Physical Security Standards
Ratified by Data Custodians: June 15, 2006
Physical access to areas containing IT information resources
(including data, data processing equipment and storage devices)
and the supporting infrastructure (communications, power and the
environment) that involve confidential and/or registered confidential
data must be controlled to prevent, detect, and minimize the
effects of unauthorized or unintended access to these areas.
Physical access controls must be in place for the following:
- Data Centers;
- Areas containing servers and associated media;
- Power and emergency backup equipment; and
- Operations and control areas.
- Choose a site for IT information resources for which it is
reasonably easy to ensure proper environmental and physical
controls.
- The site should be reasonably safe from exposure to fire,
flood, explosion, or similar hazards.
- The site should have as few access points as safety and
the functions of the site allow.
- Where applicable, detection devices should be utilized to
prevent theft and to safeguard the equipment.
- Doors that provide access to the equipment and media
should be constructed so as to discourage break-in.
- Physical security devices should have regular preventive
maintenance and maintenance logs should be retained.
- All portable storage media such as hard drives, flash media
drives, diskettes, magnetic tapes, laptops, PDAs, etc., should be
physically secured.
- Where feasible, file servers used to store confidential or
registered confidential data should be physically located in
separate locked areas that cannot be accessed by others who
might have a need to enter the main facility but do not require
access to the specific equipment.
- Ensure that access to the facility is controlled by granting
access only to those employees, contractors, technicians and
vendors who have legitimate business responsibilities within
the facility.
- There should be a regular review of facility access authorization
for employees and vendors, ensuring that facility access is limited
to only those with a business need for physical, rather than
electronic, access to the facility, equipment and media.
- Procedures must be in place that limit access to those with
authorization and that enable the auditing of authorizations, access
events, procedures and logs. Procedures should address both normal
business hours and non-business hours.
Employees who access secured areas should have proper
identification and authorization to enter the area. All visitors should
sign in and wear proper IDs so that they can be identified easily.
Data Center personnel should be trained to restrict the removal
of assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing
a specific and formal authorization process for the removal of
hardware and software from premises.
- Authorization procedures must address change in work or
contractual status. A list of authorized individuals and the specific
equipment/data that each individual has access to must be
maintained.
- All physical access to facilities by visitors (including vendors)
must be logged (e.g., through sign-in sheets) for entry, exit and
purpose, and all access logs should be retained. All visitors
should be escorted by an employee who is authorized to access
the facility. All visitors should be required to wear an identification
badge during the time they are in the facility.
- In the case where physical keys are used, the keys should be
marked "Do not Duplicate".
- When an individual is no longer authorized to access the
facility, that individual's keys and access must be revoked.
- There should be procedures in place for handling lost keys
and access cards.