Security – ISMS – Physical Security

Physical Security

Requirements

The topic of Physical Security addresses areas of security that relate to physical building access. Additionally, this involves the management of physical assets. Also working in secure locations and environmental controls/conditions. Essentially, measures for areas in company facilities that contain equipment and devices providing access to information and technology systems.

As a minimum, guidelines in this topic should cover:

• Company Building Access – who and where
• Identification – how to distinguish ‘friend’ from potential ‘foe’
• Security Areas – definition of types and controls
• Environmental Controls – safeguarding systems.

Policy Explanation

Controls around the purpose, use and security of each of the company buildings should be defined. This ensures clarity on the level of authorisation required to enter those areas. Also needed is definition of the different technology systems at company sites with details of access. This should be restricted to those individuals that require it – following the ‘need to know’ principle.

Roughly speaking, each physical area of the business can be classified in one of the following security terms:

• Public Access – areas available to members of the public and other non-employees
• Office Areas – areas where employees will be located to carry out their normal duties
• Restricted Access – areas requiring elevated authorisation levels
• Offsite Facilities – areas remote from the main operating location(s).

Be sure to cover areas of public areas by non-employees. This may include reception areas, meeting rooms and any general office area that may be visited. Office areas are those that are routinely used by employees but may occasionally have non-employees present.

The areas covered by guidelines on restricted or security areas are those that house technology and other computer equipment. This typically includes: computer rooms, data centres, network cabinets, etc. However, areas where end-user devices are located should also be included in these guidelines. Additional measures will be needed if the devices can access sensitive information.

And don’t forget offsite facilities – this topic is not only about the main company premises. The housing of company equipment by hosting providers will also need to be included. This involves shared data centre facilities, etc but also includes areas such as offsite storage facilities. Be careful to incude any specialised storage facilities for media or equipment containing digital data or hardcopy information. The security of these sites must consider vulnerabilities such as unauthorised access, theft, etc.

Identification concerns the means of identifying those that are authorised to access different locations in the business operating environment. Standard measures involve ID cards, name tags and badges, electronic key tags. Different individuals need to be recognised as employees, visitors, contractors, etc. There may be a need to include different levels of ID/access cards depending on what restrictions exist to control access to sensitive areas. Note whether a secure area requires separate arrangements to provide authorisation. It is not unusual to require a differently configured electronic tag to facilitate access.

Additional Considerations

Perhaps not so obvious but equally important is how to manage physical security of cabling cabinets, ducts and electrical panels. These areas house the building wiring needed to service the network devices. Also, power systems and environmental controls should not be overlooked. There may not be regular access to these areas, but relevant security measures must be included in the overall framework. Generally, these building facilities are managed by personnel other than those concerned with information security. In this situation, there will need to be collaboration across several different teams to ensure the security is properly arranged.

Environment controls involve the management of conditions that allow the proper use of equipment and systems, within defined operating parameters. This will involve systems such as air-conditioning, fire-fighting systems, waterproofing, etc. Be sure to include any other automated controls that maintain the operating capability of equipment and devices.

Similarly, areas that include alarms, electronic access control systems, cameras, CCTV, etc must be included in the physical security guidelines. Again, measures to control and safeguard these devices will need collaboration between information security specialists and physical building security providers. This overlap in responsibilities for different purposes must be clearly defined so there is no confusion over where the day-to-day management belongs.