This policy establishes guidelines to prevent unauthorized access and interference to <Organization-Name> Company’s premises and information assets. It also suggests guidelines to build security controls to prevent damage from physical security threats and environmental hazards.
This policy applies to all users of information assets including <Organization-Name> employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel and functional units regardless of geographic location.
This Policy covers all Information Systems environments operated by <Organization-Name> or contracted with a third party by <Organization-Name>. The term “IS environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. mainframe, distributed, desktop, network devices, wireless devices), software, and information.
Although this Policy explicitly covers the responsibilities of users, it does not cover the matter exclusively. Other <Organization-Name> Information Security policies, standards, and procedures define additional responsibilities. All users are required to read, understand and comply with the other Information Security policies, standards, and procedures. If any user does not fully understand anything in these documents, he should consult with his systems administrator, business or functional manager, or human resources department, as applicable, who will contact the Information Security Department.
The Information Security Department shall resolve any conflicts arising from this Policy.
- The sponsor of this policy is the Information Security Manager.
- The Security department is responsible for maintenance and accuracy of the policy.
- Any questions regarding this policy should be directed to the Security Department.
Definition of some of the common terms:
Authentication: The identification requirements associated with an individual using a computer system. Identification information must be securely maintained by the computer system and can be associated with an individual’s authorization and system activities.
Availability: Ensuring that authorized users have access to information and associated assets when required.
Critical: Degree to which an organization depends on the continued availability of the system or services to conduct its normal operations.
Sensitive: concerned with highly classified information or involving discretionary authority over important official matters.
Physical and environmental security protects information and information systems facilities from physical and environmental threats. Physical access to information processing areas and their supporting infrastructure (communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unintended access to these areas (e.g., unauthorized information access, or disruption of information processing itself).
This policy document addresses issues related to physical security perimeter, physical entry controls, working conditions, securing offices, datacenters, equipment security and general controls.
Physical Security Perimeter
The physical layout of <Organization-Name>’s information processing facilities will be segregated into perimeter zones. Each zone will have a different level of access restrictions and access authorization requirements.
The perimeter zones could include the following: -
- Public zone and Reception Zone. (Limited restrictions – area under overall surveillance)
- Office zone (Limited access – registration with reception required. Area under overall surveillance)
- Restricted access zone (Limited access. Access logged. Escorted access for visitors. Area under surveillance.)
- Highly Restricted access zone – Specifically authorized personnel only. (Highly restricted access. Logged access. Specific authorization required for employee and visitor access. Area under surveillance)
Appropriate physical barriers and access control devices must be installed to restrict access to <Organization-Name>’s information processing facilities.
Physical Entry Controls
All employees, contractors, consultants and other visitors entering (non public) <Organization-Name> premises are required to wear <Organization-Name> supplied identification badges.
Physical access to <Organization-Name>’s information systems facilities is to be restricted to authorized persons only. Authorization to enter restricted facilities is to be granted only when there is a business or technical reason for the person to enter the premises.
Physical access to <Organization-Name>’s information systems facilities must be authorized in accordance with specific physical access control procedures, standards and guidelines to be developed for this purpose.
Physical access to <Organization-Name>’s information processing facilities to (authorized) <Organization-Name> personnel, vendors or contractors will be based on identification and authentication procedures.
Secure areas (restricted zones) must be protected with a combination of access control devices (like physical barriers, and intrusion alarms), access logging equipment (like card key systems and security cameras) and guards to ensure that only authorized personnel are allowed access.
Access to sensitive or critical information processing facilities outside normal working hours must be specifically authorized and logged.
Access rights must be updated regularly, based on the criticality of the information system.
Visitors must be provided supervised and controlled access to secure areas in accordance with Access Control policy and other specific polices, procedures, and guidelines.
Supervised and controlled access could include: -
- Sign-in with the security guard in a Visitors Log that is retained and reviewed. The logbook should record the visitor’s name, company, purpose for visiting, time of entrance, time of departure, and date.
- Wearing of a visitor badge to inform personnel that a nonassociate is in the area. Visitors must produce picture identification to obtain the badge from the security guard. Those visitors not wearing badges should be challenged for identification.
- Escort of the visitor by <Organization-Name> personnel or by an individual with a current <Organization-Name> badge while the visitor is in the building.
- Personnel and visitors must declare their belongings like laptop computer, mobile phones etc. before entering restricted premises. The security guard must verify the declarations to prevent removal of <Organization-Name>’s property from the building.
- Physical access rights must be revoked immediately upon termination/resignation of employees or completion of a consultation or vendor agreement.
Securing Offices, Telecommunications Closets, Data Center And Facilities
Data center, equipment rooms, and telecommunications closets must be protected from unauthorized or unnecessary access. The construction of data centers, equipment rooms, telecommunication closets must take into account:-
- Specifications developed as a response to potential threats to the asset.
- Specifications developed in accordance with the assets classification (in accordance with <Organization-Name>’s Asset Classification & Control Policy).
- Vendor Specifications.
All data centers, equipment rooms, and telecommunications closets must be locked when unattended.
Network devices such as routers, switches, and hubs must be placed in restricted access zones that provide protection from unauthorized or unnecessary access.
All computers with modems must be placed in zones having restricted physical access, and comply with the Client Policy of <Organization-Name>.
