CITY UNIVERSITY OF HONG KONG Physical Access Security Standard



Similar documents
Physical Security Policy

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Policy Document. IT Infrastructure Security Policy

April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1. c Dines Bjørner 2006, Fredsvej 11, DK 2840 Holte, Denmark

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Service Children s Education

Supplier Information Security Addendum for GE Restricted Data

Does it state the management commitment and set out the organizational approach to managing information security?

DataCentre Access Policies & Procedures

State of Vermont. Physical Security for Computer Protection Policy

Physical Security Assessment Form

CITY UNIVERSITY OF HONG KONG Communications and Operating Management Standard

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

Introduction. Conducting a Security Review

Louisiana State University Information Technology Services (ITS) Frey Computing Services Center Data Center Policy

Supply Chain Security Audit Tool - Warehousing/Distribution

Physical and Environment IT Security Standards

Standard: Data Center Security

CONNECTICUT RIVER WATERSHED COUNCIL, INC. DOCUMENT MANAGEMENT & WRITTEN INFORMATION SECURITY POLICY

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Data Center Access Policies and Procedures

Integration of Visitor Management with Access Control Systems

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Security and Data Center Overview

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:

Intermec Security Letter of Agreement

PCI Data Security and Classification Standards Summary

Seventh Avenue Inc. 1

MARULENG LOCAL MUNICIPALITY

IT - General Controls Questionnaire

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

UCS Level 2 Report Issued to

hong kong//china data center specifications tel: fax: internet + intellectual property + intelligence

ISO Controls and Objectives

ProjectManager.com Security White Paper

Physical Protection Policy Sample (Required Written Policy)

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

Data Centers and Mission Critical Facilities Access and Physical Security Procedures

SOC 2 Report Seattle, WA (SEF)

Security Systems Surveillance Policy

System Security Plan University of Texas Health Science Center School of Public Health

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Newcastle University Information Security Procedures Version 3

Data Management Policies. Sage ERP Online

POLICY TEMPLATE. Date initially approved: November 5, 2013 Date of last revision: same

Aproved by: doron berger Data Security Manager - National Security unit

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

CITY UNIVERSITY OF HONG KONG

Small Business IT Risk Assessment

Why All Data Centers are Not Created Equal

HIPAA Security Alert

Surveillance Equipment

Technical Standards for Information Security Measures for the Central Government Computer Systems

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

University of Brighton School and Departmental Information Security Policy

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

Identity Theft Prevention Program Compliance Model

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS

WESTERVILLE DIVISION OF POLICE Security Survey Checklist: Business

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SERVICE SCHEDULE CO-LOCATION SERVICES

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5

ST. CLOUD STATE UNIVERSITY INSTALLATION AND USE OF VIDEO SURVEILLANCE EQUIPMENT PROCEDURE. Purpose

SCHOOL SECURITY POLICY & PROCEDURES

Security Organization & Awareness. Januari, 28/29th th CENTR Security Workshop Brussels Bert ten Brinke

Security Policy and Procedures

Understanding Sage CRM Cloud

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

CONTENTS. Security Policy

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Supplier Security Assessment Questionnaire

Rules of Conduct and Safety

A Self-Audit of Your Current Campus Security Systems

Security Awareness Training

Best Practices For Department Server and Enterprise System Checklist

Information Technology Security Procedures

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

C-TPAT Importer Security Criteria

Information Security. Manual Guideline. Version 3

Enterprise Security Model in SAS Environment

Hosted Testing and Grading

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Privacy and Security Risk Assessment and Action Planning

Does a fence or other type physical barrier define the perimeter of the facility?

IOWA LABORATORIES FACILITIES PHYSICAL SECURITY PLAN

ISO27001 Controls and Objectives

C-TPAT Self-Assessment - Manufacturing & Warehousing

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

HIPAA Information Security Overview

Customs & Trade Partnership Against Terrorism (C TPAT)

Transcription:

CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24

Document Control Document Owner Classification Publication Date OCIO PUBLIC 2013-12-24 Revision History Version Date Summary of Changes 1.0 2013-12-19 Initial Release Distribution Copy Issued to Location Master Public http://www6.cityu.edu.hk/infosec/isps/docs/?page=00.about

Contents 1 Policy Statement... 1 2 Objective... 1 3 Securing Work Areas... 1 4 Physical Entry Controls of Secure Area... 2 5 Equipment Security... 3 6 Responsibilities... 3 6.1 System Owner, Controller, and Secure Area Personnel... 3 6.2 Authorized Staff with Access to Sensitive Information and Facilities... 3 6.3 Visitors... 3 7 Summary... 4 Reference... 4

