1.1 Appropriate physical security and
access control measures should be established for information technology
facilities, including off-site use of information devices. Physical security and
access controls should address the areas containing system hardware, network
wiring, backup media, and any other elements required for the system's
operation.
1.2 Management should establish appropriate
physical safeguards over special forms such as negotiable instruments, and over
sensitive output devices such as signature cartridges. In doing so, management
should take into consideration proper accounting of IT resources, forms or items
requiring additional protection, and inventory management.
1.3 Original copies of purchased software
should be housed in a secured location.
A Definition of Security
Security is the protection of data against:
Accidental destruction or modification by forces of nature or by people.
Intentional destruction or modification by unauthorized people.
Accidental or intentional disclosure to unauthorized people.
Physical Security
Physical security is an essential part of information technology (IT)
security. Physical security encompasses not only the area containing system
hardware, but also locations of wiring used to connect the systems, supporting
services, backup provisions and any other part of the systems.
Access to IT resources should be restricted to only those individuals with a
need for access. When IT resources are located in a public place, they should be
protected as well.
Tips for effective physical security
Keep a log of all individuals admitted to secured areas.
Sufficient measures should be put in place and maintained for protection
against environmental factors (e.g., fire, dust, power, excessive heat and
humidity).
Generators to provide power in the event of an interruption are desirable.
Have formal, documented policies and procedures that govern the receipt
and removal of hardware/software from a facility.
Document repairs and modifications to the physical components of a
facility, such as hardware, software, walls, doors, and locks.
Use surge protectors when possible on all machines.
Physical security includes the end user machines. Make provisions for
individual workstations.
Laptops should be protected during transport by placing them in secured storage
or keeping them in your possession.
When possible, users should lock their workstations any time they leave
their immediate work area.
Critical Resources
Data centers, wiring closets, and other rooms with critical resources ideally:
Should have access restricted to those authorized because of a need for access
Should have locked doors even during normal business hours
Should have adequate electric wiring with proper grounding
Should be located in areas that are not subject to flooding
Should not have windows to the outdoors
Should be protected with non-water based fire suppression systems
Should be in a location as obscure to the public as practical
Should not overtly advertise their location (e.g., listings on boards in
public areas)
When not staffed, should be monitored with a system to provide
notification in case of heat, moisture, or access outside of set parameters
Should not contain unnecessary flammable materials such as cardboard boxes
and extra paper
Should provide closed cabinets for needed flammable materials such as log
books and manuals
Should not contain dust producing devices such as paper shredders or high
speed printers
Should assure proper disposal of physical data records, including
computers and their components, removable media (e.g., tape, diskettes, CDs),
printouts, and microfiche
Questions?
For more information about effective physical security and other security
practices, contact: