Physical and Environmental Security Policy and Standard
Section 1 - Executive Summary
(1) The
(2) Physical and environment protections must be applied using a risk-based approach and in proportion to the classification and criticality of information and physical
(3) Responsibilities for implementing physical and environmental protections are shared across Infrastructure and Facilities Services (IFS), Digital Technology Solutions,
Section 2 - Scope
(4) This document establishes the physical and environmental safeguards for the
(5) Secure areas are areas where sensitive, classified, or critical information and
(6) All other areas of the
Section 3 - Physical and Environmental Security Requirements
Part A - Secure Areas
Physical Security Perimeter
(7)
(8)
(9) Controls that must be applied to secure areas are:
- the perimeters of buildings containing data centres or server infrastructure must be physically sound (i.e. there must be no gaps in the perimeter or areas where a break-in could easily occur);
- external walls must be of solid construction and all external doors must be suitably protected against unauthorised access with control mechanisms, e.g. bars, alarms, locks, etc;
- doors and windows must be locked when unattended;
- doors must be fitted with an audible alarm that triggers when the doors have been kept open beyond a pre-determined length of time;
- external protection must be considered for windows, particularly at ground level;
- all fire doors on a security perimeter must be alarmed and monitored; and
- fire doors and external walls must be tested at least annually, to establish the required level of resistance in accordance with suitable regional, national, and international standards.
(10) Where appropriate, data centre entry points must be monitored by a closed-circuit television (CCTV) system on a 24/7 basis. All video surveillance data must be protected from unauthorised disclosure, modification, and erasure, and maintained for at least 30 days. Refer to the
Physical Entry Controls
(11) Secure areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
(12) The following controls must be implemented:
- access to areas where sensitive information is processed or stored must be restricted to authorised
personnel only; - authentication controls, e.g. access control card system, must be used to authorise and validate access;
- access logs must be maintained by for facilities and IT systems;
- visitors must be escorted whilst in buildings by authorised
personnel ; - visitors must only be allowed access for specific and authorised purposes and be escorted whilst in buildings;
- the date and time of entry and departure of visitors must be recorded;
- all employees and other authorised
personnel must wear visible identification; - visitors must be issued badges or tags of a different colour than employees;
- employees must notify a
University Security Officer when they encounter unescorted visitors or anyone not wearing visible identification; - contractors and vendors may be granted restricted access only when required and their access must be authorised and monitored; and
- access rights must be regularly reviewed by the business unit granting access.
Securing Offices, Rooms and Facilities
(13) Controls to ensure security of information and information systems located in
(14)
- physical entry controls described in clauses 11 and 12 of this document;
- ensure sensitive information is stored properly when not in use, in accordance with clauses 54 to 57 of this document; and
- directories that identify the locations of data centres and other areas where sensitive information is stored must not be made public.
Protecting Against External and Environmental Threats
(15) Physical protection against natural disasters, malicious attacks or accidents must be designed and applied.
- combustible or hazardous materials must be stored at a safe distance from the secure area;
- bulk supplies, e.g. stationery, must not be stored in a secure area;
- backup equipment and media must be located at a safe distance to avoid damage from a disaster affecting the main site; and
- environmental alarm systems, fire suppression and firefighting systems must be installed and tested.
Working in Secure Areas
(16) Security controls and procedures must be used by
(17)
- sensitive information cannot be discussed in a non-secure area;
- sensitive information cannot be disclosed to
personnel who do not have a need-to-know; and - visitors must be authorised, logged, and escorted.
Delivery and Loading Areas
(18) Access points such as reception, delivery and loading areas must be controlled and, if possible, isolated from secure areas or offices to avoid unauthorised access.
(19)
- loading docks and delivery areas must be regularly inspected and actively monitored;
- incoming material must be inspected for potential threats before this material is moved from the delivery and loading area to the point of use;
- incoming material must be registered on entry to the site; and
- incoming and outgoing shipments must be physically segregated where possible.
Public Areas
(20) Public areas are areas that are freely accessible to the public,
(21) The value of IT
(22) All equipment not intended for public use should be situated to minimise the
(23) Systems located in public areas that may be used to access confidential information must be situated in such a way as to prevent unauthorised individuals from viewing the displayed data.
(24) All publicly accessible IT
Part B - Equipment
Equipment Protection
(25) Equipment must be protected to reduce the
(26)
(27) Servers, routers, switches, and other centralised computing equipment must be located in a room with access restricted to only those
(28) Equipment should be located, and monitors angled, in such a way that unauthorised persons cannot observe the display.
(29) Staff printers and scanners should not be located in an area that is accessible to the public.
Supporting Utilities
(30) ICT infrastructure must be protected from power supply interruption and other disruptions caused by failures in supporting utilities.
