inside the smart card increase. 
Smart cards can store keys used with encryption systems, which strengthens security. The self-contained circuits and storage allow the card to run encryption algorithms, which permits protected authorization that can be applied enterprise-wide.

2) Proximity Readers and RFID
Access control systems use proximity readers to scan cards and determine whether the holder is authorized to enter the facility or area. The system evaluates the permissions stored on the chip, which are sent by radio frequency identification (RFID). This technology uses transmitters (for sending) and transponders (for receiving and replying). In physical access control, proximity readers are used with access control cards that contain passive tags. Passive tags are powered by the reader through the electromagnetic field it generates; when a card is presented, its signal is sent to the reader, and the door unlocks once the signal is received and verified. Active tags contain a built-in battery that powers the RFID tag, allowing them to transmit over a greater distance than passive tags. However, their cost is significantly higher and their life is limited by the battery. Active tags are typically used to track high-value items: readers connected to the network and detection systems can track movements and locate items, and if an asset is removed from a given area, the access control system can trigger an alarm.

3) Intrusion Detection, Guards and CCTV
Intrusion detection systems (IDSs) can monitor for and notify of unauthorized entries, including equipment being relocated without approval. IDSs are essential to security because they can send a warning if a specific event occurs or if access is attempted at an unusual time. Guards are a significant part of an intrusion detection programme because they are more adaptable than other security measures. Security officers may be fixed at one location or make rounds patrolling the campus; while making rounds, guards can verify that doors and windows are locked and vaults are protected. Guards may be responsible for watching IDSs and CCTV and can react to suspicious activity, calling for backup or local police to help apprehend a suspect if necessary. Closed-circuit television (CCTV) or surveillance systems use cameras and recording equipment to provide visual monitoring. In areas that cameras monitor, having enough light in the right places is essential: without it, the scene may be too dim for the camera to capture video of the quality needed to identify or prosecute persons of interest. Cameras can have a fixed lens (not adjustable) or a zoom lens (adjustable). When monitoring something stationary, use the fixed lens appropriate to the distance and width being monitored; fixed lenses are available in narrow and wide-angle types. A zoom lens is recommended when viewing a target that may need an enlarged view. Another type of camera is the pan, tilt, zoom (PTZ) camera: dome-style cameras that can move in all directions as well as zoom in. PTZ cameras with auto-tracking are best for following suspects because the camera automatically detects and follows a moving target, by mechanical or software means. Cameras that use software analytics can change targets and can filter out stationary images, saving bandwidth and storage.

4) Auditing Physical Access
Auditing physical access control systems requires logs and audit trails that show where and when a person gained unauthorized entry to the facility or attempted to break in. The software and auditing tools are detective, not preventive, controls. Consistent monitoring of audit trails and access logs is needed so that the organization can act swiftly; the system has no value if the organization does not respond or responds too slowly. Management needs to know when incidents occur so that it can make security decisions, such as adding resources to particular areas or at certain times. Access logs and audit trails must record the date and time of each event, capture all failed access attempts, and identify the person (badge holder and associated employee information) and the location where entry was attempted.
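The review described above is only useful if someone actually runs it against the log. The following added example (not from the original page or from any vendor's access-control product) does that over a few constructed access-log lines. The log format, the badge roster, the restricted-door list and the thresholds are all assumptions made for the example; a real deployment would parse whatever its own controller emits and load the roster from the HR or badge system. It flags four things a reviewer would want: a burst of denials by one badge at one door, a grant at a door the holder is not authorized for (a likely misconfiguration), an entry to a restricted area outside working hours, and a grant to a badge that is not on the roster.

```python
"""Review a physical access-control log for events that warrant follow-up.

Added example, not from the original page. Log format, roster, restricted
doors and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 timestamp, badge id, door id, result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"badge=(?P<badge>\S+) door=(?P<door>\S+) result=(?P<result>GRANTED|DENIED)$"
)

# Constructed roster: badge -> (holder, set of doors the holder may open).
ROSTER = {
    "E1042": ("A. Example", {"LOBBY", "OFFICE-2"}),
    "E2077": ("B. Example", {"LOBBY", "OFFICE-2", "DC-01"}),
}
RESTRICTED_DOORS = {"DC-01"}   # secure areas whose entries are reviewed
WORK_START, WORK_END = 7, 19   # hours during which DC-01 entry is routine


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on anything unexpected."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def audit(lines, threshold=3, window=timedelta(minutes=5)):
    """Return a list of (kind, badge, door, timestamp, detail) findings, in time order."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    recent_denials = defaultdict(deque)  # (badge, door) -> timestamps of recent DENIED events

    for e in events:
        badge, door, ts = e["badge"], e["door"], e["ts"]
        holder = ROSTER.get(badge)

        if holder is None:
            findings.append(("unknown-badge", badge, door, ts, "badge not in roster"))

        if e["result"] == "DENIED":
            q = recent_denials[(badge, door)]
            q.append(ts)
            while ts - q[0] > window:      # drop denials older than the window
                q.popleft()
            if len(q) == threshold:        # fires once per burst, not on every later denial
                findings.append(("repeated-denials", badge, door, ts,
                                 f"{threshold} denials since {q[0].isoformat()}"))
            continue

        # GRANTED from here on
        if holder is not None and door not in holder[1]:
            findings.append(("grant-outside-authorization", badge, door, ts,
                             f"{holder[0]} is not authorized for {door}"))
        if door in RESTRICTED_DOORS and not (WORK_START <= ts.hour < WORK_END):
            findings.append(("after-hours-entry", badge, door, ts,
                             "entry to restricted area outside working hours"))
    return findings


# Constructed sample log lines (deliberately out of order; audit() sorts them).
SAMPLE_LOG = [
    "2024-03-11T08:02:15 badge=E1042 door=LOBBY result=GRANTED",
    "2024-03-11T08:03:40 badge=E2077 door=DC-01 result=GRANTED",
    "2024-03-11T02:10:01 badge=E1042 door=DC-01 result=DENIED",
    "2024-03-11T02:10:20 badge=E1042 door=DC-01 result=DENIED",
    "2024-03-11T02:11:05 badge=E1042 door=DC-01 result=DENIED",
    "2024-03-11T22:45:00 badge=E2077 door=DC-01 result=GRANTED",
    "2024-03-11T22:46:30 badge=X9999 door=LOBBY result=GRANTED",
    "2024-03-11T12:00:00 badge=E1042 door=DC-01 result=GRANTED",
]

if __name__ == "__main__":
    for kind, badge, door, ts, detail in audit(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:28} badge={badge} door={door} {detail}")
```

On the sample log this yields four findings: the three night-time denials by E1042 at DC-01, the noon grant to E1042 at a door the roster does not authorize, E2077's 22:45 entry to DC-01, and the unknown badge X9999. The "grant-outside-authorization" case is the one most often missed in manual review, because the controller reports it as a normal success; it usually means the controller's door permissions have drifted from the roster of record.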

Access points such as delivery and loading areas, and other points where unauthorised persons could enter the premises, shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access. For some organisations, delivery/loading areas are either not available or not controlled by the organisation (e.g. shared office accommodation). However, where the organisation can control or influence these areas, it is important that risks are identified and assessed and appropriate controls implemented. The auditor will inspect the delivery and loading protection to check that there are appropriate controls over incoming materials (e.g. deliveries) and over outgoing materials (e.g. for information leakage prevention). The level of assurance the auditor looks for, relative to the assessed risk, will depend on the availability and ownership of such facilities. All access points should be fully controlled where necessary, and the information stored within the building should be secured and treated as a legal responsibility. Examples of these controls include:

  • docks located away from the main office building;
  • extra guarding, and CCTV monitoring and recording; and
  • procedures to prevent external and internal doors being open at the same time.

ISO 27001:2022 A 7.1 Physical security perimeters

Physical perimeter security can be defined as the systems and technologies that protect people and assets within a facility and its grounds by blocking unauthorized physical intrusion across the perimeter. Achieving effective perimeter security requires creating layers that defend against and deter potential attackers. The term physical security refers to measures taken to protect systems, buildings and related supporting infrastructure against threats associated with their physical environment. Physical security perimeters identify the physical boundaries of a building or area and control access to it. They may include fences, walls, gates and other barriers that prevent unauthorized access by people or vehicles. In addition to physical barriers, electronic surveillance equipment such as closed-circuit television cameras can be used to monitor activity outside the facility. Physical security perimeters provide a first line of defense against intruders who might otherwise reach computer systems, network cabling or wireless access points in person; they are used in conjunction with other information security controls such as identity management, access control and intrusion detection systems. The organisation must establish secure areas that protect valuable information and information assets so that only authorized people can access them. The extent of these measures is also related to the organisation’s risk assessment and risk appetite.

The best, most viable physical security strategies make use of both technology and specialized hardware to achieve their safety goals. You will need to protect your assets from intruders, internal threats, cyber attacks, accidents and natural disasters, which in turn requires a mix of technology and in-person monitoring, with careful planning and placement of security staff and other measures. For your preventive measures and countermeasures to be effective, you also need to define a security perimeter, the size and scope of which may vary depending on your specific needs and the possible threats to your facility. Physical security bundles many needs together, so consider your space as a whole, not as separate parts.

Control

Security perimeters should be defined and used to protect areas that contain information and other associated assets.

Purpose

To prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets.

ISO 27002 Implementation Guidance

The following guidelines should be considered and implemented where appropriate for physical security perimeters:

  1. defining security perimeters and the siting and strength of each of the perimeters in accordance with the information security requirements related to the assets within the perimeter;
  2. having physically sound perimeters for a building or site containing information processing facilities (i.e. there should be no gaps in the perimeter or areas where a break-in can easily occur). The exterior roofs, walls, ceilings and flooring of the site should be of solid construction and all external doors should be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks). Doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level; ventilation points should also be considered;
  3. alarming, monitoring and testing all fire doors on a security perimeter in conjunction with the walls to establish the required level of resistance in accordance with suitable standards. They should operate in a fail safe manner.

Other information

Physical protection can be achieved by creating one or more physical barriers around the organization’s premises and information processing facilities. A secure area can be a lockable office or several rooms surrounded by a continuous internal physical security barrier. Additional barriers and perimeters to control physical access can be necessary between areas with different security requirements inside the security perimeter. The organization should consider having physical security measures that can be strengthened during increased threat situations.

Physical security manages and protects resources through administrative, technical and physical controls. Access control systems, intrusion detection systems and auditing systems are examples of technical controls. Examples of administrative controls are site location, facility design, building construction, emergency response and employee controls. Examples of physical controls include the choice of building materials, perimeter security such as fencing and locks, and guards. Deterrence, denial, detection and delay are the functions these controls serve in securing the environment. Attempts to reach physical resources should be deterred by fences, gates and guards around the perimeter. Locked doors and vaults protect physical assets through denial. Physical intrusion detection systems (IDS) and alarms are the next line of defense and notify first responders if a breach is detected. If attackers reach their target, measures such as a cable lock on a computer must delay them from acquiring the asset until guards or police arrive.

An organisation must demonstrate that it has adequate physical security perimeters in place to prevent unauthorized physical access to information and other associated assets. This includes preventing:

  • Unauthorized entry to buildings, rooms or areas containing information assets;
  • Unauthorized removal of assets from premises;
  • Unauthorized use of assets on premises (e.g., computers and computer related devices); and
  • Unauthorized access to electronic communications equipment such as telephones, fax machines and computer terminals (e.g., unauthorized tampering).

Physical security perimeters can be implemented through the following two categories:

  • Physical access control: Provides controls over the entry into facilities and buildings, as well as the movement within them. These controls include locking doors, using alarms on doors, using fences or barriers around facilities, etc.
  • Hardware security: Provides controls over the physical equipment an organisation uses to process data (e.g., computers, printers and scanners) that may hold sensitive information.

Implementing this control may also cover the unauthorized use of facility space, equipment and supplies in order to protect information and other associated assets, such as confidential documents, records and equipment. The implementation guidance listed above applies.

Physical and environmental safeguards are often overlooked but are very important in protecting information. Over past decades physical security has become increasingly difficult for organizations: technology and computing environments now allow more compromises to occur because they expose more vulnerabilities. USB drives, laptops, tablets and smartphones allow information to be lost or stolen because of their portability and mobile access. In the early days of computing, mainframe computers were used by only a few people and were secured in locked rooms; today, desks are filled with desktop computers and mobile laptops that have access to company data from across the enterprise. Protecting data, networks and systems has become harder when mobile users can take their computers out of the facility. Fraud, vandalism, sabotage, accidents and theft are increasing costs for organizations as environments become more “complex and dynamic”. Physical security becomes tougher to manage as technology grows in complexity and more vulnerabilities are exposed. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers and portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood and temperature extremes. Physical and environmental security programs define the measures or controls that protect organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures. 
Physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality.

  1. Determine which managers are responsible for planning, funding, and operations of the physical security of the Data Center.
  2. Review best practices and standards that can assist with evaluating physical security controls.
  3. Establish a baseline by conducting a physical security controls gap assessment that will include the following as they relate to your campus Data Center:
    • Environmental Controls
    • Natural Disaster Controls
    • Supporting Utility Controls
    • Physical Protection and Access Controls
    • System Reliability
    • Physical Security Awareness and Training
    • Contingency Plans
  4. Determine whether an appropriate investment in physical security equipment (alarms, locks or other physical access controls, identification badges for high-security areas, etc.) has been made and if these controls have been tested and function correctly.
  5. Provide responsible managers guidance in handling risks. For example, if the current investment in physical security controls is inadequate, this may allow unauthorized access to servers and network equipment. Inadequate funding for key positions with responsibility for IT physical security may result in poor monitoring, poor compliance with policies and standards, and overall poor physical security.
  6. Maintain a secure repository of physical and environmental security controls and policies and establish timelines for their evaluation, update, and modification.
  7. Create a team of physical security auditors, outside of the management staff, to periodically assess the effectiveness of the measures taken and provide feedback on their usefulness and functionality.

ISO 27001:2022 A 8.24 Use of cryptography

Cryptography is a science that applies complex mathematics and logic to design strong encryption methods. Achieving strong encryption, the hiding of data’s meaning, also requires intuitive leaps that allow the creative application of known or new methods, so cryptography is also an art. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage. It is the practice of hiding information so that unauthorized persons can’t read it. The literal meaning of cryptography is “hidden writing”: how to make what you write obscure, unintelligible to everyone except those you want to communicate with. When information is transmitted between networks and devices, cyber attackers may use various techniques to steal sensitive information during transit, tamper with the content of the information, impersonate the sender/recipient to gain unauthorized access to information, or intercept the transfer of information. For example, cyber criminals may use the man-in-the-middle (MITM) attack technique, intercept the transmission of data and impersonate the server to persuade the sender to disclose his/her login credentials to the false server. They can then use these credentials to gain access to systems and compromise sensitive information. The use of cryptography such as encryption can be effective in protecting the confidentiality, integrity, and availability of information assets when they are in transit. Furthermore, cryptographic techniques can also maintain the security of information assets when they are at rest. This Control addresses how organisations can establish and implement rules and procedures for the use of cryptography.

Cryptography can be used to achieve several goals for information security, including confidentiality, integrity, and authentication.

  • Confidentiality: First, cryptography protects the confidentiality (or secrecy) of information. Even when the transmission or storage medium has been compromised, the encrypted information is practically useless to unauthorized persons without the proper keys for decryption.
  • Integrity: Cryptography can also be used to ensure integrity (or accuracy) of information through the use of hashing algorithms and message digests.
  • Authentication: Finally, cryptography can be used for authentication (and non-repudiation) services through digital signatures, digital certificates, or a Public Key Infrastructure (PKI).

The core principles of information security are confidentiality, integrity, authentication, non-repudiation and availability.

  1. Authentication
    Authentication is any process by which you verify that someone is who he claims he is. This usually involves a username and a password but can include any other method of demonstrating identities, such as a smart card, retina scan, voice recognition, or fingerprints.
  2. Confidentiality
    Confidentiality means that only people with the right permission can access and use information. It also means protecting it from unauthorized access at all stages of its life cycle. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds. Encryption is one way to make sure that information remains confidential while it’s stored and transmitted. Encryption converts information into code that makes it unreadable. Only people authorized to view the information can decode and use it.
  3. Integrity
    Integrity means that information systems and their data are accurate. Integrity ensures that changes can’t be made to data without appropriate permission. If a system has integrity, it means that the data in the system is moved and processed in predictable ways. The data doesn’t change when it’s processed.
  4. Non-repudiation
    Non-repudiation means ensuring that a transferred message has been sent and received by the parties claiming to have sent and received it. It is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received it.
  5. Availability
    Availability is the security goal of making sure information systems are reliable and that data is accessible. It also helps to ensure that individuals with proper permission can use systems and retrieve data in a dependable and timely manner.

PUBLIC KEY ENCRYPTION

Public key encryption refers to a type of cipher architecture known as public-key cryptography that utilizes two keys, or a key pair, to encrypt and decrypt data. One of the two keys is a public key, which anyone can use to encrypt a message for the owner of that key. The encrypted message is sent and the recipient uses the private key to decrypt it. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is sometimes called Diffie-Hellman encryption. It is also called asymmetric encryption because it uses two keys instead of the single key of symmetric encryption. A more recent research focus is the cryptographic primitive named signcryption, which combines the digital signature and public key encryption in a single logical step. Its most important advantage is cost: it is cheaper than performing a digital signature and an encryption separately. This scheme was invented by Yuliang Zheng. Public key cryptography is used to solve various problems that symmetric key algorithms cannot. In particular, it can be used to provide privacy and non-repudiation. Privacy is usually provided through key distribution and a symmetric key cipher; this is known as hybrid encryption. Non-repudiation is usually provided through digital signatures and a hash function.
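The hybrid scheme and the signature-over-a-hash construction described above, written out as an added Go example using only the standard library (this is not code from the page or from ISO 27002): a random AES-256-GCM key encrypts the data, RSA-OAEP wraps that key to the recipient's public key, and an RSA-PSS signature over a SHA-256 digest of the whole envelope lets the recipient check who sent it. The Envelope type, the Seal and Open names and the sample message are constructed for this illustration. Note the order inside Open: the signature is verified before anything is decrypted, and it is the signature (or a keyed MAC) over the hash, not the hash by itself, that protects integrity against a deliberate modifier.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the untrusted channel (constructed format for this example).
type Envelope struct {
	WrappedKey []byte // fresh AES-256 key, encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS signature by the sender over SHA-256(WrappedKey || Nonce || Ciphertext)
}

// GenerateKeyPairs makes a 2048-bit RSA key pair each for sender and recipient.
func GenerateKeyPairs() (sender, recipient *rsa.PrivateKey, err error) {
	if sender, err = rsa.GenerateKey(rand.Reader, 2048); err == nil {
		recipient, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	return sender, recipient, err
}

// digest hashes every envelope field together, so swapping any one field breaks the signature.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is hybrid encryption plus a signature: the symmetric key does the bulk work, the
// recipient's public key protects that key, and the sender's private key signs the result.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	// 32-byte AES-256 key followed by the 12-byte standard GCM nonce, all from the OS CSPRNG,
	// so every key in the keyspace is equally likely.
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open checks the signature before touching the ciphertext, then unwraps the symmetric
// key and decrypts. Any alteration of the envelope fails at one of these checks.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	d := digest(env.WrappedKey, env.Nonce, env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, d, env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid (altered, or not from the claimed sender): %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (not encrypted to this recipient): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the GCM tag does not verify
}

func main() {
	sender, recipient, err := GenerateKeyPairs()
	if err != nil {
		panic(err)
	}
	env, _ := Seal([]byte("constructed sample: Q3 payroll export"), &recipient.PublicKey, sender)
	pt, err := Open(env, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate alteration in transit
	_, err = Open(env, recipient, &sender.PublicKey)
	fmt.Println("after alteration:", err)
}
```

The recipient needs the sender's public key to verify, and the sender needs the recipient's public key to encrypt; how those public keys are authenticated (certificates, or a manual process for a small number of keys) is exactly the key-management question the guidance below raises.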

Control

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

Purpose

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

ISO 27002 Implementation Guidance

General

When using cryptography, the following should be considered:
a) the topic-specific policy on cryptography defined by the organization, including the general principles for the protection of information. A topic-specific policy on the use of cryptography is necessary to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use;
b) identifying the required level of protection and the classification of the information and consequently establishing the type, strength and quality of the cryptographic algorithms required;
c) the use of cryptography for protection of information held on mobile user endpoint devices or storage media and transmitted over networks to such devices or storage media;
d) the approach to key management, including methods to deal with the generation and protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
e) roles and responsibilities for:

  1. the implementation of the rules for the effective use of cryptography;
  2. the key management, including key generation;

f) the standards to be adopted, as well as cryptographic algorithms, cipher strength, cryptographic solutions and usage practices that are approved or required for use in the organization;
g) the impact of using encrypted information on controls that rely on content inspection (e.g. malware detection or content filtering).
When implementing the organization’s rules for effective use of cryptography, the regulations and national restrictions that can apply to the use of cryptographic techniques in different parts of the world should be taken into consideration as well as the issues of trans-border flow of encrypted information.
The contents of service level agreements or contracts with external suppliers of cryptographic services (e.g. with a certification authority) should cover issues of liability, reliability of services and response times for the provision of services.

Key management

Appropriate key management requires secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys. A key management system should be based on an agreed set of standards, procedures and secure methods for:
a) generating keys for different cryptographic systems and different applications;
b) issuing and obtaining public key certificates;
c) distributing keys to intended entities, including how to activate keys when received;
d) storing keys, including how authorized users obtain access to keys;
e) changing or updating keys including rules on when to change keys and how this will be done;
f) dealing with compromised keys;
g) revoking keys including how to withdraw or deactivate keys [e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived)];
h) recovering keys that are lost or corrupted;
i) backing up or archiving keys;
j) destroying keys;
k) logging and auditing of key management related activities;
l) setting activation and deactivation dates for keys so that the keys can only be used for the period of time according to the organization’s rules on key management;
m) handling legal requests for access to cryptographic keys (e.g. encrypted information can be required to be made available in an unencrypted form as evidence in a court case).
All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorized use as well as disclosure. Equipment used to generate, store and archive keys should be physically protected. In addition to integrity, for many use cases, the authenticity of public keys should also be considered.
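Several of the lifecycle items above, in particular c) activation on receipt, g) revocation with archiving, k) logging and l) activation and deactivation dates, can be enforced in code rather than by procedure alone. The Go registry below is an added example, not code from this page or from ISO 27002; the KeyState values, the Registry type and the sample key id are constructed for the illustration, and the key material itself is assumed to live elsewhere (an HSM or key vault), with this registry holding only metadata and the audit trail.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KeyState is the key's position in the lifecycle the guidance describes.
type KeyState int

const (
	Active      KeyState = iota + 1 // registered; usable only inside its validity window
	Deactivated                     // expiry reached; retained so old data can still be decrypted
	Compromised                     // revoked after suspected disclosure; never reactivated
	Archived                        // withdrawn for another reason (e.g. owner left) but retained for recovery
)

// KeyRecord is the metadata kept per key; the key material itself belongs in an HSM
// or similar protected store and is deliberately not part of this record.
type KeyRecord struct {
	ID, Purpose        string
	Activation, Expiry time.Time // item l): usable only inside [Activation, Expiry)
	State              KeyState
}

// Registry holds the records and the audit trail required by item k).
type Registry struct {
	keys map[string]*KeyRecord
	Log  []string // one line per key-management action
}

func NewRegistry() *Registry { return &Registry{keys: map[string]*KeyRecord{}} }

func (r *Registry) log(at time.Time, id, action, reason string) {
	r.Log = append(r.Log, fmt.Sprintf("%s key=%s action=%s reason=%q", at.Format(time.RFC3339), id, action, reason))
}

func (r *Registry) get(id string) (*KeyRecord, error) {
	if k, ok := r.keys[id]; ok {
		return k, nil
	}
	return nil, errors.New("unknown key id")
}

// Register records a newly generated key (item a) with its validity window (item l).
func (r *Registry) Register(now time.Time, id, purpose string, activation, expiry time.Time) error {
	if _, dup := r.keys[id]; dup || !expiry.After(activation) {
		return errors.New("duplicate key id, or expiry not after activation")
	}
	r.keys[id] = &KeyRecord{ID: id, Purpose: purpose, Activation: activation, Expiry: expiry, State: Active}
	r.log(now, id, "register", purpose)
	return nil
}

// Revoke implements item g): a compromised key becomes Compromised, a key withdrawn
// for any other reason becomes Archived. Neither path deletes anything.
func (r *Registry) Revoke(now time.Time, id, reason string, compromised bool) error {
	k, err := r.get(id)
	if err != nil {
		return err
	}
	k.State = Archived
	if compromised {
		k.State = Compromised
	}
	r.log(now, id, "revoke", reason)
	return nil
}

// Usable is the check an application makes before each use. Reaching the expiry
// date deactivates the key automatically and records that in the log.
func (r *Registry) Usable(now time.Time, id string) (bool, error) {
	k, err := r.get(id)
	if err != nil {
		return false, err
	}
	if k.State == Active && !now.Before(k.Expiry) {
		k.State = Deactivated
		r.log(now, id, "deactivate", "expiry date reached")
	}
	return k.State == Active && !now.Before(k.Activation), nil
}

func main() {
	now := time.Now()
	r := NewRegistry()
	_ = r.Register(now, "constructed-key-01", "backup-encryption", now, now.AddDate(1, 0, 0))
	ok, _ := r.Usable(now.AddDate(2, 0, 0), "constructed-key-01")
	fmt.Println("usable two years on:", ok)
	for _, line := range r.Log {
		fmt.Println(line)
	}
}
```

Revocation never deletes a record: a compromised key must stay listed so it can never be reactivated, and an archived key must stay recoverable for data encrypted under it, which is why destruction is a separate, later decision with its own audit entry.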

Other information

The authenticity of public keys is usually addressed by public key management processes using certificate authorities and public key certificates, but it is also possible to address it by other means, such as manual processes for a small number of keys. Cryptography can be used to achieve different information security objectives, for example:
a) confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted;
b) integrity or authenticity: using digital signatures or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information. Using algorithms for the purpose of file integrity checking;
c) non-repudiation: using cryptographic techniques to provide evidence of the occurrence or non- occurrence of an event or action;
d) authentication: using cryptographic techniques to authenticate users and other system entities requesting access to or transacting with system users, entities and resources.

When developing a cryptographic policy the following should be considered:

  1. the management approach towards the use of cryptographic controls across the organization, including the general principles under which business information should be protected;
  2. based on a risk assessment, the required level of protection should be identified, taking into account the type, strength and quality of the encryption algorithm required;
  3. the use of encryption for the protection of information transported by mobile or removable media devices or across communication lines;
  4. the approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys;
  5. roles and responsibilities, e.g. who is responsible for:
    1. the implementation of the policy
    2. the key management, including key generation
  6. the standards to be adopted for effective implementation throughout the organization (which solution is used for which business processes);
  7. the impact of using encrypted information on controls that rely upon content inspection (e.g. malware detection).

When implementing the organization’s cryptographic policy, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of the trans-border flow of encrypted information. The information security objectives that cryptographic controls can serve (confidentiality, integrity/authenticity, non-repudiation and authentication) are those listed under Other information above.
Making a decision as to whether a cryptographic solution is appropriate should be seen as part of the wider process of risk assessment and selection of controls. This assessment can then be used to determine whether a cryptographic control is appropriate, what type of control should be applied and for what purpose and business processes. A policy on the use of cryptographic controls is necessary to maximize the benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use. Specialist advice should be sought in selecting appropriate cryptographic controls to meet the information security policy objectives.

In order to implement encryption effectively throughout the organization, start by developing a strategy that incorporates risk management, compliance requirements, data protection, policies, and standards.

  1. Develop Requirement
    1. Asset Management: discusses the need to identify and categorize/classify all your information assets. Understanding/knowing where confidential information resides (ex. SSNs, PII) is a critical component in establishing an encryption strategy.
    2. Access Control: addresses the need to ensure authorized access to information resources. Confidential information needs to be protected throughout its lifecycle (access, process, transmit, store).
    3. Compliance: provides information in relation to various legal and information security requirements that stipulate the need to protect specific types of information. These types of requirements (ex. PCI DSS, HIPAA) discuss the need to encrypt specific types of data (cardholder data, electronically protected health information).
    4. Risk Management: emphasizes the importance of analyzing risks to information. Risk treatment activities may include deploying encryption solutions to protect confidential information.
    5. Information Security Policies: stresses that policies provide the direction organizational leadership wants to take in regards to information security goals and objectives. In order to develop an organizational strategy for encryption that will be widely supported and adopted, it’s necessary to gain the support of organizational leadership.
  2. Seek to protect data at rest and in motion using Full Disk Encryption (FDE) solutions and transport layer encryption protocols.
  3. Ensure that your encryption keys are sufficiently strong and well protected using professional and open-source vetted encryption products.
  4. Use encryption algorithms that are up-to-date and strong. AES 256-bit encryption is the gold standard for FDE. TLS 1.2 is the current gold standard for transport layer security.
  5. Provide a means for organizational staff to process confidential data while it is encrypted. Ensure secure data transfer environments in internal and external communication channels.
  6. Protect encryption keys by using long, complex passwords with proper access rights to the keys. Maintain audit logs of access to encryption keys.
  7. Develop a key management process that automates the process of verifying identity and access rights. Active Directory ensures that only active organizational users can access and authenticate secure resources.

The control lists requirements that organisations should adhere to when using cryptographic techniques:

  1. Organisations should create and maintain a topic-specific policy on the use of cryptography. This policy is essential for maximizing the benefits of cryptographic techniques and it reduces the risks that may arise from the use of cryptography. It is also noted that this policy should cover general principles governing the protection of information.
  2. Organisations should consider the level of sensitivity of the information assets and the information classification level assigned to them when they decide on the type, strength, and quality of the encryption algorithm.
  3. Organisations should implement cryptographic techniques when information is transferred to mobile devices or to storage media equipment or when information is stored on these devices.
  4. Organisations should address issues related to key management, including the creation and protection of cryptographic keys and the recovery plan for encrypted data in the event that keys are lost or compromised.
  5. Organisations should set out the roles and responsibilities for the following:
    • Establishment and implementation of the rules on how the cryptographic techniques will be used.
    • How keys will be handled, including how they will be generated.
  6. The adoption and approval of standards across the organisation for the cryptographic algorithms, cipher strength, and usage practices for cryptography.
  7. Organisations should address how encrypted information may interfere with controls that rely on content inspection, such as malware detection.

Furthermore, organisations should take into account laws and requirements that may restrict the use of cryptography, including the cross-border transfer of encrypted information and address liability and continuity of services when they enter into service agreements with third parties for the provision of cryptographic services.

Encryption is often a computationally intensive process and may degrade the performance of IT applications or infrastructure if not implemented in an optimal way. Be sure to calculate the performance requirements of enterprise services and end-users before implementing encryption methods. Develop an implementation strategy, gather requirements, complete test plans, deploy products according to vetted best practices, and manage the encryption solution on an ongoing basis. When considering cryptographic controls it is often helpful to first consider your organization’s data. This data exists in one of three states: at rest, in transit, or undergoing processing. Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (storing data at rest) are a common target for physical theft, while attackers may intercept data in transit over a network through man-in-the-middle attacks or packet capture and analysis. Unauthorized access may also occur while data is being processed, but here security systems may rely on the processing application to control and report on such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data.

Key Management

The processes underlying all widely accepted ciphers are, and should be, known, allowing extensive testing by all interested parties, not just the originating cryptographer. We tend to test our expectations of how our software creations should work instead of looking for ways they deviate from expected behaviour; our peers do not usually approach our work that way. Consequently, allowing a large number of people to try to break an encryption algorithm is always a good idea, and secret, proprietary ciphers are suspect. A good encryption solution follows Auguste Kerckhoffs’ principle: a cipher must remain secure even if everything about the system except the key is public knowledge.

Managing keys requires three considerations:

  1. Where will you store them?
  2. How will you ensure they are protected but available when needed?
  3. What key strength is adequate for the data protected?

1. Key Storage

Many organizations store key files on the same system, and often the same drive, as the encrypted database or files. While this might seem like a good idea if your key is encrypted, it is bad security. What happens if the system fails and the key is not recoverable? Having usable backups helps, but backup restores do not always work as planned. Regardless of where you keep your key, encrypt it. Of course, now you have to decide where to store the encryption key for the encrypted encryption key. None of this confusion is necessary if you store all keys in a secure, central location. Further, do not rely solely on backups. Consider storing keys in escrow, allowing access by a limited number of employees (“key escrow”). Escrow storage can be a safe deposit box, a trusted third party, etc. Under no circumstances allow any one employee to privately encrypt your keys.

2. Key Protection

Encrypted keys protecting encrypted production data cannot be locked away and only brought out by trusted employees as needed. Rather, keep the keys available but safe. Key access security is, at its most basic level, a function of the strength of your authentication methods. Regardless of how well protected your keys are when not used, authenticated users (including applications) must gain access. Ensure identity verification is strong and aggressively enforce separation of duties, least privilege, and need-to-know.

3. Key Strength

Most, if not all, attacks against your encryption will try to acquire one or more of your keys. Use of weak keys or untested/questionable ciphers might achieve compliance, but it provides your organization, its customers, and its investors with a false sense of security. So what is considered a strong key for a cipher like AES? AES can use 128-, 192-, or 256-bit keys. 128-bit keys are strong enough for most business data if you make them as random as possible. Key strength is measured by key size and an attacker’s ability to step through possible combinations until the right key is found. However you choose your keys, ensure you get as close as possible to a key selection process in which all bit combinations are equally likely to appear in the keyspace (all possible keys).

Key Sharing and Digital Signatures

It is obvious from the sections on keys and algorithms that secrecy of the key is critical to the success of any encryption solution. However, it is often necessary to share encrypted information with outside organizations or individuals. For them to decrypt the ciphertext, they need our key. Transferring a symmetric cipher key is problematic. We have to make sure all recipients have the key and properly secure it. Further, if the key is compromised in some way, it must be quickly retired from use by anyone who has it. Finally, the distribution of the key must be secure.

When to Encrypt

  1. Encrypt data that moves: Data moving from one trust zone to another, whether within your organization or between you and an external network, is at high risk of interception. Encrypt it. Data moving from trusted portions of the network to end-user devices over wireless LANs is almost always at high risk. Encrypt it.
  2. Encrypt for separation of duties when access controls are not granular enough: For flat file storage, encrypting a spreadsheet file in a department share provides an additional layer of separation. Only employees with the right authorization have access. Application access controls protecting databases often do not provide granular control to strictly enforce need-to-know or least privilege. Using database solutions with the field- and row-level encryption capabilities can help strengthen weak application-level access controls.
  3. Encrypt when someone tells you to: And then there are local, state, and federal regulations. Couple regulatory constraints with auditor insistence and you often find yourself encrypting because you have to. This type of encryption is often based on generalizations instead of the existing security context. For example, just because you encrypt protected health information does not mean it is secure enough… but it satisfies HIPAA requirements.
  4. Encrypt when it is a reasonable and appropriate method of reducing risk in a given situation: This law is actually a summary of the previous three. After performing a risk assessment, if you believe the risk is too high because existing controls do not adequately protect sensitive information, encrypt. This applies to risk from attacks or non-compliance.

How to Encrypt

Implementing secure and operationally efficient encryption solutions is not easy, and maintaining them adds to the total cost of ownership (TCO). Further, data is often spread between internal and cloud-based storage. Any solution you select must support all current and future data storage and transport characteristics. One approach is to purchase a system, install it in your data center, and assign in-house staff to manage it. While this might seem like a good idea, the opportunity costs are high. As with most commodity security controls, encryption solutions can be managed by anyone; they do not require the special knowledge of the business possessed by you or other members of the internal security and LAN teams. Your skills are better applied to projects, assessments, and other business-critical activities. Consequently, consider outsourcing encryption and key management. Encryption-as-a-Service (EaaS) vendors provide all the services and protection we discussed, including key management and encryption according to business policy. In addition to encrypting the data center, they can also serve as a third party that ensures all data housed by your other cloud service providers is managed by encryption policies as if it were in your own data center. The EaaS provider does not house your data, only your keys. Your in-house administrator, via a Web interface, configures encryption policies and subject access. Software as a service (SaaS) or storage as a service providers have no access to the data while at rest. Finally, the “cloud” can also mean your own data center. Whether in-house or outsourced, make sure your centralized encryption solution meets the following requirements:

  • Enforcement of your data encryption policies across all relevant data, wherever it is in your network or in the cloud
  • Granular access to policy and key management functions based on the separation of duties and least privilege
  • Publicly known, tested, and unbroken ciphers used for all encryption


If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

ISO 27001:2022 A. 8.5 Secure authentication

Access to systems and applications must be controlled by secure authentication technologies and procedures that prove the identity of the user. This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards and other encryption-based means, chosen according to the risk being considered. Secure authentication should be designed so that it cannot be easily circumvented, and any authentication information should be transmitted and stored encrypted to prevent interception and misuse. Secure authentication is the primary gateway through which human and non-human users pass when attempting to use an organisation’s ICT assets. Over the past decade, authentication technology has undergone a fundamental shift from traditional username/password validation to a variety of complementary techniques involving biometric information, logical and physical access controls, external device authentication, SMS codes and one-time passwords (OTP). Organisations should control access to their ICT systems and assets via a secure login gateway. This is a preventive control that manages risk by implementing technology and establishing topic-specific secure authentication procedures, ensuring that human and non-human users and identities undergo a robust and secure authentication procedure when attempting to access ICT resources.

Control

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

Purpose

To ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted.

ISO 27002 Implementation Guidance

A suitable authentication technique should be chosen to substantiate the claimed identity of a user, software, messages and other entities. The strength of authentication should be appropriate for the classification of the information to be accessed. Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as digital certificates, smart cards, tokens or biometric means, should be used. Authentication information should be accompanied by additional authentication factors for accessing critical information systems (also known as multi-factor authentication). Using a combination of multiple authentication factors, such as what you know, what you have and what you are, reduces the possibility of unauthorized access. Multi-factor authentication can be combined with other techniques to require additional factors under specific circumstances, based on predefined rules and patterns, such as access from an unusual location, from an unusual device or at an unusual time. Biometric authentication information should be invalidated if it is ever compromised. Biometric authentication can be unavailable depending on the conditions of use (e.g. moisture or aging). To prepare for these issues, biometric authentication should be accompanied by at least one alternative authentication technique. The procedure for logging into a system or application should be designed to minimize the risk of unauthorized access. Log-on procedures and technologies should be implemented considering the following:

  1. not displaying sensitive system or application information until the log-on process has been successfully completed in order to avoid providing an unauthorized user with any unnecessary assistance;
  2. displaying a general notice warning that the system or the application or the service should only be accessed by authorized users;
  3. not providing help messages during the log-on procedure that would aid an unauthorized user (e.g. if an error condition arises, the system should not indicate which part of the data is correct or incorrect);
  4. validating the log-on information only on completion of all input data;
  5. protecting against brute force log-on attempts on usernames and passwords [e.g. using completely automated public Turing test to tell computers and humans apart (CAPTCHA), requiring password reset after a predefined number of failed attempts or blocking the user after a maximum number of errors];
  6. logging unsuccessful and successful attempts;
  7. raising a security event if a potential attempted or successful breach of log-on controls is detected (e.g. sending an alert to the user and the organization’s system administrators when a certain number of wrong password attempts has been reached);
  8. displaying or sending the following information on a separate channel on completion of a successful log-on:
    • date and time of the previous successful log-on;
    • details of any unsuccessful log-on attempts since the last successful log-on;
  9. not displaying a password in clear text when it is being entered; in some cases, it can be required to de-activate this functionality in order to facilitate user log-on (e.g. for accessibility reasons or to avoid blocking users because of repeated errors);
  10. not transmitting passwords in clear text over a network to avoid being captured by a network “sniffer” program;
  11. terminating inactive sessions after a defined period of inactivity, especially in high risk locations such as public or external areas outside the organization’s security management or on user endpoint devices;
  12. restricting connection duration times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access.

Other information

Additional information on entity authentication assurance can be found in ISO/IEC 29115.

Organizations should consider authentication controls that are relevant to the type and sensitivity of the data and network that’s being accessed, including:

  • Multi-factor authentication (MFA)
  • Digital certificates
  • Smart access controls (smart cards)
  • Biometric logins
  • Secure tokens

To prevent and/or minimize the risk of unauthorized access to its protected systems, the organization should

  1. Restrict the display of information until after a successful authentication attempt.
  2. Display a warning pre-logon which clearly states that information should only be accessed by authorised users.
  3. Minimise the assistance it provides to unauthenticated users who are attempting to access the system e.g. organisations should not divulge which specific part of a login attempt is incorrect, such as a biometric aspect of an MFA login, and instead simply state that the login attempt has failed.
  4. Validate the login attempt only when all required information has been provided to the login service, to maintain security.
  5. Implement industry-standard security measures that protect against blanket access and/or brute force attacks on login portals. These measures can include:
    • CAPTCHA controls
    • Enforcing a password reset after a set amount of failed login attempts
    • Preventing further login attempts following a predefined number of failed attempts
  6. Record all failed login attempts for auditing and security purposes, including their possible use in criminal and/or regulatory proceedings.
  7. Initiate a security incident whenever a major login discrepancy is detected, such as a perceived intrusion. In these cases, all relevant internal personnel should be notified, particularly those with systems administrator access or any ability to combat malicious login attempts.
  8. Upon validating a login, relay the following information through a separate channel:
    • The date and time of the previous successful logon
    • A list of all login attempts since the last validated logon
  9. Display passwords as asterisks (or similarly abstract symbols), unless there is a pressing need not to do so (e.g. user accessibility).
  10. Strictly prohibit the sharing of or display of passwords as clear, legible text.
  11. Maintain a policy of terminating dormant login sessions after a specific period of time. This is particularly relevant for sessions that are active in high risk locations (remote working environments) or on user-supplied assets such as personal laptops or mobile phones.
  12. Limit the amount of time that an authenticated session can remain open – even when active – relative to the information that is being accessed (e.g. business-critical information or financially sensitive applications).
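The following is an added illustration of the twelve log-on controls listed above (both the ISO/IEC 27002 list and the restatement), not code from the standard or from this page: a small log-on service that returns the same generic failure message whatever went wrong, judges only complete input, logs every attempt, raises a security event and then locks the account after repeated failures, reports the previous successful log-on and the failures since, and terminates sessions on inactivity and total duration. Class names, constants and thresholds are assumptions.

```python
# Added illustration, not from the standard: names and limits are assumptions.
import hashlib
import hmac
import logging
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5           # block the account after this many failures (item 5)
ALERT_THRESHOLD = 3               # raise a security event at this many failures (item 7)
INACTIVITY_TIMEOUT_SECONDS = 900  # terminate idle sessions (item 11)
MAX_SESSION_SECONDS = 8 * 3600    # cap total connection time (item 12)
GENERIC_FAILURE = "Log-on failed"  # never reveal which part was wrong (item 3)
BANNER = "Authorized users only. All activity is logged."  # general notice (item 2)
log = logging.getLogger("logon")


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored verifiers cannot be cheaply brute-forced.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_success: Optional[float] = None
    failures_since_success: List[float] = field(default_factory=list)


@dataclass
class Session:
    username: str
    started: float
    last_activity: float


class LogonService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.security_events: List[str] = []  # stand-in for the SIEM / admin alert channel
        self.clock = clock

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def unlock(self, username: str) -> None:
        # An administrator re-enables an account blocked after repeated failures.
        self.accounts[username].locked = False
        self.accounts[username].failed_attempts = 0

    def _alert(self, message: str) -> None:
        self.security_events.append(message)
        log.warning("SECURITY EVENT: %s", message)

    def _failure(self, username: str, reason: str) -> dict:
        log.info("logon failure user=%s reason=%s", username, reason)  # item 6
        return {"ok": False, "message": GENERIC_FAILURE, "session": None}

    def logon(self, username: str, password: str) -> dict:
        now = self.clock()
        if not username or not password:  # item 4: judge only complete input
            return self._failure(username or "-", "incomplete")
        account = self.accounts.get(username)
        if account is None:
            hash_password(password, b"\x00" * 16)  # same cost as a real check
            return self._failure(username, "unknown-user")
        if account.locked:
            return self._failure(username, "locked")
        if hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
            result = {"ok": True, "banner": BANNER, "session": Session(username, now, now),
                      # item 8: send these on a separate channel, not only on screen
                      "previous_success": account.last_success,
                      "failed_since_last": list(account.failures_since_success)}
            account.failed_attempts, account.failures_since_success = 0, []
            account.last_success = now
            log.info("logon success user=%s", username)  # item 6
            return result
        account.failed_attempts += 1
        account.failures_since_success.append(now)
        if account.failed_attempts == ALERT_THRESHOLD:  # item 7
            self._alert(f"{ALERT_THRESHOLD} consecutive failed log-ons for {username}")
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:  # item 5
            account.locked = True
            self._alert(f"account {username} locked after {MAX_FAILED_ATTEMPTS} failures")
        return self._failure(username, "bad-password")

    def touch_session(self, session: Session) -> bool:
        # Items 11 and 12: returns False when the session must be terminated.
        now = self.clock()
        if now - session.last_activity > INACTIVITY_TIMEOUT_SECONDS:
            return False
        if now - session.started > MAX_SESSION_SECONDS:
            return False
        session.last_activity = now
        return True
```

The `security_events` list stands in for the alert a real deployment would send to the user and the system administrators; the unknown-user branch deliberately performs the same hash work so that timing does not reveal whether the username exists.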

To control privileged access to systems and applications, the organization must implement secure authentication technologies and procedures. To log on to systems and applications, users must first access privileged credentials (held in a credential vault). Organizations can configure the log-on to display a general notice warning that access to the system or application is limited to authorized users. The log-on process can also display information upon completion of a successful log-on, such as the number of failed log-on attempts since the last successful log-on. Organizations can protect against brute-force log-on attacks by limiting repeated access attempts. Users who fail authentication to the vault should be locked out until re-enabled by an administrator, preventing access to privileged credentials. Re-authentication of users or applications can be required based on inactivity or time limits. Privileged session connection times can be restricted to certain times of day, and sessions can be disconnected when a threshold (e.g. 15 minutes) is reached.
Application access can also be protected against brute-force log-on attacks, for example. To perform designated tasks such as processing information in a database, applications must be granted use of privileged accounts. Credentials are typically hard-coded in clear text within applications, making them susceptible to brute-force attacks. For example, to access a database, an application must first be authorized to retrieve the privileged credential from the vault. To gain access to the credential, the application is authenticated using advanced methods based not only on an ID and password but also on specific application characteristics, including the server it resides on, the operating system it uses and a cryptographic “fingerprint”. Organizations can thus ensure that only authorized applications with the appropriate ID and characteristics can access the database. The system can record and monitor all access attempts to privileged credentials. All valid and invalid access attempts using privileged credentials can also be logged, such as an application attempting to connect to a database. To raise security events such as a potential attack on log-on controls, the system can integrate with Security Information and Event Management (SIEM) and event log systems.

Single Sign-On

The Central Authentication Service can be used to securely integrate Web authentication in addition to providing single sign-on capabilities where appropriate. Although having a central authentication system makes account management easier, the exposure of one stolen account is greater when it gives the thief access to multiple systems on the network. Therefore, single sign-on is not necessarily desirable in higher education environments where password theft is a common risk. Less sign-on is ideal – using centralized authentication for most systems but maintaining separate accounts on computer systems that contain particularly sensitive data and require added protection.

Authentication

Authentication is the mechanism to confirm the identity of an entity requesting access to an information resource. Authentication is often a prerequisite to allowing access to an information resource. To be properly authenticated, the entity is required to provide credentials – a unique identifier and a password, passphrase or token. The credentials are compared to the identifying information previously stored on the entity and if the credentials match the stored information, the entity is authenticated.

Most organizations require all members of their communities to have their own unique usernames and passwords to access certain IT resources. In addition, organizations authenticate these individuals before allowing them to connect to the network or the Internet. This approach not only enables the organization to attribute network activities to individual accounts, but it also gives the opportunity to scan systems for vulnerabilities before they connect to the network.

Are a Username and Password Enough for Authentication?

Information security practitioners are increasingly making the case that passwords and password practices are bad and getting worse. Specifically, that usernames and passwords are no longer sufficient to authenticate to information resources containing confidential information. Two-Factor Authentication is the use of an additional factor to minimize the probability of fraudulent authentication.

What Is Two-Factor Authentication?

It is the use of two independent means of evidence (factors) to assert the identity of a user requesting access to some application or service to the organization that provides the application or service. The objective of two-factor authentication, as a method of electronic computer authentication, is to decrease the probability that the requester is not who he/she claims to be (i.e., providing false evidence of his/her identity.) Two-factor authentication is achieved by a combination of any two of the three “Somethings” below:

  1. Something you know
    • Personal Identification Number (PIN)
    • Password
  2. Something you have
    • Smartphone
    • Token
    • ID Badge / Smartcard
  3. Something you are
    • Fingerprint
    • Retinal Scan
    • Voice Pattern
    • Typing Cadence

Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor – something you know. The use of two-factor authentication has been pervasive and ubiquitous for quite a long time already. Any person who has used an ATM to withdraw cash from a bank account has used two-factor authentication – you had to provide something you had (a card) and something you knew (a PIN) in order to complete the transaction.

Difference Between Two-Factor and Multi-Factor Authentication

The subtle difference is that, while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart-card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) provided via a biometric fingerprint reader. This example uses three factors to assert the identity of a user.

Business Reasons to Consider Two-Factor Authentication

Privacy and the threat of identity theft are increasingly a concern as more personal information finds its way to online applications. In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking, consequently no longer providing adequate protection for mission-critical information systems and applications containing Personally Identifiable Information (PII), Personal Health Information (PHI), and other confidential information. Some specific concerns:

  • As passwords become easier to guess or compromise, password complexity requirements are quickly coming to exceed what users can reasonably remember.
  • Password proliferation has increased the time and effort spent on user support because of forgotten passwords and the need to reset them.
  • Many password reset mechanisms are insecure, even if the passwords themselves are not.
  • The increased use of single sign-on increases the value of passwords and the number of ways by which those passwords can be potentially attacked.
  • Passwords are all too often cached in applications (e.g., email clients or web browsers), stored off-site (e.g., POP consolidation of email from multiple accounts), and reused for multiple services, some highly sensitive.

Application and Information Access Control

a) Information Access Restriction

The organization’s Access Control page can contain publications, presentations, policies, podcasts, and blogs regarding mechanisms by which a system grants or revokes the right to access some data or perform some action.

b) Sensitive System Isolation

Segregation can be defined as the action or state of setting someone or something apart from other people or things, or of being set apart. Information resources that are critical to the performance of the organization’s mission, contain confidential information, or are otherwise considered sensitive should be segregated (i.e., given a dedicated environment) based on sensitivity and risk. The segregation of information resources can be accomplished by:

  • Creating network domains (e.g., public vs internal, critical vs non-critical) – a domain being the collection of devices and subjects that share a common security policy – and trusts – a security bridge between domains that enables users of one domain to access resources in another. Both are common practice in decentralized access implementations; domains are defined based on risk and the specific security requirements of each domain.
  • Implementing virtual local area networks (VLAN) and/or virtual private networks (VPN) for specific user/application groups
  • Controlling network data flows using network equipment routing/switching capabilities (e.g., access control lists (ACLs))

Federation

A federation is an association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.

  • Increasingly, people must easily and securely exchange information in cyberspace among known individuals and be trusted to access restricted resources without having to struggle with numerous and onerous security processes.
  • Ideally, each individual would like a single digital credential that can be securely used to authenticate his or her identity any time authentication of identity is required to secure a transaction.
  • Traditional forms of authentication and authorization are no longer sufficient for the level of assurance needed by modern Internet-based applications
    • Increase security
    • Compliance with federal and state rules
  • Application security is becoming increasingly onerous (multiple applications, multiple enterprises, and multiple user roles in multiple contexts)
    • Inter-organizational collaboration
    • Operational efficiencies and cost control
  • Examples:
    • The organization wants to offer services to their constituents but doesn’t want to host them.
    • The vendor wants to offer a service to an organization but doesn’t want the burden of managing user credentials and authentication.
    • The user wants seamless access to services. “Single-Sign-On”.
    • The security officer wants to protect organization assets, user identity information, and passwords

Traditional Approach

Federated Approach:

First Steps:

Technically speaking, it involves:

  • new policies
  • new processes
  • new trust relationships
  • new authentication and authorization mechanisms
  • new enterprise directories
  • new applications and much more

The participating organization must agree on:

  • Technical specifications: data attributes to exchange, the software to interoperate with
  • Policy specifications: privacy, establish trust and trustworthy data

Must provide two sets of services:

  • Metadata management: aggregate, distribute, and maintain members’ attribute data, syntax, and semantics
  • Trust management:
    • federation and member operation practices and control
    • privacy and security policies

Things to Think About:

  • Policy work is very slow, but critical – start early
    • Identifiers
    • Privacy
    • Content copyright
  • Do not underestimate the difficulty of application integration with new or legacy infrastructure
  • Authorization can be quite a challenge (e.g., how to identify subsets of people)
  • Consider new support models
  • Communication and coordination are key
  • Keeping all stakeholders motivated and involved can be quite a challenge

Policy Issues:

  • Which services reside where?
  • How is vetting / credentialing performed?
  • How do application owners determine the required Level of Assurance (LOA) for their applications?
  • How do Identity providers comply with applications’ LOA requirements?
  • Who supports the end users and applications?
  • Who audits identity providers’ practices and what standards are used?
  • What is the role of Information Security Governance?

Federation Technology Standards:

  • Security Assertion Markup Language (SAML):
    • Standard developed and ratified by OASIS, an international non-profit standards organization, and managed by the OASIS Security Services Technical Committee
    • Has broad vendor and industry acceptance
  • WS-Federation: a specification developed by IBM, Microsoft, BEA, and others. OASIS now has a technical committee tasked with standardizing WS-Fed.
  • Liberty Identity Federation Framework (ID-FF): now integrated into the SAML 2.0 standard.
  • Open ID: a user-centric distributed web-SSO technology perceived as being lighter-weight and less focused on communities of trust than SAML

Benefits of Federation:

  • Sharing of Resources
  • Collaboration
  • Increase security (fewer usernames and passwords to manage)
  • Lower support costs (no application-based identity management)
  • Improved user experience (fewer usernames and passwords to remember)

Challenges of Federation:

  • Deploying new infrastructure is hard
    • The infrastructure must be there before gains can be realized, which makes it a challenge.
  • Policy development can take considerable time.
  • Trust can be difficult to achieve.
    • Good policy and governance helps (“trust but verify”)
  • Making it ubiquitous across entities of varying sizes is a challenge.
    • Many times, it is the smaller organizations that can benefit the most.

Good security and identity practices help ensure that an individual using an electronic credential is the person you think it is. For Service Providers in an identity federation, having Identity Provider Operators support a standard practice set (or profile) can mitigate the risk of a service compromise. For Identity Providers, it is a way to provide single sign-on access to applications requiring an increased level of confidence in a credential.

Cloud Computing and Software as a Service (SaaS)

Cloud [computing] describes the use of a collection of distributed services, applications, information and infrastructure composed of pools of compute, network, information and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned using an on-demand, utility-like model of allocation and consumption. Software as a Service (SaaS) is the capability provided to the consumer to use a provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email).

Challenges:

  • The decision to procure cloud computing services or SaaS may be driven mostly by individual departments instead of organizational IT strategy.
  • Integrating separately developed applications into an integrated approach.
    • How to manage access?
    • How to manage provisioning?
    • How to integrate these applications into organizational web services?
  • How to reduce the number of credentials

An Alternative Solution:

  • Focus on four activities:
    • Develop an organizational Identity Management System
    • Create a standard set of attributes for each person.
    • Use a federation to enable external access
    • Require organizational developers, and service providers responding to RFPs, to support SAML and InCommon
  • InCommon provides an easy to use framework for customers and service providers that will work across higher education.

Mobile Computing and Teleworking

Teleworking (i.e., telecommuting), e-commerce, use of intranets, online education, and the increasing use of portable computing devices (e.g., laptops, tablets, smartphones) are driving the need for access to information resources from any place at any time. Today’s mobile users are no longer just staff trying to check e-mail from home but part- and full-time staff, telecommuters, business partners, vendors, and customers who rely on access to organizational networks to accomplish day-to-day business functions. Information security controls specifically targeting mobile computing and remote access to information resources are becoming an increasingly critical component of any information security program, ensuring the protection of the integrity of the organizational network while allowing remote access to it.

Challenges of Mobile Computing:

  • User Authentication
  • Protection of Transmitted Data
  • Protection of the Organizational Network

To enable remote access to organizational information resources, organizations are implementing Virtual Private Network (VPN) technology to provide a secure connection to the institutional network. VPNs send data securely through a shared network. VPNs can be established between remote users and a network, or between two or more networks, using the Internet as the medium for transmitting information securely over and between networks via a process called tunneling.


If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

ISO 27001:2022 A 8.18 Use of privileged utility programs

This control establishes guidelines that govern the use of any utility program that has the potential to override business-critical system and application controls. The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. No one outside the organization shall be sharing any sort of confidential details. Use of utility programs (applications that perform computer management tasks such as virus protection, password management, file compression, etc.), or other software that might be capable of overriding system and application controls or altering system configurations, must be restricted. Management approval is required prior to the installation or use of any ad hoc or third-party system utilities. A utility program is any piece of software that is designed to analyse or maintain a computer system or network. Examples of utility programs include:

  • Diagnostic tools
  • Patching assistants
  • Antivirus programs
  • Disk defragmenters
  • Backup software
  • Networking tools

Utility programs are essential to the smooth running of any given LAN or WAN, and help network administrators improve uptime and increase resilience across a broad range of commercial functions. Given their intrusive nature, utility programs also have the potential to cause a significant amount of damage on a network unless their use is properly monitored. The Internet is flooded with utility programs, all claiming to help you stay organised. Yet many of these programs are viruses and malware that hackers use to get into your system and even target your antivirus software, and before you know it they have access to confidential files. ISO 27001 warns against downloading random utility programs onto your systems. Those you do use must be verified by competent staff and checked for any possible spyware, malware or insecure code. If a program is required, then only a small group of personnel should have privileged access rights to the software, and its use should be monitored.

Control

The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

Purpose

To ensure the use of utility programs does not harm system and application controls for information security.

ISO 27002 Implementation Guidance

The following guidelines for the use of utility programs that can be capable of overriding system and application controls should be considered:

  1. limitation of the use of utility programs to the minimum practical number of trusted, authorized users;
  2. use of identification, authentication and authorization procedures for utility programs, including unique identification of the person who uses the utility program;
  3. defining and documenting of authorization levels for utility programs;
  4. authorization for ad hoc use of utility programs;
  5. not making utility programs available to users who have access to applications on systems where segregation of duties is required;
  6. removing or disabling all unnecessary utility programs;
  7. at a minimum, logical segregation of utility programs from application software. Where practical, segregating network communications for such programs from application traffic;
  8. limitation of the availability of utility programs (e.g. for the duration of an authorized change);
  9. logging of all use of utility programs.

Other information

Most information systems have one or more utility programs that can be capable of overriding system and application controls, for example diagnostics, patching, antivirus, disk defragmenters, debuggers, backup and network tools.

Utility computer programmes that might be capable of overriding system and application controls need to be carefully managed.

Powerful system and network utility programs can create an attractive target for malicious attackers and access to them must be restricted to the smallest number of people. As such utility programs can be easily located and downloaded from the internet it is also important that users are restricted in their ability to install any software as much as possible weighed against business requirements and risk assessment. Use of utility programs should be logged and monitored/reviewed periodically to satisfy auditor requests. In order to maintain network integrity and bolster business continuity, organisations should:

  1. Restrict the use of utility programs to employees and IT maintenance staff who specifically require them to carry out their job role.
  2. Ensure that all utility programs are identified, authenticated and authorised in line with business requirements, and management are able to gain a top down view of their use at any given time.
  3. Identify all personnel who use utility programs, either as part of their daily duties, or on an ad-hoc basis.
  4. Implement adequate authorisation controls for any employee who needs to use utility programs, either as part of their daily duties, or on an ad-hoc basis.
  5. Prevent the use of utility programs on any system where the organisation has deemed it necessary to segregate duties.
  6. Periodically review the use of utility programs, and either remove or disable any programs as the organisation requires.
  7. Keep utility programs partitioned from the standard applications that the business uses on a regular basis, including at the level of network traffic.
  8. Restrict the availability of utility programs, and only use them for express purposes.

A utility program is usually smaller than a standard application and refers to a program that is responsible for managing system resources and adding functionality to your computer. This can include screen savers, icon tools and other desktop enhancement features. A privileged utility program is an application that requires elevated (administrative) privileges to perform its specific task. This can include endpoint security tools such as anti-virus software, software updaters, device/process managers, disk encryption and software firewalls. Allowing employees to run privileged utilities from their standard user account introduces security risks into the network, since malware can then cause much more damage by running with the privileges of the utility program. Therefore, it is advised to ensure that administrative accounts are not used to conduct daily business functions such as sending e-mails and browsing the web; these accounts must only be used for tasks that require admin privileges. Equally, standard users should not be given administrative rights over specific utilities/programs. If a standard user account is used and a privileged utility program is executed, User Account Control (UAC) will prompt for administrative credentials, which will then need to be entered. Access to privileged utility programs should be restricted to the employees who require them to perform their daily tasks. If a user requests access to a privileged utility, justification should be provided and reviewed by a person with authority within the organisation. Additionally, it is advised to identify and disable all unnecessary utility programs on the machines, and to monitor and review the event logs on a regular basis in order to identify any suspicious behaviour or mis-assignment of account privileges within the organisation.
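One way to operationalise guideline items 1, 5, 8 and 9 of the ISO/IEC 27002 list above and the periodic event-log review recommended in this section, as an added example that is not the standard's or this page's own code: a policy check run over process-start records, flagging utility use by unauthorised users, by users who hold application roles where segregation of duties applies, and outside an approved change window. The record format, utility names, policy table, user names and change identifiers are all constructed assumptions.

```python
# Added illustration, not from the standard: log format, policy and names are constructed.
from datetime import datetime
from typing import Dict, List

# Inventory of utility programs that can override system/application controls, the users
# authorised to run them (item 1) and whether each run needs an approved change (item 8).
UTILITY_POLICY = {
    "defrag.exe":       {"authorized": {"it-maint"},   "change_required": False},
    "netdiag.exe":      {"authorized": {"netops-1"},   "change_required": False},
    "sysdebug.exe":     {"authorized": {"it-maint"},   "change_required": True},
    "backup-agent.exe": {"authorized": {"svc-backup"}, "change_required": False},
}
# Users who hold application roles on systems where segregation of duties applies (item 5).
SOD_APPLICATION_USERS = {"finance-clerk"}
# Approved changes: id -> (user, window start, window end), all in UTC.
APPROVED_CHANGES = {
    "CHG-0042": ("it-maint", "2024-05-01T09:00:00Z", "2024-05-01T11:00:00Z"),
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' process-start record (constructed format)."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for f in fields:
        key, _, val = f.partition("=")
        event[key] = val
    return event


def review_utility_use(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per record that breaches the utility-program policy (item 9 review)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        user = ev["user"]
        base = {"ts": ev["ts"], "host": ev["host"], "user": user, "image": image}
        policy = UTILITY_POLICY.get(image)
        if policy is None:
            continue  # not a controlled utility: ordinary application activity
        if user in SOD_APPLICATION_USERS:
            findings.append({**base, "finding": "utility run by application user (segregation of duties)"})
            continue
        if user not in policy["authorized"]:
            findings.append({**base, "finding": "user not authorized for this utility"})
            continue
        if policy["change_required"]:
            change = APPROVED_CHANGES.get(ev.get("change", "-"))
            when = _ts(ev["ts"])
            if change is None or change[0] != user or not (_ts(change[1]) <= when <= _ts(change[2])):
                findings.append({**base, "finding": "use outside an approved change window"})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "2024-05-01T09:30:00Z host=app-srv01 user=it-maint image=C:\\Tools\\defrag.exe change=-",
    "2024-05-01T09:45:00Z host=app-srv01 user=it-maint image=C:\\Tools\\sysdebug.exe change=CHG-0042",
    "2024-05-01T13:10:00Z host=app-srv01 user=it-maint image=C:\\Tools\\sysdebug.exe change=CHG-0042",
    "2024-05-01T13:20:00Z host=fin-srv02 user=finance-clerk image=C:\\Tools\\netdiag.exe change=-",
    "2024-05-01T14:00:00Z host=fin-srv02 user=jdoe image=C:\\Tools\\backup-agent.exe change=-",
    "2024-05-01T14:05:00Z host=fin-srv02 user=jdoe image=C:\\Apps\\ledger.exe change=-",
]

if __name__ == "__main__":
    for f in review_utility_use(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} {f['image']}: {f['finding']}")
```

Against the constructed records the script reports the debugger run after the change window closed, the finance user running a network tool on a segregated system, and an ordinary user starting the backup agent; the two permitted runs and the business application produce no finding.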

The organization must restrict access to privileged utility programs, and control utility program access to systems and applications, by controlling access to the privileged account credentials stored securely in the digital vault. Access can be restricted to a certain time period and disabled when not in use. “Dual Control” can specify that access to highly sensitive credentials requires confirmation by one or more other authorized users. Administrators can also be granted authorized access to resources without ever seeing the privileged account password in clear text. Many utility programs involve the use of service accounts; services such as backup or vulnerability scanning require privileged access to systems. To perform their designated tasks, such as retrieving, processing, transmitting and storing sensitive data, these programs require high levels of access to running processes. Service accounts are difficult to secure since their credentials are typically hard-coded in clear text within the programs. The solution must eliminate hard-coded passwords from utility programs and use an advanced means of authenticating the programs that request credentials. Access should be granted only to trusted programs, with no impact on performance or downtime. The solution must provide a tamper-proof audit record that tracks all privileged account access to utility programs and all utility program service account access to systems.