
History Log
Version | Date | Author
1.1 | 1st November 2018 | Information Dynamics
1.2 | 29th December 2019 | Information Dynamics
1.3 | 24th December 2020 | Saravanan & Sureshkutty
1.4 | 24th December 2021 | Saravanan & Sureshkutty
1.5 | 24th December 2022 | Saravanan & Sureshkutty
Purpose
The purpose of this policy is to define a set of security controls that protect the physical boundary of the firm. This includes physical access by employees and visitors, management of entry points, and working in secure environments.
ISO 27001:2013 domain reference: A.11 – Physical and Environmental Security
ISO 27001:2013 Reference | Control Title
A.11.1.1 | Physical security perimeter |
A.11.1.2 | Physical entry controls |
A.11.1.3 | Securing offices, rooms and facilities |
A.11.1.4 | Protecting against external and environmental threats |
A.11.1.5 | Working in secure areas |
A.11.1.6 | Delivery and loading areas |
A.11.2.1 | Equipment siting and protection |
A.11.2.2 | Supporting utilities |
A.11.2.3 | Cabling security |
A.11.2.4 | Equipment maintenance |
A.11.2.5 | Removal of assets |
A.11.2.6 | Security of equipment and assets off-premises |
A.11.2.7 | Secure disposal or reuse of equipment |
A.11.2.8 | Unattended user equipment |
Scope
The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.
Policy
Secure Areas Policy
Physical premises shall be classified (zoning of premises) as critical, dedicated, restricted or public areas, based on the sensitivity of the information processing environment.
Security perimeters shall be defined to protect these areas.
A secure area shall have a preventive mechanism to ensure that unauthorized individuals do not enter and a detective mechanism to ensure that all personnel movement into the area is logged.
Access to secure areas shall be granted only for specific, authorized purposes, and persons granted access shall be issued with instructions on the security requirements of the area.
All employees, contractors and third party users and all visitors shall wear visible identification.
The following shall be considered to secure offices, rooms and facilities:
Key facilities shall be sited to avoid access by the public;
Where applicable, buildings shall be unobtrusive and give minimum indication of their purpose, with no obvious signs, outside or inside the building; and
Rooms available for information processing shall be lockable and shall have lockable cabinets & fire proof safes wherever required.
Physical protection against damage from fire, flood, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied;
Hazardous or combustible materials shall be stored at a safe distance from a secure area;
Proper working of fire prevention/detection/fighting, lightning conductor and testing of electricity safety measures shall be ensured; and
Back-up media shall be sited at a safe distance to avoid damage from a disaster affecting the main site.
Physical protection in secure areas shall be designed and applied. The following controls shall be enforced:
Information processing facilities such as network and server rooms shall be adequately secured using an electronic access control system, and access shall be restricted to authorized personnel only;
Vacant secure areas shall be physically locked and periodically checked; and
Access by third party personnel to information processing facilities shall be monitored.
Access points for delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and isolated to avoid unauthorized access.
Equipment Security
Environmental conditions shall be monitored to ensure that they do not have adverse effects on the operation of information processing facilities.
All storage media holding non-public information shall be physically protected.
All equipment shall be maintained regularly as per the manufacturer's recommended service intervals and specifications.
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Suitable power supply controlled through UPS shall be provided for all equipment as per the manufacturers’ specifications.
All supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air conditioning, shall be adequate for the systems they are supporting.
Supporting utilities shall be regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk from their malfunction or failure.
The following shall be considered for cabling security:
Power and telecommunications lines into information processing facilities shall be underground, wherever possible; and
Power cables shall be segregated from communications cables to prevent interference.
Equipment shall be regularly maintained to ensure its continued availability and integrity. The following shall be considered for equipment security:
Equipment maintenance shall be carried out as per the schedule provided by the vendor for service intervals;
Maintenance of equipment shall be performed only by authorized personnel;
Records shall be kept of all suspected or actual faults, and all preventive and corrective maintenance; and
All requirements imposed by insurance policies shall be complied with.
Equipment or media shall be taken off-premises only after proper authorization and shall not be left unattended.
Adequate insurance cover shall be provided to protect the equipment off-site.
The owners of information assets will authorize disposal or re-use of the assets.
Adequate controls shall be followed during the disposal of equipment to prevent compromise of the information it holds.
Items of equipment containing storage media shall be checked prior to disposal to ensure that any sensitive data and licensed software has been removed or securely overwritten.
Movement of information processing equipment, information, storage media or software to an off-site location, or for maintenance activities, shall be carried out only after obtaining appropriate authorization.
End user guidelines
Admin guidelines