PHYSICAL SECURITY & ENVIRONMENTAL SECURITY

General Overview

Physical security elements are safeguards enacted to ensure only authorized individuals have access to various physical locations, such as corporate facilities, data warehouses, computer operation centers, and any other critical areas. Additionally, physical security also consists of the various measures put in place for protecting organizational assets, ranging from people and property to any number of tangible goods, services or products. And with many organizations today outsourcing critical functions to data centers, managed services providers, and document storage facilities - just to name a select few - physical security has now become a critical component of one's risk assessment and risk management framework. Knowing where your assets are and how they are protected is paramount. But it is just as important to have physical security controls in place at one's corporate office, satellite offices, and any other important locations.

Another important component of physical security is the set of supporting environmental security controls in place. Specifically, environmental security elements are the essential measures utilized to protect physical surroundings from damaging elements, such as fire, water, smoke, electrical surges, spikes, and outages, along with any other hidden dangers. Environmental safeguards are critical in that they, along with physical security, ensure the safety of the employees, company property, and all other pertinent physical elements near the facility.

The subsequent Physical Security & Environmental Security policy and procedures document includes all necessary measures for ensuring adequate safeguards are in place at all facilities considered critical from an organizational perspective. The scope of this policy and procedure document includes the following types of facilities:

- Corporate office and regional, satellite offices.
- Data centers, co-location facilities, managed service providers, document storage providers, warehouses, etc.
- Any other physical facility to which the subsequent policy, procedures, and checklists could be adapted and ultimately used.
Physical Security & Environmental Security Policy and Procedures

Title: [company name] Physical Security & Environmental Security Policy and Procedures
Version: Version 1.0
Date: TBD
Language: English
Individual and/or Department Responsible for Distribution of Document: [company name] Information Technology Department
Individual and/or Department Responsible for Timely Update of Document: [name and title]
Developed by: [company name]
Subject: Use of Software
Approval Date: TBD
Purpose of Document: To implement comprehensive Physical Security & Environmental Security policies, procedures, and practices whereby all employees and other intended parties are readily aware of the organization's Physical Security & Environmental Security policies.
Distribution of Document: Disbursed to all employees of [company name] and available by request to all other intended parties.
1.0 Overview

In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal Physical Security & Environmental Security policy and supporting procedures. This policy is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding [company name]'s needs and goals.

1.0 Purpose

This policy and supporting procedures are designed to provide [company name] with a documented and formalized Physical Security & Environmental Security policy that is to be adhered to and utilized throughout the organization at all times. Compliance with the stated policy and supporting procedures helps ensure the safety and security of the [company name] I.T. system resources and all supporting assets. Assets are defined as the following: something that is deemed to be tangible or intangible and that is capable of being owned, operated, maintained, and controlled to produce a stated value.

1.0 Scope

This policy and supporting procedures encompass all system resources and supporting assets that are owned, operated, maintained, and controlled by [company name] and all other system resources, both internal and external, that interact with these systems. Internal system resources are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (and the operating systems and applications that reside on them, both physical and virtual servers) and any other system resources and supporting assets deemed in scope. External system resources are those owned, operated, maintained, and controlled by any entity other than [company name], but which may impact the confidentiality, integrity, and availability (CIA) of [company name] system resources and supporting assets.

1.0 Policy

[Company name] is to ensure that the Physical Security & Environmental Security policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:

Construction

The applicable facilities are to be constructed in a manner that ensures the adequate protection of all [company name] system resources and supporting assets. Specifically, this requires that the following elements meet and/or exceed all local, state, federal and country- or region-specific mandated guidelines pertaining to construction of a commercial facility:

- Designed and built with the use of approved architectural, mechanical, electrical and/or engineering drawings.
- Safe and secure foundation and footing that meets all stated zoning requirements.
- Proper utilities in place, such as sewer, water, gas, electric, fire protection, fire prevention, and other applicable utilities as warranted.
- Appropriate insurance in place, such as general liability, workers' compensation, and other applicable insurance coverage.
- Architecturally and structurally sufficient to meet all needs of [company name].

If necessary, authorized personnel within [company name] are to contact the appropriate party for confirmation of the aforementioned elements.

Physical Security Protection Measures

The applicable facilities are to have adequate physical protection measures in place consisting of the following elements, as applicable:

Location: Geographically located in a secure area, with appropriate markings and indications commensurate with its use. Note: Some facilities require clear identification as to what they are and their purpose, while other facilities deliberately hide their identification. Ultimately, this determination is to be made by management of the applicable facility.

Construction: Solid construction with minimal or no physical openings that could weaken the physical structure and/or allow unauthorized access. Additionally, all doors and main entry and egress points (windows, bay doors, roof entry points, underground access points, shipping and receiving entry areas, etc.) are to be deemed of adequate physical construction.

Physical Barricades: Physical elements that serve as barricades for protecting the physical grounds. This is a requirement for any data center or co-location facility in which [company name] system resources and supporting assets reside. Additionally, appropriate gates, fences and other physical devices are to be utilized as necessary.

