Physical and Environmental Security
Secure Areas
Physical Security Controls
Physical entry controls will be used to protect all secure areas. These controls will be designed to prevent unauthorised access, damage or interference to the business processes that take place within the area. Physical security controls apply to any CX Index owned or controlled facility, including temporary locations.
Site Risk Assessment
A risk assessment of secure areas shall be conducted to determine the type and strength of the physical entry control that is appropriate and prudent. The security controls for an area should be commensurate with the value and classification of the information resources contained therein. This risk assessment must also take into account the physical surroundings of the site.
Site risk assessments must be conducted for any sites where CX Index will be sharing facilities with any outside organisation. This may be sharing a building (where physical access is common to all, but network access is specific to each organisation) or sharing a suite (where physical and network access is common to all) with others. Specific security requirements must be determined for these situations, based on the arrangements.
Where sites are deficient in physical security controls (such as leased sites where the owner will not allow modification to the structure, or shared sites with business partners), additional network security controls are warranted to protect the rest of the corporate network. In addition, the levels of sensitivity of information that can be processed or stored there may be restricted.
Restricted Access to Sites
Access to sensitive information and information processing facilities will be restricted to authorised persons only. Physical barriers (i.e., doors) must be of sufficient strength and construction to deter entry, based on the results of the risk assessment.
Controls to restrict access to facilities will be determined on a case-by-case basis. These controls will ensure that unauthorised persons do not have easy physical access to the facilities, and that any such access is detected and the appropriate personnel notified if a breach occurs. Senior Management will publish standards for access controls and other physical security measures commensurate with the classification levels of data present and the information protection requirements.
Access rights will be given on a least-privilege basis, and will be as granular as necessary to appropriately protect various classifications of information or facilities. Access rights to secure areas will be reviewed periodically and updated where necessary.
Visitor Procedures
All visitors to secured areas will be supervised and only allowed in for authorised purposes.
Employees will challenge unfamiliar people who are unescorted or not showing visible identification.
Third Party Physical Security at CX Index Facilities
Special situations may arise where third parties will have personnel and devices at CX Index facilities. These third parties must only be allowed access if they serve to augment the core capability or flow of CX Index’s business. Special care should be taken to limit access of third party personnel to only their work areas as much as possible.
Control of Physical Security Controls
Access to the mechanisms that control physical access to secure sites must be done on the least-privilege basis. This includes access to badge enabling systems, door lock keys, or any other physical access control systems. Master badges or keys must be restricted to very few individuals per site or system.
Securing Offices, Rooms, and Facilities
All offices, rooms and facilities that contain information resources other than public information will be protected accordingly to prevent unauthorised access, damage or interference to the business processes.
Site Risk Assessment
A risk assessment of secure areas shall be conducted to determine the type of control that is appropriate and prudent, taking into account not only personnel risks but also those of the environment, neighbourhood, civil unrest, and natural and man-made disasters. Health and safety regulations and concerns will also be examined and controls incorporated. Resulting policies may vary greatly depending on the locality of the office.
Information processing facilities that are managed by third party organisations shall be separated from those that are managed in-house.
Securing Sites when Unoccupied
Rooms in a facility that contain sensitive assets will be locked when not in use. Windows and doors will be kept locked and have protection from intrusion or environmental factors. Intrusion alarms will be in place and maintained to the vendors’ standards as applicable according to the information protection requirements. Unoccupied areas will be alarmed as required.
Sensitive documents will be locked in file cabinets or other protective furniture that takes into account the results of the risk analysis.
Additional controls will be implemented for computer and communications rooms or areas. Key facilities will be situated so as to avoid public access. Support functions and equipment will be situated in a way that keeps them away from the public and unauthorised personnel.
Signage and Directory Listings for Secure Sites
Buildings that contain sensitive materials or processing facilities will be unobtrusive and not marked in such a way that gives the public an indication of their purpose or function.
Directories and diagrams that provide information on locations of sensitive facilities shall be secured from unauthorised access.
Monitoring of Facilities for Physical Security
Where possible, systems shall monitor the physical security of facilities. Monitoring could include any or all of the following technologies, based on the outcome of the physical security risk assessment:
- Closed circuit TV or video cameras
- Glass break sensors
- Door and window opening alarms
- Hold open sensors for doors or windows
- Always-active door alarms for emergency exits and other little used doors
- Above or below ceiling sensors (for sites with false ceilings and walls that do not extend from floor to ceiling)
- Motion/heat sensors for sensitive working areas
- Security patrols
Other Site Security Issues
Hazardous or combustible materials shall be stored securely at a safe distance from secure facilities. Only necessary bulk supplies shall be stored within secure facilities.
Back-up equipment and media shall be stored off-site, at a distance from the facility sufficient that they would not be damaged if the facility is damaged.