Physical Security Policy

Overview

Information assets are necessarily associated with the physical devices on which they reside. Information is stored on workstations and servers and transmitted on the company's physical network infrastructure. In order to secure the company data, thought must be given to the security of the company's physical Information Technology (IT) resources to ensure that they are protected from standard risks.

Purpose

The purpose of this policy is to protect the company's physical information systems by setting standards for secure operations.

Scope

This policy applies to the physical security of the company's information systems, including, but not limited to, all company-owned or company-provided network devices, servers, personal computers, mobile devices, and storage media. Additionally, any person working in or visiting the company's office is covered by this policy.

Please note that this policy covers the physical security of the company's Information Technology infrastructure, and does not cover the security of non-IT items or the important topic of employee security. While there will always be overlap, care must taken to ensure that this policy is consistent with any existing physical security policies.

Policy

Choosing a Site

When possible, thought should be given to selecting a site for IT Operations that is secure and free of unnecessary environmental challenges. This is especially true when selecting a datacenter or a site for centralized IT operations. At a minimum, the company's site should meet the following criteria:

  • A site should not be particularly susceptible to fire, flood, earthquake, or other natural disasters.

  • A site should not be located in an area where the crime rate and/or risk of theft is higher than average.

  • A site should have the fewest number of entry points possible.

If these criteria cannot be effectively met for any reason, the company should consider outsourcing its data in whole or in part to a third-party datacenter or hosting provider, provided that such a company can cost effectively meet or exceed the company's requirements.

 

Security Zones

At a minimum, the company will maintain standard security controls, such as locks on exterior doors and/or an alarm system, to secure the company's assets. In addition to this the company must provide security in layers by designating different security zones within the building. Security zones should include:

1. Public

This includes areas of the building or office that are intended for public access.

  • Access Restrictions: None

  • Additional Security Controls: None

  • Examples: Lobby, common areas of building

2. Company

This includes areas of the building or office that are used only by employees and other persons for official company business.

  • Access Restrictions: Only company personnel and approved/escorted guests

  • Additional Security Controls: None

  • Examples: Hallways, private offices, work areas, conference rooms

3. Private

This includes areas that are restricted to use by certain persons within the company, such as executives, scientists, engineers, and IT personnel, for security or safety reasons.

  • Access Restrictions: Only specifically approved personnel

  • Additional Security Controls: None

  • Examples: Executive offices, lab space, network room, manufacturing area, financial offices, and storage areas.

Access Controls

Access controls are necessary to restrict entry to the company premises and security zones to only approved persons. There are a several standard ways to do this, which are outlined in this section, along with the company's guidelines for their use.

1. Keys & Keypads - The use of keys and keypads is acceptable, as long as keys are marked "do not duplicate" and their distribution is limited. These security mechanisms are the most inexpensive and are the most familiar to users. The disadvantage is that the company has no control, aside from changing the locks or codes, over how and when the access is used. Keys can be copied and keypad codes can be shared or seen during input. However, used in conjunction with another security strategy, such as an alarm system, good security can be obtained with keys and keypads.

2. Keycards & Biometrics - The company requires that keycards or biometrics be used for all user access controls. The company must use this technology to enforce security zones and provide employees the least amount of access required to do their jobs. 

Keycards and biometrics have an advantage over keys in that access policies can be tuned to the individual user. Schedules can be set to forbid off-hours access, or forbid users from accessing a security zone where they are not authorized. Perhaps best of all, these methods allow for control over exactly who possesses the credentials. If a keycard is lost or stolen it can be immediately disabled. If an employee is terminated or resigns, that user's access can be disabled. The granular control offered by keycards and biometrics make them appealing access control methods.

3. Alarm System - A security alarm system is a good way to minimize risk of theft or reduce loss in the event of a theft. The company recommends the use of an alarm system where feasible; however, historically the company’s offices have been located in shared-space buildings where alarm systems are not possible to install. The physical security measures in place to control entry into these buildings provides adequate protection in lieu of an alarm system.

Physical Data Security

Certain physical precautions must be taken to ensure the integrity of the company's data. At a minimum, the following guidelines must be followed:

  • Computer screens must be positioned where information on the screens cannot be seen by outsiders.

  • Confidential and sensitive information must not be displayed on a computer screen where the screen can be viewed by those not authorized to view the information.

  • Users must log off or shut down their workstations when leaving for an extended time period, or at the end of the workday.

  • Network cabling must not run through non-secured areas unless the cabling is carrying only public data (i.e., extended wiring for an Internet circuit).

  • Network ports that are not in use must be disabled.

Physical System Security

In addition to protecting the data on the company's information technology assets, this policy provides the guidelines below on keeping the systems themselves secure from damage or theft.