Page 1 of 4 1 Policy Statement The City University of Hong Kong or hereinafter referred as the University must ensure that unauthorized physical access to IT infrastructures, information, and information systems of the University are prohibited. These include the setups of all University Units. 2 Objective The objective of this document is to govern physical security controls protecting information and information facilities of the University from unauthorized access, damage, and interference. 3 Securing Work Areas Work areas are broadly referred to Offices, Rooms, Facilities, and Secure Area of the University. Work areas shall be protected by security perimeters with limited entry and exit points, while fulfilling relevant health and safety regulations and standards. The perimeter should be physically sound. There should be no gaps in the perimeter or areas where a break-in could easily occur. The external walls should be of solid construction and all external doors should be protected against unauthorized access using appropriate control mechanisms such as alarms, locks, CCTV, etc. Suitable intrusion detection systems should be professionally installed and regularly tested to cover premises. General buildings, offices, rooms and facilities should be protected by ensuring that all doors and windows remain closed and locked while unoccupied. Manned reception desks should be used to restrict access to offices of supporting and servicing units containing confidential information. Critical equipment and information should be placed in secure areas (such as filing cabinet rooms, printing rooms, computer rooms, and data centers). Access areas to secure should be restricted to authorized personnel only. The cost of implementing protection measures should commensurate with the identified level of acceptable risk. Personnel should only be aware of the existence of, or activities within, a secure area on a need-toknow basis Personnel of contracted third party service providers should be given restricted access to secured rooms and this should always be under supervision unless CCTV camera equipment monitoring the rooms.

Page 2 of 4 4 Physical Entry Controls of Secure Area Secure areas should be protected to ensure that they are only accessible to authorized personnel. Entry to secure areas should be handled as follows: Entrance of secure areas must be controlled by physical token, e.g. access control card, assigned to onsite personnel or authorized staff only; Visitors, including staffs and contractors, must be authorized before entering secure areas; access should be granted for specific, authorized purpose only and their access being recorded; Approval records and access log must be preserved Onsite personnel should wear physical badge; Visitors should wear physical visitor badges unless they are escorted by authorized staff of the University or onsite personnel who is wearing a badge; Visitor badges must be surrendered before leaving the secure areas; Moving of materials and equipment into and out of site must be escorted by onsite personnel, inventory being checked and logged; Transfer log shall be used to maintain a physical audit trail of change in equipment. Onsite personnel or authorized staff should document the following: o Owner, controller or custodian responsible for the equipment o Report number, Model number and Serial number equipment if available o Time in or out o Name of transferor Visitor log shall be used to maintain a physical audit trail of visitors activities. Retain this log for a minimum of three months. Onsite personnel or authorized staff should verify the identify and documents the following of visitors: o Name o Organization or company represented o Time in and out o Purpose of visiting o Signature of visitor o Signature of verifier System owner, custodian or controller should indicate the Information Classification and/or security requirements of equipment in secure area; Access to equipment in secure area shall be granted by system owner, custodian or controller Equipment Access log shall be used to maintain a physical audit trail of visitors activities. Onsite personnel or authorized staff should document the following: o Name o Equipment (e.g. Cabinet or Rack identifier) o Time start and end Visitor log and Equipment Access log should be regularly reviewed by Management to detect any unauthorized or inappropriate access CCTV cameras should be installed to monitor the access activities of secure areas. Access control and retention policy of recorded media should be defined and followed.

Page 3 of 4 5 Equipment Security Equipment should be protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access and equipment theft. Equipment, information or software should not be taken off-premises without prior authorization. Appropriate security measures should be applied to equipment placed in public (e.g. Express Terminals) and area off-site equipment, taking into account the various risks of working Appropriate power protection (e.g. Uninterruptable Power Supplies, Redundant Power Feeds), adequate fire protection, proper heating and cooling should be installed to prevent interruption of service or availability. Maintenance contracts should be in placed to ensure that equipment will be correctly maintained. 6 Responsibilities Clearly define responsibilities are needed for proper management and protection of physical access to the University s sensitive information and information processing facilities. This is achieved by establishment of the following roles: 6.1 System Owner, Controller, and Secure Area Personnel Authorize, control and monitor visitor s access to secure area, protected equipment, and information processing facilities; Control working in server area; Review and update access rights to secure area regularly; Control the physical security perimeter for secure area; Implement the physical entry controls for secure area; Control the isolated delivery and loading area for secure area; and Review the processes involved in the above protections. 6.2 Authorized Staff with Access to Sensitive Information and Facilities Escort authorized visitors within secure area; and Challenge and report any un-escorted strangers or anyone not wearing visible identification. 6.3 Visitors Comply with physical security standards of the University; and Obtain approvals from relevant management prior to access to the University s sensitive information or information processing facilities.

Page 4 of 4 7 Summary The University must restrict the physical access to its sensitive information and information processing facilities. Physical access rights are only granted on a need-to-know basis. Visitor logging must be implemented and access logs should be reviewed regularly. Reference The following documents were consulted during the preparation of this document: City University of Hong Kong (2013), Information Security Policies City University of Hong Kong (2013), Environmental Security Standard City University of Hong Kong (2013), Guidelines on Access Control of the Computer Room, https://wiki.cityu.edu.hk/sites/ccwiki/mngt/ppp/security/guide-computerroomaccesscontrol.htm

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information