11 Physical and Environmental Security
11 Physical and Environmental Security
Control
Security perimeters should be defined and used to protect areas that contain either sensitive
or critical information and information processing facilities.
Implementation guidance
The following guidelines should be considered and implemented where appropriate for
physical security perimeters:
a) security perimeters should be defined, and the siting and strength of each of the
perimeters should depend on the security requirements of the assets within the
perimeter and the results of a risk assessment;
c) a manned reception area or other means to control physical access to the site or building
should be in place; access to sites and buildings should be restricted to authorized
personnel only;
e) all fire doors on a security perimeter should be alarmed, monitored and tested in
conjunction with the walls to establish the required level of resistance in accordance with
suitable regional, national and international standards; they should operate in
accordance with the local fire code in a failsafe manner;
Physical protection can be achieved by creating one or more physical barriers around the
organization’s premises and information processing facilities. The use of multiple barriers
gives additional protection, where the failure of a single barrier does not mean that security is
immediately compromised.
A secure area may be a lockable office or several rooms surrounded by a continuous internal
physical security barrier. Additional barriers and perimeters to control physical access may
be needed between areas with different security requirements inside the security perimeter.
Special attention to physical access security should be given in the case of buildings holding
assets for multiple organizations.
The application of physical controls, especially for the secure areas, should be adapted to
the technical and economic circumstances of the organization, as set forth in the risk
assessment.
Control
Secure areas should be protected by appropriate entry controls to ensure that only
authorized personnel are allowed access.
Implementation guidance
a) the date and time of entry and departure of visitors should be recorded, and all visitors
should be supervised unless their access has been previously approved; they should
only be granted access for specific, authorized purposes and should be issued with
instructions on the security requirements of the area and on emergency procedures. The
identity of visitors should be authenticated by an appropriate means;
c) a physical log book or electronic audit trail of all access should be securely maintained
and monitored;
d) all employees, contractors and external parties should be required to wear some form of
visible identification and should immediately notify security personnel if they encounter
unescorted visitors and anyone not wearing visible identification;
e) external party support service personnel should be granted restricted access to secure
areas or confidential information processing facilities only when required; this access
should be authorized and monitored;
f) access rights to secure areas should be regularly reviewed and updated, and revoked
when necessary (see 9.2.5 and 9.2.6).
11.1.3 Securing offices, rooms and facilities
Control
Physical security for offices, rooms and facilities should be designed and applied.
Implementation guidance
The following guidelines should be considered to secure offices, rooms and facilities:
Control
Implementation guidance
Specialist advice should be obtained on how to avoid damage from fire, flood, earthquake,
explosion, civil unrest and other forms of natural or man-made disaster.
Control
a) personnel should only be aware of the existence of, or activities within, a secure area on
a need-to-know basis;
b) unsupervised working in secure areas should be avoided both for safety reasons and to
prevent opportunities for malicious activities;
c) vacant secure areas should be physically locked and periodically reviewed;
The arrangements for working in secure areas include controls for the employees and
external party users working in the secure area and they cover all activities taking place in
the secure area.
Implementation guidance
a) access to a delivery and loading area from outside of the building should be restricted to
identified and authorized personnel;
b) the delivery and loading area should be designed so that supplies can be loaded and
unloaded without delivery personnel gaining access to other parts of the building;
c) the external doors of a delivery and loading area should be secured when the internal
doors are opened;
d) incoming material should be inspected and examined for explosives, chemicals or other
hazardous materials, before it is moved from a delivery and loading area;
Control
A clear desk policy for papers and removable storage media and a clear screen policy for
information processing facilities should be adopted.
Implementation guidance
The clear desk and clear screen policy should take into account the information
classifications (see 8.2), legal and contractual requirements (see 18.1) and the
corresponding risks and cultural aspects of the organization. The following guidelines should
be considered:
a) sensitive or critical business information, e.g. on paper or on electronic storage media,
should be locked away (ideally in a safe or cabinet or other forms of security furniture)
when not required, especially when the office is vacated.
b) computers and terminals should be left logged off or protected with a screen and
keyboard locking mechanism controlled by a password, token or similar user
authentication mechanism when unattended and should be protected by key locks,
passwords or other controls when not in use;
Other information
A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and
damage to information during and outside normal working hours. Safes or other forms of
secure storage facilities might also protect information stored therein against disasters such
as a fire, earthquake, flood or explosion.
Consider the use of printers with PIN code function, so the originators are the only ones who
can get their print-outs and only when standing next to the printer.