IT Policies, Standards, and Guidelines

Physical Security Standards

Physical access to areas containing IT information resources (including data, data processing equipment and storage devices) and its supporting infrastructure (communications, power and the environment) that involve confidential and/or registered confidential data, must be controlled to prevent, detect, and minimize the effects of unauthorized or unintended access to these areas.

Physical access controls must be in place for the following:

• Data Centers;
• Areas containing servers and associated media;
• Power and emergency backup equipment; and
• Operations and control areas.

1. Choose a site for IT information resources for which it is reasonably easy to ensure proper environmental and physical controls.
• The site should be reasonably safe from exposure to fire, flood, explosion, or similar hazards.
• The site should have as few access points as safety and the functions of the site allow.
• Where applicable, detection devices should be utilized to prevent theft and to safeguard the equipment.
• Doors that provide access to the equipment and media should be constructed so as to discourage break-in.
• Physical security devices should have regular preventive maintenance and maintenance logs should be retained.
• All portable storage media such as hard drives, flash media drives, diskettes, magnetic tapes, laptops, PDAs, etc., should be physically secured.
• Where feasible, file servers used to store confidential or registered confidential data should be physically located in separate locked areas that cannot be accessed by others who might have a need to enter the main facility but do not require access to the specific equipment.
2. Ensure that access to the facility is controlled by granting access only to those employees, contractors, technicians and vendors who have legitimate business responsibilities within the facility.
• There should be a regular review of authorization for facility access of employees and vendors that ensures that facility access is limited to only those with a business need for physical, rather than electronic access to the facility, equipment and media.
• Procedures must be in place that limit access to those with authorization and which will enable the auditing of authorization and access, procedures and logs. Procedures should address both normal business hours and non-business hours. Employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Data Center personnel should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises.
• Authorization procedures must address change in work or contractual status. A list of authorized individuals and the specific equipment/data that each individual has access to must be maintained.
• All physical access to facilities by visitors (including vendors) must be logged (e.g., through sign-in sheets) for entry, exit and purpose, and all access logs should be retained. All visitors should be escorted by an employee who is authorized to access the facility. All visitors should be required to wear an identification badge during the time they are in the facility.
• In the case where physical keys are used, the keys should be marked “Do not Duplicate”.
• When an individual is no longer authorized to access the facility his keys and access must be removed.
• There should be procedures in place for handling lost keys and access cards.