6. Physical and environmental security
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
6.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
6.1.1 Physical security perimeter and entry controls
Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. These areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
- Ensure the siting and strength of each of the perimeters reflects the security requirements of the assets within the perimeter and the results of a risk assessment.
- Ensure that the perimeters of a building or site containing information processing facilities have no gaps or areas where a break-in could easily occur:
a) the construction of exterior roof, walls and flooring of the site is solid;
b) all external doors are protected against unauthorized access (e.g. by using bars, alarms, locks);
c) doors and windows are locked when unattended and external protection applies for windows, particularly at ground level.
- Build physical barriers around the organization’s premises and information processing facilities to prevent unauthorized physical access and environmental contamination.
a) install additional barriers and perimeters to control physical access between areas with different security requirements inside the security perimeter;
b) give special attention to physical access security in the case of buildings holding assets for multiple organizations.
- Alarm and monitor all fire doors on the security perimeter, and operate these doors in accordance with the local fire code in a failsafe manner.
- Install suitable intruder detection systems (IDS) in accordance with the national, regional or international standards.
a) regularly test the IDS, which should cover all external doors and accessible windows;
b) keep unoccupied areas (e.g. storage rooms) alarmed at all times.
- Physically separate information processing facilities managed by the organization from those managed by external parties.
- Control physical access to the site or building so that only authorized personnel can enter, for example through a manned reception area.
- Restrict the access to areas where confidential information is processed to authorized individuals by implementing appropriate access controls, e.g. a two-factor authentication mechanism such as an access card and secret PIN.
a) maintain and monitor a physical log book or electronic audit trail of all access;
b) regularly review and update access rights to secure areas.
An example of a secure area is a lockable office or several rooms surrounded by a continuous internal physical security barrier. Areas with different security requirements inside the security perimeter require additional barriers and perimeters to control physical access. Buildings holding assets for multiple organizations deserve special attention to physical access security. Physical controls, especially for the secure areas, adapt to the technical and economic circumstances of the organization, as set forth in the risk assessment.
- Record the date and time of entry and departure of visitors, and prepare clear guidance on:
a) granting access for specific, authorized purposes;
b) when to supervise visitors and how to report unsupervised visitors;
c) the security requirements of the area and the emergency procedures;
d) the appropriate means to authenticate visitors’ identity.
- Grant support service personnel of an external party restricted access to secure areas or confidential information processing facilities only when required; authorize and monitor this access.
- Require all employees and externals to wear some form of visible identification.
- Control access points such as delivery and loading areas and other points where unauthorized persons could enter the premises.
a) isolate these areas from information processing facilities to avoid unauthorized access.
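One way to carry out the review of the electronic audit trail called for above (log every access, then regularly check it against the current access rights), as an added example that is not part of this manual: a short Python script over a constructed badge log. The log format, the authorized-badge list, the working hours and the denial threshold are all assumptions.

```python
"""Review a secure-area badge audit trail against current access rights (added example)."""
from datetime import datetime, time

# Constructed sample audit trail: timestamp, badge id, door, result (format assumed).
LOG = """\
2024-03-04T08:55:12 B1001 server-room GRANTED
2024-03-04T09:10:44 B1002 server-room GRANTED
2024-03-04T23:41:03 B1001 server-room GRANTED
2024-03-05T10:02:27 B2007 server-room GRANTED
2024-03-05T10:03:09 B3003 server-room DENIED
2024-03-05T10:03:15 B3003 server-room DENIED
2024-03-05T10:03:22 B3003 server-room DENIED
"""

# Current access list for the area and its permitted hours (assumed values).
AUTHORIZED = {"B1001", "B1002"}
HOURS = (time(7, 0), time(19, 0))
DENIED_THRESHOLD = 3  # repeated denials worth a follow-up


def parse(log):
    """Turn the raw log into (timestamp, badge, door, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events


def review(log, authorized=AUTHORIZED, hours=HOURS, threshold=DENIED_THRESHOLD):
    """Return findings as (kind, badge, timestamp) for the reviewer to act on."""
    findings = []
    denied = {}
    for ts, badge, door, result in parse(log):
        # A granted entry by a badge no longer on the list: access right not revoked.
        if result == "GRANTED" and badge not in authorized:
            findings.append(("stale-right", badge, ts.isoformat()))
        # Granted entry outside the permitted hours for the area.
        if result == "GRANTED" and not hours[0] <= ts.time() <= hours[1]:
            findings.append(("out-of-hours", badge, ts.isoformat()))
        # Repeated denials from one badge: possible misuse of a lost card.
        if result == "DENIED":
            denied[badge] = denied.get(badge, 0) + 1
            if denied[badge] == threshold:
                findings.append(("repeated-denial", badge, ts.isoformat()))
    return findings
```

Each finding maps back to an item in this section: a stale right means the access list review in b) was missed, an out-of-hours entry needs the visitor and supervision rules, and repeated denials call for checking whether the badge was reported lost.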
6.1.2 Securing offices, rooms and facilities and working from secure areas
Physical security for offices, rooms and facilities should be designed and applied. Procedures for working in secure areas should be designed and applied.
- Separate key facilities on the site to avoid access by the public.
- Configure facilities to prevent confidential information or activities from being visible and audible from the outside.
a) electromagnetic shielding should also be considered as appropriate.
- Ensure that information identifying the location of confidential information processing facilities is not readily accessible to anyone unauthorized.
- Physically lock and periodically review vacant secure areas.
The arrangements for working in secure areas cover who works there as well as all activities taking place in the secure area.
Buildings that house a secure area of importance are unobtrusive and give minimum indication of their purpose. Such buildings have no obvious signs, outside or inside the building, identifying the presence of information processing activities. Only personnel with a “need-to-know” are aware of the existence of, or activities within, a secure area of importance. Consider not allowing photographic, video, audio or other recording equipment, such as cameras in mobile devices, unless authorized.
6.1.3 Protecting against external and environmental threats
Physical protection against natural disasters, malicious attack or accidents should be designed and applied.
- Obtain specialist advice on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.
6.2.1 Equipment siting and protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access, especially when left unattended. Equipment should be correctly maintained to ensure its continued availability and integrity, and disposed of securely when no longer needed.
- Minimize unnecessary access into work areas through the following:
a) carefully position information processing facilities handling sensitive data to reduce the risk of unauthorized persons seeing information during their use;
b) secure storage facilities to avoid unauthorized access.
- Safeguard items requiring special protection by siting them apart from the rest of the environment, so that the remaining environment does not require a higher level of protection.
- Adopt controls to minimize the risk of potential physical and environmental threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism.
a) monitor environmental conditions, such as temperature and humidity for conditions which could adversely affect the operation of information processing facilities;
b) establish guidelines for eating, drinking and smoking in proximity to information processing facilities.
- Apply lightning protection to all buildings and fit lightning protection filters to all incoming power and communications lines.
- Consider the use of special protection methods, such as keyboard membranes, for equipment in industrial environments.
- Protect equipment processing confidential information to minimize the risk of information leakage due to electromagnetic emanation.
- Make all users aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection:
a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password protected screen saver;
b) log-off from applications or network services when no longer needed;
c) secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.
- Maintain the equipment in accordance with the supplier’s recommended service intervals and specifications.
a) only authorized maintenance personnel carry out repairs and service equipment. Require assurance that such personnel are sufficiently cleared;
b) keep records of all suspected or actual faults, and of all preventive and corrective maintenance;
c) comply with all maintenance requirements imposed by insurance policies;
d) inspect the equipment before putting it back into operation after its maintenance to ensure that the equipment has not been tampered with and does not malfunction.
- Verify, prior to disposal or re-use, whether equipment contains storage media. Physically destroy storage media containing confidential or copyrighted information, or delete or overwrite the information using techniques that make the original information non-retrievable, rather than using the standard delete or format function.
a) damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.
Information can be compromised through careless disposal or re-use of equipment. Techniques for securely overwriting storage media differ according to the storage media technology, and overwriting tools must be applicable to that technology. The risk of disclosure of confidential information when equipment is disposed of or redeployed is also reduced through whole-disk encryption, if:
a) the encryption process is sufficiently strong and covers the entire disk (including slack space, swap files, etc.);
b) the encryption keys are long enough to resist brute force attacks;
c) the encryption keys are themselves kept confidential (e.g. never stored on the same disk).
Encryption is covered in this manual under 5.1 Cryptographic controls.
6.2.2 Security of supporting utilities and cabling
Equipment should be protected from failures in supporting utilities (e.g. power failures). Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.
- Ensure that supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning):
a) conform to equipment manufacturer’s specifications and local legal requirements;
b) are inspected and tested as well as appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
c) are alarmed, if necessary, to detect malfunctions and have multiple feeds with diverse physical routing;
d) provide redundant network connectivity by means of multiple routes from more than one utility provider.
- Provide emergency lighting and communications, and locate emergency switches and valves to cut off power, water, gas or other utilities near emergency exits or equipment rooms.
- Ensure that power and telecommunications lines into information processing facilities are underground or subject to adequate alternative protection.
a) segregate power cables from communications cables to prevent interference.
- For sensitive or critical systems, further controls to consider include:
a) install armoured conduit and locked rooms or boxes at inspection and termination points;
b) use electromagnetic shielding to protect the cables;
c) initiate technical sweeps and physical inspections for unauthorized devices being attached to the cables;
d) control access to patch panels and cable rooms.
6.2.3 Removal of assets from the premises and security of assets off-premises
Equipment, information or software should not be taken off-site without prior authorization. Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises.
- Identify employees and external party users who have authority to permit off-site removal of assets. Where necessary and appropriate, record such assets as being removed off-site and record when returned.
- Document the identity, role and affiliation of anyone who handles or uses assets and return this documentation with the equipment, information or software.
- Require management authorization for the use of any information storing and processing equipment outside the organization’s premises. This applies both to equipment owned by the organization and to privately owned equipment used on behalf of the organization.
- Do not leave equipment and media unattended in public places.
- Observe manufacturers’ instructions for protecting equipment at all times, e.g. protection against exposure to strong electromagnetic fields.
- Determine home-working, teleworking and temporary sites according to a risk assessment and apply controls as appropriate, e.g. lockable filing cabinets, clear desk policy, access controls for computers and secure communication with the office.
- Maintain a log of the chain of custody for the equipment (at least names and organizations of those who are responsible for the equipment) when the equipment is used off-premises and is transferred among different individuals or externals.
- Take into account risks, e.g. of damage, theft or eavesdropping, which vary considerably between locations and determine the most appropriate controls.
Any other aspects of protecting mobile equipment in this manual are included in 1.2 Mobile devices and teleworking.
6.2.4 Clear desk and clear screen policy
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
- Establish a clear desk and clear screen policy. Take into account the information classifications, legal and contractual requirements and the corresponding risks and cultural aspects of the organization.
a) lock away sensitive or critical business information (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated;
b) lock the screen of computers and terminals with an authentication mechanism when unattended, and protect them by key locks, passwords or other controls when not in use;
c) remove media containing sensitive or classified information from printers. Consider the use of printers with a PIN code function, so that the originators are the only ones who can collect their print-outs, and only when standing next to the printer.
The risks of unauthorized access, loss of and damage to information during and outside normal working hours are reduced by implementing the clear desk and clear screen policy. Safes or other forms of secure storage facilities protect information stored therein against disaster, e.g. fire, earthquake, flood or explosion.