Access Control Protection: One or more of the following protection measures regarding physical access: Electronic Access Control (ACS), biometrics (i.e., iris, palm reader, facial recognition), and/or traditional lock-and-key measures. Note: Any windows, bay doors, roof entry points, underground access points, shipping and receiving entry areas, and any other entry and egress areas that do not utilize ACS, biometrics, or lock-and-key are to be secured with adequate protection measures, such as internal locks, latches, or other approved devices or mechanisms. Additionally, all access control points are to be securely closed and locked when not in use or unattended. Access via Electronic Access Control (ACS) and biometrics (i.e., iris, palm reader, facial recognition) is only granted to authorized individuals - those who have gone through the proper provisioning process.

Customer Information: An important component of ensuring that adequate physical security protection measures are in place is keeping track of all personnel that enter and leave a facility. Thus, all critical customer information, such as vital statistical information (i.e., name, company affiliation, contact information, date and time of entrance and departure, etc.), is to be captured, recorded, stored, and archived.
Manned Access Control Points: For areas where individuals enter, register, and leave the applicable facility, actual personnel are to be stationed for aiding and facilitating these processes. Additionally, visitor and employee provisioning and de-provisioning systems are to be in place that document all essential access information.

Placing of Equipment: All system resources and supporting assets located at a facility that handles (i.e., stores, processes and/or transmits) sensitive data should be located in physically secure areas, and isolated as necessary, to avoid unauthorized access. Additionally, controls are to be in place for helping minimize the many physical and environmental threats as discussed throughout this stated policy and procedures document.

Vegetation

All vegetation (i.e., grass, shrubs, plants, etc.) is to be appropriately maintained at all times by either a licensed, bonded, and insured landscaping company or by [company name] landscape personnel. Adequate maintenance of vegetation not only improves the appearance of a facility, it also ensures that intruders or other suspicious people or elements cannot conceal themselves as easily.

Security Alarm System

A security alarm system is to be in place, operational at all applicable times as necessary, with hard-wired and wireless monitoring (where applicable) for all entry and egress points throughout the facility, and other areas deemed vulnerable. Additionally, response and resolution services for the security alarm are to be provided by a licensed, bonded, and insured third-party security alarm company and/or local police. Moreover, an appropriate party at [company name] is to be immediately notified anytime an alarm has passed its maximum threshold whereby the third-party security alarm company and/or the local police have been contacted.

Alarm Points

Both hard-wired contact points and wireless alarm points (where applicable) are to be utilized for ensuring the security alarm system is connected to all critical entry and egress points throughout the facility and other areas deemed vulnerable. Glass breakers, motion detectors, and voice recognition elements, if used, are to be tied into the security alarm system using approved measures.

Cameras, Monitoring, Surveillance, Recording, and Archival

Cameras are to be strategically placed throughout the facility as deemed necessary and capable of capturing and recording all activity. Additionally, this requires the use of monitoring devices whereby authorized personnel can view all activity in real time, while also recording such activity. During non-business hours or when personnel are not available for real-time viewing, recording is to be in place that allows for capturing any activity. Moreover, archival measures are to be in place (minimum of 90 days) for retention of data caught on camera.

Threat Conditions Policy

Because of the growing threats facing organizations, a threat conditions policy is to be in place which consists of documented responses and initiatives to undertake in the event of an actual threat. This may include, but is not limited to, the following:

- Threats of terrorism or hostage situations.
- Physical or environmental conditions resulting in the structural integrity of a facility being compromised, which could ultimately endanger the lives of all occupants.
- Power outages, utility issues.
- Technology threats and data compromises, such as Distributed Denial of Service Attacks (DDoS), etc.

Badge Identification and Equipment Checks

Any persons entering or leaving a facility are to be checked at any time, and at the discretion of authorized personnel, for properly identifying who they are and for items deemed suspicious that may be in their possession. Because many system resources and supporting assets can be small in size, and also costly, bag checks, body searches, pat downs, and any other checks deemed necessary are to be employed.

Removal of Property and Security of Equipment

Property is to be removed from a facility with approved methods only, ones that allow for a documented process that records vital statistical information for such property, whether it leaves indefinitely or is being returned at a later date (for which it will then be required to be checked in through a documented process also). Specifically, property may only be removed if approved by authorized personnel and is required to be returned (if applicable) within an agreeable and predetermined timeframe. Additionally, property, while still under the legally binding ownership of the applicable facility, is to be safeguarded at all times, must adhere to the manufacturer's operating policies (if applicable), with appropriate insurance in place for protecting such property.

Cages, Cabinets, and Vaults

System resources, such as computer and networking systems (both the hardware, software, and supporting assets), are to be placed in secure cages, cabinets, or vaults that meet or exceed strength, rigidity, and general safety standards as required by law and/or customers. Additionally, physical access controls, such as electronic access control systems (ACS), combination locks, punch key locks, and/or traditional lock and key, are to be used for protection of the applicable system resources.

