Security Policy – Physical and Environmental Security
Physical Security Perimeter
Physical security relating to the organisation is the first security aspect to be implemented. What would be the point of setting up password protection and sophisticated software if anyone could physically access an essential resource to steal, modify or destroy it? (SMEs see: Infiltrating the premises, Insertion or removal of hardware, Device recovery, Aggravated theft)
Always be aware of the actual value of a resource (see classification) to be able to plan suitable protection.
All the elements listed as important or vital for the organisation must be installed in secure premises. These premises constitute the security perimeter.
Applying Security Measures To:
- computers
- laptops
- file servers
- E-mail servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- protect the premises
Directly Associated Organisational Measures:
- Physical and environmental security
- Access control
- Management of security incidents
- Managing business continuity
Technical Measures:
Rules Within the Perimeter
The Premises Within the Security Perimeter Should Be:
- protected against access by unauthorised persons, especially persons from outside the organisation (SMEs see: Infiltrating the premises, Insertion or removal of hardware, Device recovery, Aggravated theft). Access should be through a single door and authorised by the IT manager.
- protected against fire. The doors should be fire doors, and fire alarms should be fitted. (SMEs see: Fire)
The Following Rules Should Also be Respected:
- keys should under no circumstances be accessible to the public;
- office equipment such as fax machines and photocopiers should be located within a safe area, but not near more crucial elements, so as not to increase the number of people who need to access the area holding those elements;
- doors and windows should be kept locked, especially outside office hours;
- access points, especially on the ground floor, should be protected against unwanted entry, either by grilles or by an electronic detection system paired with an audible alarm;
- hazardous or highly flammable materials (including cardboard, paper, wastebaskets and cleaning products) should not be stored near vital or important elements.
To be Applied in Security Measures for:
- file servers
- E-mail servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Human factors
- Physical and environmental security
- Operational and communications aspects
- Management of security incidents
Technical Measures
Physical security
Electrical Equipment Safety
The electricity power supply for vital equipment must be made safe:
- by a power supply from two different sources (two fuses on two circuits) where the equipment has two power supply units (SMEs see: Service interruption, Power cut, Discontinuity of service providers);
- by an uninterruptible power supply (UPS) which keeps the equipment powered during brief power cuts, for long enough to shut it down cleanly;
- by a backup generator.
To be Applied in Security Measures for:
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Physical and environmental security
- Operational and communications aspects
- Managing business continuity
Technical Measures
Maintenance
For resources classified as important or vital, a maintenance agreement with a guaranteed intervention or replacement period should be signed, compatible with the availability requirements of the resource (SMEs see: Invalid or non-existent licence, Administration impossible). Maintenance is an important criterion in optimising the availability of resources.
When a piece of equipment leaves the organisation for maintenance, or when it is discarded, it should not contain confidential data. If it does contain confidential data, a specific procedure should be decided upon (processing in-house, escorting the equipment, destruction of the hardware, etc.) based on the sensitivity of the data in question (SMEs see: Hardware damaged during transport, Device recovery).
See also: SOS – handover to repairs
To be Applied in Security Measures for:
Directly Associated Organisational Measures:
- Organisation of Security
- Classification and monitoring of resources
- Physical and environmental security
- Operational and communications aspects
- Development and maintenance of systems
- Managing business continuity
Technical Measures
Off-Site Equipment Security
The equipment used for processing information away from the organisation's site (at home, in a hotel, at a client's), such as laptops or telephones, is subject to similar security procedures. However, users should be particularly attentive to the risk of theft and keep the hardware in their sight at all times. A specific insurance policy should be taken out for this type of equipment. Hardware should be marked, to prevent it from being swapped. Authorisation must be granted by the head of equipment in the organisation before any hardware leaves the premises. This person decides whether data encryption tools are to be used on the hard disk (SMEs see: Hardware damaged during transport, Aggravated theft, Basic security measures for laptop computers).
Applying Security Measures to:
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Access control
- Development and maintenance of systems
- Management of security incidents
- Compliance
Technical Measures:
Disposal and Reuse of Equipment
Any equipment that is disposed of or reused in another context must have all its data removed: the disks should be wiped. The system can then be reinstalled where necessary. Depending on the sensitivity of the data stored on the disk, physical destruction of the disks (in a crusher or with a degausser) should be considered (SMEs see: Device recovery).
Ordinary file deletion is not enough, as the data remains present on the disk. If in-house capabilities are insufficient for this, an external supplier can be entrusted with the task, under the careful supervision of a member of the organisation.
Whichever method is chosen, please be respectful of the environment.
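The following simulation is an added example and is not part of the original policy text. It models a disk as a byte array with a minimal file table (the class, function names and the sample "customer list" are all constructed for illustration) and shows the point made above: ordinary deletion only changes metadata, so a raw scan of the disk still finds the content, whereas a wipe overwrites the blocks and a verification scan afterwards finds nothing.

```python
import os

BLOCK_SIZE = 16     # bytes per block in the toy disk
NUM_BLOCKS = 64     # a 1 KiB toy disk, enough for the demonstration


class ToyDisk:
    """A disk image with a minimal file table, modelled on how file systems
    unlink files: the directory entry goes, the blocks are marked free,
    and the bytes stay exactly where they were."""

    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the 'platter'
        self.table = {}                                   # name -> block list
        self.free = list(range(NUM_BLOCKS))               # free block indices

    def write(self, name, payload):
        """Store payload in the first free blocks and record them in the table."""
        blocks = []
        for offset in range(0, len(payload), BLOCK_SIZE):
            idx = self.free.pop(0)
            chunk = payload[offset:offset + BLOCK_SIZE]
            start = idx * BLOCK_SIZE
            self.data[start:start + len(chunk)] = chunk
            blocks.append(idx)
        self.table[name] = blocks

    def delete(self, name):
        """Ordinary deletion: only metadata changes, the content is untouched."""
        self.free.extend(self.table.pop(name))

    def wipe_free_space(self, passes=1):
        """Overwrite every free block with random bytes (a 'free space wipe')."""
        for idx in self.free:
            start = idx * BLOCK_SIZE
            for _ in range(passes):
                self.data[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)

    def wipe_whole_disk(self, passes=1):
        """What disposal needs: overwrite every block, allocated or not."""
        for _ in range(passes):
            self.data[:] = os.urandom(len(self.data))
        self.table.clear()
        self.free = list(range(NUM_BLOCKS))


def raw_contains(disk, needle):
    """Forensic-style check: ignore the file table and scan the raw bytes,
    which is what a recovery tool does on a discarded disk."""
    return needle in disk.data


def verify_wiped(disk, known_fragments):
    """Return the fragments that can still be found on the raw disk.
    An empty list means the wipe verification passed."""
    return [f for f in known_fragments if raw_contains(disk, f)]


def demo():
    # Constructed sample data standing in for a confidential file.
    secret = b"CUSTOMER LIST (constructed sample): Alice, Bob, Carol"
    disk = ToyDisk()
    disk.write("customers.txt", secret)
    disk.delete("customers.txt")
    recoverable_after_delete = raw_contains(disk, secret)   # True: still on disk
    disk.wipe_whole_disk()
    recoverable_after_wipe = raw_contains(disk, secret)     # False
    leftovers = verify_wiped(disk, [secret, b"Alice", b"Carol"])
    return recoverable_after_delete, recoverable_after_wipe, leftovers


if __name__ == "__main__":
    print(demo())
```

On real hardware the raw scan corresponds to reading the block device rather than the file system, and the verification step is the part worth keeping in a disposal procedure: wipe, then scan for known fragments before the disk leaves the building. A software overwrite cannot reach sectors the drive has remapped or, on flash media, blocks the wear-levelling layer keeps hidden, which is why the policy retains physical destruction or degaussing as an option for sensitive data.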
Applying Security Measures to:
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Human factors
- Physical and environmental security
- Operational and communications aspects
- Compliance
Technical Measures:
Clean Desk Policy
Follow a clean desk policy, i.e.:
- tidy away papers and removable data storage media (USB flash drives, disks, etc.), keeping them out of sight. Remove your documents from the printer, fax machine or photocopier;
- keep the most important media under lock and key, or even in a fireproof safe;
- if a PC is left unused for more than a few minutes, the screensaver should come on, and a password should be required to exit it and resume work. You are strongly advised not to bypass this step;
- use a special waste bin or a shredder to destroy sensitive paper documents.
Directly Associated Organisational Measures:
- Organisation of Security
- Classification and monitoring of resources
- Physical and environmental security
- Operational and communications aspects
- Compliance