All source media for operating system software, applications, backup tapes/devices and license keys must be clearly labeled and stored in a software library in a restricted access zone – with access for authorized personnel only.
Adequate intrusion detection controls e.g. burglar alarm, motion detector etc., and safety devices e.g. fire alarm, smoke detector, close circuit televisions etc. must be placed in all offices, switch rooms and data centers.
Support functions and equipments such as photocopiers and fax machines should be protected from unauthorized access.
No combustible or hazardous materials should be allowed in restricted zones.
All data centers, equipment rooms, and telecommunications closets must have a documented evacuation plan integrated with the Business Continuity Plan.
Working In Secure Areas
All work must be done under supervision of the respective department management.
All third party members must be given restricted access to <Organization-Name>’s information resources and their activities should be monitored and reviewed regularly.
All Vacant secure areas must be locked and inspected regularly.
No photographic, video, audio or other recording equipment should be allowed into secure areas without authorization.
Delivery And Loading Areas
Wherever possible, delivery and loading areas must be isolated from the information resources.
Materials, supplies and equipment entering and leaving <Organization-Name> premises must be inspected and where necessary registered in accordance with <Organization-Name>’s standard procedures for material handling.
Equipment Location And Protection
Equipment must be placed in a location commensurate with its criticality and its classification (See Asset Classification and Control Policy).
Equipment must be protected from environmental threats and hazards and opportunities for unauthorized access. <Organization-Name>’s standards and guidelines for secure location of equipment must be implemented.
All equipment should have adequate insurance based on the value of the equipment.
Equipment must not be moved from its location unless authorized in accordance with <Organization-Name>’s procedures for re-locating equipment.
Equipment must be protected from power failures and electrical anomalies.
Electrical supply must conform to the manufacturer’s specifications for each piece of equipment.
Critical equipment must be supported by uninterruptible power supply (UPS) and backup power generating equipment. Contingency plans must describe in detail the action to be taken in case of a continued power outage.
Power supply backup equipment including UPS’s, backup generators etc. must be subject to regular maintenance and testing.
Power and telecommunications cables carrying data or supporting information services must be protected from interception or damage.
The following controls could be considered:
- Power and telecommunications lines into the premises and server room must be adequately protected.
- Network cabling must be protected from unauthorized interception or damage.
- Power cables must be segregated from communications cables to prevent interference.
Equipment must be maintained in accordance with <Organization-Name>’s procedures, standards and guidelines for equipment maintenance. As a minimum these standards will recognize the criticality of the equipment and will comply with the vendor’s recommendations and specifications.
Maintenance of <Organization-Name> equipment must be performed only by authorized and qualified maintenance personnel.
Security Of Equipment Off-Premises
Equipment used to support business activities outside of <Organization-Name> departments must be made subject to the same type of management authorization and security protection as that of on-site equipment.
Secure Disposal Or Re-Use Of Equipment
All equipment containing storage media (e.g., fixed hard drives) must be checked to ensure that any critical business information assets and licensed software are removed, securely overwritten or destroyed prior to disposal.
Clear desk and clear screen policy
The company must follow a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities in order to reduce the risks of unauthorized access, loss of, and damage to information during and outside normal working hours.
Guidelines must be developed and implemented to promote <Organization-Name>’s clear desk and clear screen policy. These could include the following: -
- Paper and computer media must be stored in suitable locked cabinets and/or other forms of security furniture when not in use, especially outside working hours.
- Sensitive or critical business information should be locked away (ideally in a fire-resistant safe or cabinet) when not required, especially when the office is vacated.
- Personal computers and computer terminals and printers are not to be left logged on when unattended and should be protected by password protected screen savers.
- Photocopiers are to be locked (or protected from unauthorized use in some other way) outside normal working hours.
- Sensitive or classified information, when printed, is to be cleared from printers immediately.
Removal of property
<Organization-Name> departments equipment, software, or critical business information assets must not be taken off-site (whether for a short term or long term period or permanently) without written authorization in accordance with <Organization-Name>’s physical security procedures developed for this purpose.
Compliance with Physical and Environmental Security Policy is mandatory. <Organization-Name> managers must ensure continuous compliance monitoring within their organizations. Compliance with Physical and Environmental Security Policy will be a matter for periodic review by Information Security Audit team as per the audit guidelines and procedures mentioned in Security Control Framework and the Security Auditing Guidelines. Compliance measurement should also include periodic review for Security Quality Assurance. Violations of the policies, standards, and procedures of <Organization-Name> will result in corrective action by management. Disciplinary action will be consistent with the severity of the incident, as determined by an investigation, and may include, but not be limited to:
- Loss of access privileges to information assets
- Other actions as deemed appropriate by management, Human Resources, and the Legal Department.
This Policy is intended to address information security requirements. Requested waivers must be formally submitted to the Information Security Department, including justification and benefits attributed to the waiver, and must be approved by the Information Security Manager. The waiver should only be used in exceptional situations when communicating non-compliance with the policy for a specific period of time. At the completion of the time period the need for the waiver should be reassessed and re-approved, if necessary. No policy should be provided waiver for more than three consecutive terms.
The waiver should be monitored to ensure its concurrence with the specified period of time and exception.
All exceptions to this policy must be communicated through the Policy Waiver Request Form.