Security Department and Security Staff

As necessary, the applicable facility is to have in place a formalized security department consisting of the following:

- Operates 24x7 and is responsible for controlling and monitoring facility access and ensuring compliance with access procedures.
- Is responsible for controlling the movement of materials taken out of the facility's main entry and exit points, issuing photo ID access badges and visitor badges and retrieving them also, along with administering the computerized access control system to permit and terminate access.
- Dedicated on-site security staff 24x7 who are responsible for proper operations and maintenance of the physical security systems, loss prevention, material movement, and security policy and procedures compliance.
- Dedicated on-site security staff 24x7 who perform the following functions:
  - Response and resolution to security alarms.
  - Customer assistance for cage lockouts and escorts.
  - Scheduled and unscheduled security inspections.
  - Enforcement of no food or drinks in certain areas.
  - Enforcement of the no unauthorized photography policy.
  - Fire and safety patrol inspections.
  - Monitor intrusion security alarm systems.
  - Dispatch mobile security officers to emergencies.
  - Monitoring to prevent unauthorized access, such as tailgating.
  - Assist all individuals who have authorized access to enter the facility.
  - Controlling access to the data center by confirming identity.
  - Issue and retrieve access badges.
  - Respond to telephone and radio communications.

Local Law Enforcement Contact Information

The posting of local law enforcement contact information (other than 911 or other emergency numbers) is to be in place whereby authorized personnel can contact authorities as necessary. This information should be made available to security staff and posted accordingly in an area where it can be easily viewed by such security staff (such as their security room).

Mantrap

Mantraps, which are common in any facility that requires entrance into sensitive areas, are to be used as necessary. This often includes facilities such as data centers, co-location entities, managed services providers and other related entities.

Facility Access

Only authorized personnel (i.e., employees, visitors, contractors, and other third parties) are allowed access to the applicable facility, with one's access rights commensurate with his or her roles and responsibilities. Additionally, a documented identification, provisioning and de-provisioning process and related procedures are to be in place consisting of the following measures:

- The use of a software utility or ticketing system, in conjunction with a hard-copy log report, that captures all vital statistical access rights information, such as full name, contact information, company affiliation, along with date and time of entry and departure to and from the facility, and any other vital statistical information.
- For individuals who have been granted an actual access control badge - thus allowing them to bypass many of the provisioning steps in place for visitors, contractors, and other third-party individuals - the software utility that allows access is to be reviewed on a regular basis. The regular review is to ensure that all terminated users do not have access and that access for current users is commensurate with their roles and responsibilities.
- Assignment of a badge, card reader, or some other clearly labeled form of visible identification that indicates the type of personnel they are (i.e., employees, visitors, contractors, and other third party), the type of access, and the duration of access (if applicable). Note: The requirement for a "clearly labeled form of visible identification" prevents unauthorized access and allows anyone within the facility to identify unescorted visitors, ultimately helping in determining if access controls have been breached. Thus, visitors, contractors, and other third-party individuals are to be escorted at all times, when applicable.
- For areas deemed restricted, sensitive, classified, or any other designation whereby access is allowed only to select, authorized personnel, additional access control measures are to be in place (i.e., two-factor authentication, biometrics, etc.) for protecting [company name]'s system resources and supporting assets.
- Because many facilities have shipping, receiving, delivery, and loading areas that are used on a daily basis, these areas are to have secure access control mechanisms in place, such as those described earlier under "Physical Security Protection Measures." Additionally, for facilities that have shipping, receiving, delivery, and loading areas, the following provisions are to be in place:
  - Access restricted to authorized personnel.
  - Areas that are confined to only their applicable use, with no access allowed to other parts of the facility without undertaking the access control process.
  - Incoming and outgoing goods and products are to be inspected, tagged and labeled accordingly, recorded, and registered with an approved method.
  - Goods and products arriving at the facility are to be stored in designated areas, such as bins, holding rooms, or some other type of approved method.
  - Goods and products leaving the facility are to have correct transportation labels on them, and are to be stored in designated areas before being picked up.
  - All goods and products entering and leaving the facility are to be physically inspected for any possible security threats.
  - For a facility that receives goods and products for a customer, a notification process is to be in place whereby customers are immediately contacted and informed of packages.
- The entire identification, provisioning, and de-provisioning process is to be recorded and archived for purposes of producing audit records as needed, such as for access control breaches, daily operational review activities, and for regulatory compliance requirements.

Access Control System

Access control systems, while important for physical security protection measures, ultimately ensure that only authorized individuals have access to a particular facility, with access rights being commensurate with one's roles and responsibilities. As such, access control systems are to be provisioned and deployed for any area requiring physical access into a facility - or, within the facility, access to additional areas. Additionally, the access control systems are to be maintained by authorized individuals only.

Biometrics

Biometrics, while also important for physical security protection measures, ultimately ensure that only authorized individuals have access to a particular facility, with access rights being commensurate with one's roles and responsibilities. As such, biometric devices are to be provisioned and deployed for any area requiring physical access into a facility - or, within the facility, access to additional areas. Additionally, the biometric devices are to be maintained by authorized individuals only. Examples of biometrics include, but are not limited to, the following:

- Fingerprint and Palm Readers
- Voice Recognition