Physical and Environmental Security Policy

History Log

Version

Date

Author

1.1 1

November 2018 Information Dynamics

1.2

December 2019

Information Dynamics

1.3

December 2020

Saravanan & Sureshkutty

1.4

December 2021

Saravanan & Sureshkutty

Physical & Environmental Security Policy Information Dynamics

1. Purpose

The purpose of this policy is to create a set of security controls to secure the physical

boundary of the firm. This includes employee and visitors physical access, management

of entry points and working in secure environments.

ISO 27001:2013 domain reference: A.11 – Physical and Environmental Security

ISO 27001:2013 Reference

A.11.1.1 Physical security perimeter

A.11.1.2 Physical entry controls

A.11.1.3 Securing offices, rooms and facilities

A.11.1.4 Protecting against external and environmental threats

A.11.1.5 Working in secure areas

A.11.1.6 Delivery and loading areas

A.11.2.1 Equipment siting and protection

A.11.2.2 Supporting utilities

A.11.2.3 Cabling security

A.11.2.4 Equipment maintenance

A.11.2.5 Removal of assets

A.11.2.6 Security of equipment and assets off-premises

A.11.2.7 Secure disposal or reuse of equipment

A.11.2.8 Unattended user equipment

2. Scope

The scope of the policy will be applicable to all activities under the scope statement of

Information Dynamics.

3. Policy

3.1. Secure Areas Policy

3.1.1. Physical Security Perimeter

 Physical premises shall be classified (zoning of premises) based on

the sensitivity of information processing environment as critical,

dedicated, restricted and public areas.

 Security perimeter shall be defined to protect these areas.

3.1.2. Physical Entry Controls

Internal 2 of 5

Physical & Environmental Security Policy Information Dynamics

 A secure area shall have a preventive mechanism to ensure that

unauthorized individuals do not enter and a detective mechanism to

ensure that all personnel movement into the area is logged.

 Access to the secure shall be granted for specific, authorized

purposes and shall be issued with instructions on the security

requirements of the area.

 All employees, contractors and third party users and all visitors shall

wear visible identification.

3.1.3. Securing Offices, Rooms and Facilities

The following shall be considered to secure offices, rooms and facilities:

 Key facilities shall be sited to avoid access by the public;

 Where applicable, buildings shall be unobtrusive and give minimum

indication of their purpose, with no obvious signs, outside or inside

the building; and

 Rooms available for information processing shall be lockable and

shall have lockable cabinets & fire proof safes wherever required.

3.1.4. Protecting against external and environmental threats

 Physical protection against damage from fire, flood, explosion, civil

unrest, and other forms of natural or man-made disaster shall be

designed and applied;

 Hazardous or combustible materials shall be stored at a safe distance

from a secure area;

 Proper working of fire prevention/detection/fighting, lightning

conductor and testing of electricity safety measures shall be ensured;

and

 Back-up media shall be sited at a safe distance to avoid damage from a

disaster affecting the main site

3.1.5. Working in Secure Areas

Physical protection in secure areas shall be designed and applied. Following

controls shall be enforced:

 Information processing facilities like network and server rooms will

be adequately secured using electronic access control system and

access will be restricted to only authorized personnel;

Internal 3 of 5

Physical & Environmental Security Policy Information Dynamics

 Vacant secure areas shall be physically locked and periodically

checked;

 Accesses by third party personnel to information processing facilities

shall be monitored.

3.1.6. Public Access, delivery and loading areas

 Access points for delivery and loading areas and other points where

unauthorized persons may enter the premises shall be controlled and

isolated to avoid unauthorized access.

3.2. Equipment Security

3.2.1. Equipment sitting and protection

 Environmental conditions shall be monitored to ensure that they do

not have adverse effects on the operation of information processing

facilities

 All storage media having non-public information shall be physically

protected.

 All equipments shall be maintained regularly as per the

manufacturers recommended service intervals and specifications.

3.2.2. Supporting Utilities

 Equipment shall be protected from power failures and other

disruptions caused by failures in supporting utilities.

 Suitable power supply controlled through UPS shall be provided for

all equipment as per the manufacturers’ specifications.

 All supporting utilities, such as electricity, water supply, sewage,

heating/ventilation, and air conditioning shall be adequate for the

systems they are supporting.

 Support utilities shall be regularly inspected and as appropriate tested

to ensure their proper functioning and to reduce any risk from their

malfunction or failure.

3.2.3. Cabling Security

Following shall be considered for cabling security:

 Power and telecommunications lines into information processing

facilities shall be underground, wherever possible; and

 Power cables shall be segregated from communications cables to

prevent interference.

Internal 4 of 5

Physical & Environmental Security Policy Information Dynamics

3.2.4. Equipment Maintenance

Equipment shall be regularly maintained to ensure its continued availability

and integrity. Following shall be considered for equipment security:

 Equipment maintenance shall be carried as per the schedule provided

by the vendor for service intervals;

 Maintenance of equipment shall be performed only by authorized

personnel;

 Records shall be kept of all suspected or actual faults, and all

preventive and corrective maintenance; and

 All requirements imposed by insurance policies shall be complied

with.

3.2.5. Security of Equipment Off-Premises

 The equipment or media taken off-premises shall be taken after

proper authorization and shall not be left unattended.

 Adequate insurance cover shall be provided to protect the equipment

off-site.

3.2.6. Secure Disposal or Reuse of Equipment

 The owners of information assets will authorize disposal or re-use of

the assets.

 Adequate controls will be followed during the disposal of the

equipments to prevent compromise of the information.

 Items of equipment containing storage media shall be checked to

ensure that no sensitive data and licensed software has been removed

or securely overwritten prior to disposal.

3.2.7. Removal of Property

 Movement of information processing equipment, information,

storage media or software to off-site location or for maintenance

activities shall be carried out after obtaining appropriate

authorization

4. Associated Documentation

1. End user guidelines

2. Admin guidelines

3. Asset Management procedure – (Secure disposal)

Internal 5 of 5