(31) The following controls must be implemented to help ensure availability of critical services:
- all supporting utilities such as electricity, water supply, sewage, heating/ventilation and air conditioning must be adequate for the systems they are supporting. Supporting utilities must be regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk of malfunction or failure;
- an uninterruptible power supply (UPS) to support orderly close down or continuous running is recommended for equipment supporting critical business operations. Power contingency plans must cover the action to be taken on failure of the UPS. A back-up generator must be considered if processing is required to continue in the event of a prolonged power failure. An adequate supply of fuel must be available to ensure that the generator can perform for a prolonged period. UPS equipment and generators must be checked regularly to ensure they have adequate capacity and are tested in accordance with the manufacturer’s recommendations;
- emergency power off switches must be located near emergency exits in equipment rooms to facilitate rapid power down in case of an emergency. Emergency lighting must be provided in case of main power failure;
- the water supply must be stable and adequate to supply air conditioning, humidification equipment, and fire suppression systems (where used). An alarm system to detect malfunctions in the supporting utilities must be installed to limit any damage that a fault may cause to equipment;
- telecommunications equipment must be connected to the utility provider by at least two diverse routes to prevent failure in one connection path impacting voice or data services; and
- voice services must be adequate to meet local legal requirements for emergency communications.
Cabling Security
(32) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
(33) Power and telecommunications lines into information processing facilities must be underground or subject to adequate alternative protection.
(34) Network equipment must be protected from unauthorised physical access or damage by placing it within a secured data centre, or a locked cabinet or room.
(35) Power cables should be segregated from communications cables to prevent interference.
(36) Cables and equipment must be clearly marked to minimise handling errors such as accidental patching of incorrect network cables. A documented patch cabling standard should be used to reduce the possibility of errors.
Equipment Maintenance
(37) Equipment must be correctly maintained to help ensure availability and integrity of sensitive information and
(38) When equipment is serviced,
- equipment must be maintained in accordance with the supplier’s recommended schedule and specifications;
- only formally contracted maintenance
personnel undertake repairs and service equipment; - records of all suspected faults and maintenance activity are maintained by IFS;
- maintenance activity is scheduled at a time of day that limits interference with services or operations; and
- users are notified before equipment is taken off-line for maintenance.
(39) If off-site maintenance is required, appropriate controls must be implemented; confidential information should be cleared from the equipment, maintenance
Removal of Assets
(40)
(41) An inventory of IT
- item description and serial number;
- where the
asset is (or will be) located; - the name of the individual responsible for the
asset ; - the removal date and return date; and
- the reason for removal.
(42) The description and serial numbers must be verified when the
(43)
Security of Equipment and Assets Off-Premises
(44)
(45)
- encrypting sensitive data;
- using a logical or physical access control mechanism (such as a password) to protect against unauthorised access;
- using a physical locking or similar mechanism to restrain the equipment; and
- ensuring
personnel are instructed on the proper use of the chosen controls.
(46)
- not leave it unattended in a public place;
- ensure the equipment is under their direct control at all times when travelling;
- take measures to prevent viewing of sensitive information by unauthorised
personnel ; - not allow unauthorised individuals to use the equipment; and
- report loss or stolen equipment immediately.
(47) Due care must be taken by
Secure Disposal or Re-Use of Equipment
(48) All data and software must be erased from equipment prior to disposal or redeployment.
(49)
(50) Prior to re-use within the
- the integrity of the
University records must be maintained by adhering to the Records Governance Policy; - information and software must be backed up by the original
System Owner in case information recovery is required; and - the storage media must be wiped.
(51) Storage media that will no longer be used in the
asset identifier;- date of erasure; and
- names of
personnel performing the erasure.
(52) When a supplier conducts the data wiping there must be contractual and audit procedures to ensure complete destruction of the information. The
Unattended User Equipment
(53) Unattended equipment must be safeguarded by:
- terminating the active session when finished;
- locking the session with a password protected screen saver or other approved mechanism;
- logging off computers, servers, terminals, and other devices when session is finished;
- switching off devices when not required;
- enabling password protection on mobile devices, printers, kiosks, and portable storage devices; and
- securing devices with a cable lock when enhanced physical security is justified.
Clear Desk and Clear Screen Policy
(54) Sensitive information must be safeguarded from unauthorised access, loss, or damage.
(55) Workspaces must be secured when they cannot be monitored by
- clearing desktops and work areas;
- locking hard copy sensitive information in an appropriate cabinet;
- locking portable storage devices with sensitive information in an appropriate cabinet;
- activating a password-protected screen saver;
- retrieving documents from printers; and
- ensuring that sensitive hard copy documents that are no longer needed are placed in shredding bins, not recycle bins.
(56) When visitors, cleaning contractors, or other
- covering up and maintaining control of hard-copy files;
- minimising windows, blanking computer screens or activating the password-protected screen saver.
(57) Sensitive information must not be discussed in public or other areas where there is a
Part C - Defence Industry Security Program (DISP)
(58) Prior to agreeing to store, process, or communicate information or assets under DISP, approval from the Information Security Team must be obtained.
(59) The Information Security Team must ensure that physical security controls required by the Defence Security Policy Framework (DSPF) are implemented when approving activity under the DISP.