6. Physical and environmental security (ISO) : Information Security Management System

Secure areas

The objective of this category is to prevent unauthorized physical access, damage or interference to the organization's premises and infrastructure, using controls appropriate to the identified risks and the value of the assets protected.

Authorities: ISO-27002:2005 9.1.; HIPAA 164.310(a)(1)

Physical security perimeter • Security perimeters should be used to protect areas that contain information and information processing facilities -- using walls, controlled entry doors/gates, manned reception desks and other measures. Control includes:

perimeter siting and strength determined by risk assessment;
clearly defined and marked perimeters, except in situations where hidden/disguised perimeters would enhance security;
use of physically sound walls, windows and doors, protected with bars, locks, alarms as appropriate;
use of additional physical barriers, where appropriate to prevent unauthorized access or physical contamination;
provision of appropriate protection against fire, water or other reasonably anticipated environmental threats;
use of appropriate intrusion detection systems, such as motion and perimeter alarms, audio and video surveillance;
use of manned reception areas or appropriate lock/ID systems to control passage into the restricted area;
measures designed with sufficient redundancy such that a single point of failure does not compromise security; and
regular maintenance to and review of the adequacy of the components of these physical protections.

Authorities: ISO-27002:2005 9.1.1.; HIPAA 164.310(a)(1)

Physical entry control • Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Control includes:

authentication mechanisms (e.g., keycard and PIN) proportionate to the identified risks and the value of the asset(s) protected;
recording of date/time of entry and exit, and/or video recording of activities in the entry/exit area, as appropriate;
requirement for authorized personnel to wear visible identification, and to report persons without such identification;
appropriate authorization and monitoring procedures for third-party personnel who must be given access to the restricted area; and
regular review and, when indicated, revocation of access rights (see also human resources security.)

Authorities: ISO-27002:2005 9.1.2.; HIPAA 164.310(a)(1)

Secure offices, rooms and facilities • Physical security for offices, rooms and facilities should be designed and implemented. Control includes:

use of measures that are commensurate to the identified risks and the value of the assets at risk in each setting;
use of measures that balance relevant health, safety and related regulations and standards;
use of highly visible controls, where appropriate as a deterrent;
use of unobtrusive or hidden controls/facilities, where appropriate for highly sensitive assets; and
restrictions on information about facilities, including directory and location information.

Authorities: ISO-27002:2005 9.1.3.

Protecting against external and environmental threats • Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk should be designed and implemented. Control includes:

consideration of probabilities of various categories of risks and value of assets protected against those risks;
consideration of security threats posed by neighboring facilities and structures;
appropriate fire-fighting equipment and other counter-measures provided and suitably located on site; and
appropriate siting of backup facilities and data copies in a suitable location off-site.

Authorities: ISO-27002:2005 9.1.4.

Working in secure areas • Physical protection and guidelines for working in secure areas should be designed and implemented. Control includes:

limiting personnel's awareness of, and activities within, a secure location on a need-to-know basis;
limiting or prohibiting unsupervised/unmonitored work in secure areas, both for safety reasons and to avoid opportunities for malfeasance;
keeping vacant secure areas locked, subject to periodic inspection, and/or monitored remotely as appropriate by video or other technologies;
limiting video, audio or other recording equipment, including cameras in portable devices, in secure areas.

Authorities: ISO-27002:2005 9.1.5.

Public access, delivery and loading access • Access points such as delivery and loading areas, and other points where unauthorized persons may enter the premises, should be controlled. Control includes:

limits on access to the delivery and loading areas, and to other public access areas, to the degree possible;
inspection of incoming and outgoing materials, and separation of incoming and outgoing shipments, where possible; and
isolation of these areas from information processing facilities and areas where information is stored, where possible.

Authorities: ISO-27002:2005 9.1.6.

Equipment security

This category aims to prevent loss, damage, theft or compromise of assets or interruption to the organization's activities.

Authorities: ISO-27002:2005 9.2; HIPAA 164.310(a)(1)

Equipment siting and protection • Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and to reduce the opportunities for unauthorized access by human threats. Control includes:

siting to minimize unnecessary risks to the equipment, and to reduce the need for unauthorized access to sensitive areas;
siting to isolate items requiring special protection, to minimize the general level of protection required;
use of particularized controls as appropriate to minimize physical threats -- e.g., theft or damage from vandalism, fire, water, dust, smoke, vibration, electrical supply variance, or electromagnetic radiation; and
guidelines for eating, drinking, smoking or other activities in the vicinity of equipment.

Authorities: ISO-27002:2005 9.2.1.; HIPAA 164.310(c)

Supporting utilities • Equipment should be protected from power failures, telecommunications failures, and other disruptions caused by failures in supporting utilities such as HVAC, water supply and sewage. Control includes:

assuring that the supporting utilities are adequate to support the equipment under normal operating conditions; and
making reasonable provision for backups (e.g., a UPS) in the event of supporting utility failure.

Authorities: ISO-27002:2005 9.2.2.

Cabling security • Power and telecommunications cabling carrying sensitive data or supporting information services should be protected from interception or damage. Control includes:

physical measures to prevent unauthorized interception or damage, including additional protections for sensitive or critical systems;
alternate/backup routings or transmission media where appropriate, particularly for critical systems;
clearly identified cable and equipment markings, except where security is enhanced by removing/hiding such markings; and
documentation of patches and other maintenance activities.

Authorities: ISO-27002:2005 9.2.3.

Equipment maintenance • Equipment should be correctly maintained to ensure its continued availability and integrity. Control includes:

appropriate preventive maintenance;
documentation of all maintenance activities, including scheduled preventive maintenance;
documentation of all suspected or actual faults, and associated remediation;
maintenance only by authorized employees or contracted third parties; and
appropriate security measures, such as clearing of information or supervision of maintenance processes, appropriate to the sensitivity of the information on or accessible by the devices being maintained;

Authorities: ISO-27002:2005 9.2.4.

Security of equipment off-premises • Appropriate security measures should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises. Control includes:

authorization of any off-site processing of organizational information, regardless of the ownership of the processing device(s);
security controls for equipment in transit and in off-site premises, appropriate to the setting and the sensitivity of the information on or accessible by the device;
adequate insurance coverage, where third-party insurance is cost-effective; and
employee and contractor awareness of their responsibilities for protecting information and the devices themselves, and of the particular risks of off-premises environments.

Authorities: ISO-27002:2005 9.2.5.; HIPAA 164.310(c)

Secure disposal or re-use of equipment • All equipment containing storage media should be checked to ensure that sensitive data and licensed software has been removed or securely overwritten prior to disposal. Control includes:

use of generally accepted methods for secure information removal, appropriate to the sensitivity of the information known or believed to be on the media;
secure information removal by appropriately trained personnel, or verification of secure information removal by appropriately trained personnel.

Authorities: ISO-27002:2005 9.2.6.; HIPAA 164.310(d)(1)

Removal of property • Equipment, information or software should not be taken off-premises without prior authorization. Control includes:

limitations on types/amounts of information or equipment that may be taken off-site;
recording of off-site authorizations and inventory of equipment and information taken off-site; and
for persons authorized to take equipment or information off-site, appropriate awareness of security risks associated with off-premises environments and training in appropriate controls and counter-measures.