Physical Access and Security Policy


Document Number: Innovative Digital Solutions - Etisal International -ISMS-POL-006

1 Purpose

The purpose of this policy is to prevent unauthorized physical access to, damage to, and interference with the Firm's information and information processing facilities.

2 Scope

All Firm-owned and leased premises and locations.

Third-party and supplier physical and environmental security is out of scope.

3 Physical and Environmental Security Policy

3.1 Principle

The Physical and Environmental Security Policy is built on the principle of exceeding Health and Safety regulations while protecting the most sensitive physical assets on a risk basis.

3.2 Physical Security Perimeter

The physical perimeter of the building or site containing information processing facilities should be physically sound. The exterior roof, walls, and flooring of the site should be of solid construction, and all external doors should be suitably protected against unauthorized access with control mechanisms (e.g. bars, alarms, locks, card access).

Doors and windows should be locked when unattended, and external protection in the form of bars should be in place for windows, particularly at ground level.

Access to sites and buildings should be restricted to authorised personnel.

A manned reception area should be in place to control access to the building and to maintain a record of access.

All fire doors on a security perimeter should be alarmed, monitored, and tested in conjunction with the walls to establish the required level of resistance in accordance with suitable regional, national, and international standards. They should operate in accordance with the local fire code in a fail-safe manner.

Suitable intruder detection systems should be installed to national, regional, or international standards.

Information processing facilities managed by the Firm should be physically separated from those managed by external parties.

3.3 Secure Areas

Access rights to secure areas should be regularly reviewed, updated, and revoked when necessary.

Access to secure areas defaults to deny.

Access to areas where confidential information is processed or stored should be restricted to authorised individuals only, by implementing appropriate access controls (e.g. a two-factor authentication mechanism such as an access card and a secret PIN).

Logs of access are held and maintained for a minimum of 3 months.

External third-party services personnel are granted restricted access to secure areas or confidential information processing facilities only when required and always accompanied; this access is authorized and monitored.

Removable media storage should not be permitted in secure areas unless authorized.

3.4 Employee Access

Employee access should follow the principle of least privilege, with access granted according to role.

Access control mechanisms such as tokens and badges should be allocated to identify employees and other personnel and must be worn at all times.

Access control tokens and badges should not be shared, transferred, or loaned.

Access should be revoked immediately upon termination; all physical access tokens must be disabled and returned.

3.5 Visitor Access

Visitors are allowed unfettered access to the public areas.

Visitors are issued with instructions on the security requirements of the area and on emergency procedures.

Visitors are recorded in the visitor logbook and the information maintained for a minimum of three months.

Visitors are allocated a visitor pass that clearly identifies their visitor status, denies access to secure areas, and expires at the end of the business day on which it is issued.

Visitor access to secure areas requires verification of identity, including presentation of photographic identification.

Visitors are escorted at all times, except when using public areas and bathrooms.

3.6 Delivery and Loading Areas

Access to a delivery and loading area from outside of the building should be restricted to identified and authorized personnel.

The delivery and loading area should be designed so that supplies can be loaded and unloaded without delivery personnel gaining access to other parts of the building.

The external doors of a delivery and loading area should be secured when the internal doors are opened.

Incoming material should be inspected and examined for explosives, chemicals, or other hazardous materials before it is moved from a delivery and loading area.

Incoming material should be registered in accordance with asset management procedures on entry to the site.

Incoming and outgoing shipments should be physically segregated, where possible.

Incoming material should be inspected for evidence of tampering en route. If such tampering is discovered, it should be reported immediately to security personnel.

3.7 Network Access Control

Physical access to networking equipment should be restricted; this includes wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunications lines.

Network jacks / points in public areas should not allow unregistered devices access to the Firm's internal network.

Network jacks / points that allow access to the Firm's internal network should be secured by physical access control for entry and exit.

Visitors should be prohibited from connecting devices to network jacks / points that allow access to the Firm internal network unless explicitly authorised to do so and should always be escorted in areas with active network jacks/points.

3.8 Cabling Security

Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference, or damage.

Power and telecommunication lines into processing facilities should be underground.

Power cables should be segregated from communication cables to prevent interference.

Physical access to network cables should be restricted where possible.

Access to cable rooms and patch panels should be restricted by physical access control.

3.9 Equipment Siting and Protection

Equipment should be sited to minimize unnecessary access into work areas.

Information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during their use.

Storage facilities should be secured to avoid unauthorized access.

Items requiring special protection should be safeguarded to reduce the general level of protection required.

Controls should be adopted to minimize the risk of potential physical and environmental threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism.

Guidelines for eating, drinking, and smoking in proximity to information processing facilities should be established.

Environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities.

Lightning protection should be applied to all buildings, and lightning protection filters should be fitted to all incoming power and communication lines.

The use of special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments.

Equipment processing confidential information should be protected to minimize the risk of information leakage due to electromagnetic emanation.

4 Policy Compliance

4.1 Compliance Measurement

The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved and recorded by the Information Security Head in advance and reported to the Management review team.

Exceptions to this policy shall comply with the ISMS Exception Request Management Standard.

Exceptions shall only be approved where it is technically, practically, or financially infeasible to comply with this policy.

Reviews of exemptions shall be performed at least annually.

4.3 Non-compliance

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

The policy is updated and reviewed as part of the continual improvement process at least annually.

5 Review and Continual Improvement

The Information Security Office will review this policy no later than one year from the date the document is approved. This policy may be reviewed earlier in response to post-implementation feedback, changes to applicable rules, or as necessary in accordance with the Firm's policies and procedures.