1. Minimizing Risk of Loss and Theft

In order to minimize the risk of data loss through loss or theft of company property, the following guidelines must be followed:

  • Unused systems: If a system is not in use for an extended period of time it should be moved to a secure area or otherwise secured.

  • Mobile devices: Special precautions must be taken to prevent loss or theft of mobile devices. Refer to the company's Mobile Device Policy for guidance.

  • Systems that store confidential data: Special precautions must be taken to prevent loss or theft of these systems. Refer to the company's Confidential Data Policy for guidance.

2. Minimizing Risk of Damage

Systems that store company data are often sensitive electronic devices that are susceptible to being inadvertently damaged. In order to minimize the risk of damage, the following guidelines must be followed:

  • Environmental controls should keep the operating environment of company systems within standards specified by the manufacturer. These standards often involve, but are not limited to, temperature and humidity.

  • Proper grounding procedures must be followed when opening system cases. This may include use of a grounding wrist strap or other means to ensure that the danger from static electricity is minimized.

  • Strong magnets must not be used in proximity to company systems or media.

  • Except in the case of a fire suppression system, open liquids must not be located above company systems. Technicians working on or near company systems should never use the systems as tables for beverages. Beverages must never be placed where they can be spilled onto company systems.

  • Uninterruptible Power Supplies (UPSs) and/or surge-protectors are strongly recommended for all computer systems. These devices should ideally carry a warranty that covers the value of the systems if the systems were to be damaged by a power surge.

 

Fire Prevention

It is the company's policy to provide a safe workplace that minimizes the risk of fire. In addition to the danger to employees, even a small fire can be catastrophic to computer systems. Further, due to the electrical components of IT systems, the fire danger in these areas is typically higher than other areas of the company's office. The guidelines below are intended to be specific to the company's information technology assets and should conform to the company's overall fire safety policy.

  • Fire, smoke alarms, and/or suppression systems must be used, and must conform to local fire codes and applicable ordinances.

  • Electrical outlets must not be overloaded. Users must not chain multiple power strips, extension cords, or surge protectors together.

  • Extension cords, surge protectors, power strips, and uninterruptible power supplies must be of the three-wire/three-prong variety.

  • Only electrical equipment that has been approved by Underwriters Laboratories and bears the UL seal of approval must be used.

  • Unused electrical equipment should be turned off when not in use for extended periods of time (i.e., during non-business hours) if possible.

  • Periodic inspection of electrical equipment must be performed. Power cords, cabling, and other electrical devices must be checked for excessive wear or cracks. If overly-worn equipment is found, the equipment must be replaced or taken out of service immediately depending on the degree of wear.

 

Entry Security

It is the company's policy to provide a safe workplace for employees. Monitoring those who enter and exit the premises is a good security practice in general, but is particularly true for minimizing risk to company systems and data. The guidelines below are intended to be specific to the company's information technology assets and should conform to the company's overall security policy.

Use of Identification Badges

Identification (ID) badges are useful to identify authorized persons on the company premises. The company has established the following guidelines for the use of ID badges.

  • Employees: ID badges are required in accordance with Veterans Administration (VA) security guidelines.

  • Non-employees/Visitors: Visitor badges are not required, though generic visitor badges are encouraged. Third-party contractors onsite to perform work on behalf of the company should display badges, apparel branding or other identifying markings while in company-controlled spaces.

Sign-in Requirements

The company must maintain a sign-in log (or similar device) in the lobby or entry area and visitors must be required to sign in upon arrival. At minimum, the register must include the following information: visitor's name, company name, reason for visit, name of person visiting, sign-in time, and sign-out time.

Visitor Access

Visitors should be given only the level of access to the company premises that is appropriate to the reason for their visit. After checking in, visitors must be escorted unless they are considered "trusted" by the company. Examples of a trusted visitor may be the company's legal counsel, financial advisor, or a courier that frequents the office, and will be decided on a case-by-case basis.

Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

Definitions

  • Biometrics The process of using a person's unique physical characteristics to prove that person's identity. Commonly used are fingerprints, retinal patterns, and hand geometry.

  • Datacenter A location used to house a company's servers or other information technology assets. Typically offers enhanced security, redundancy, and environmental controls.

  • Keycard A plastic card that is swiped, or that contains a proximity device, that is used for identification purposes. Often used to grant and/or track physical access.

  • Keypad A small keyboard or number entry device that allows a user to input a code for authentication purposes. Often used to grant and/or track physical access.

  • Mobile Device A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.

  • PDA Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.

  • Smartphone A mobile telephone that offers additional applications, such as PDA functions and email.

  • Uninterruptible Power Supplies (UPSs) A battery system that automatically provides power to electrical devices during a power outage for a certain period of time. Typically also contains power surge protection.

(843) 371-0037

109 Bee St, Charleston, SC 29401, USA

©2020 by Lowcountry Center for Veterans Research.