Physical Security Design Standards
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Physical Security Design Standards [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document This document sets out standards for the design of secure areas.
Areas of the standard addressed The following areas of the ISO/IEC 27001:2013 standard are addressed by this document: Annex A A.11 Physical and environmental security A.11.1 Secure areas
General Guidance The physical layout of secure areas will obviously vary widely so this document will need to be tailored according to your specific circumstances. It is important that the correct design criteria are applied to the creation of the secure area in terms of location, perimeter, physical entry and office security controls.
Review Frequency We would recommend that this document is reviewed annually and upon significant change to the organization.
Toolkit Version Number ISO/IEC 27001 Toolkit Version 7 ŠCertiKit 2016.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is Š copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise,
Version 1
Page 1 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 2 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
[Replace with your logo]
Physical Security Design Standards
Document Classification: Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 3 of 13
[Insert Classification] ISMS-DOC-A11-2 1 [Insert date]
[Insert date]
Physical Security Design Standards [Insert Classification]
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 4 of 13
Date
[Insert date]
Physical Security Design Standards [Insert Classification]
Contents 1
INTRODUCTION ....................................................................................................................................... 6
2
PHYSICAL SECURITY DESIGN STANDARDS ................................................................................... 7 2.1 PRINCIPLES OF SECURE AREAS ................................................................................................................. 7 2.2 PHYSICAL SECURITY PERIMETER .............................................................................................................. 7 2.2.1 Perimeter Definition ....................................................................................................................... 7 2.2.2 Reception Area................................................................................................................................ 8 2.2.3 Physical Barriers ............................................................................................................................ 8 2.2.4 Fire Doors ...................................................................................................................................... 8 2.2.5 Intruder Detection Systems ............................................................................................................. 8 2.3 PHYSICAL ENTRY CONTROLS .................................................................................................................... 8 2.3.1 Visitors ............................................................................................................................................ 8 2.3.2 Access Controls .............................................................................................................................. 8 2.3.3 Audit Trail....................................................................................................................................... 9 2.3.4 Visible Identification ....................................................................................................................... 9 2.4 SECURING OFFICES, ROOMS AND FACILITIES ............................................................................................ 9 2.4.1 Additional Security ......................................................................................................................... 9 2.4.2 Recording Equipment ..................................................................................................................... 9 2.4.3 Vacant Areas................................................................................................................................... 9 2.4.4 Directories ...................................................................................................................................... 9 2.5 PROTECTING AGAINST EXTERNAL AND ENVIRONMENTAL THREATS ...................................................... 10 2.6 PUBLIC ACCESS, DELIVERY AND LOADING AREAS ................................................................................. 10 2.6.1 Access ........................................................................................................................................... 10 2.6.2 Incoming Deliveries ...................................................................................................................... 10 2.6.3 Separation of Incoming and Outgoing Goods .............................................................................. 10 2.7 EQUIPMENT SITING AND PROTECTION..................................................................................................... 10 2.7.1 Siting ............................................................................................................................................. 10 2.7.2 Protection ..................................................................................................................................... 11 2.7.3 Eating, Drinking and Smoking ...................................................................................................... 11 2.7.4 Environmental............................................................................................................................... 11 2.7.5 Lightning Protection ..................................................................................................................... 11 2.8 SUPPORTING UTILITIES ........................................................................................................................... 11 2.8.1 Capacity ........................................................................................................................................ 11 2.8.2 Inspection and Testing .................................................................................................................. 11 2.8.3 Alarms ........................................................................................................................................... 12 2.8.4 Redundancy................................................................................................................................... 12 2.9 CABLING SECURITY ................................................................................................................................ 12 2.9.1 Cable Routing ............................................................................................................................... 12 2.9.2 Shielding ....................................................................................................................................... 12 2.9.3 Access Control .............................................................................................................................. 12
3
CONCLUSION.......................................................................................................................................... 13
Version 1
Page 5 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
1 Introduction Secure areas are necessary in order to protect the physical and information assets of the organization from a loss of confidentiality, integrity or availability. This document sets out standards to be used in creating a secure area and details how to ensure that it remains secure whilst not obstructing the business carried out within it. This control applies to all areas within the organization which are categorised as secure. The following policies and procedures are relevant to this document:
Physical Security Policy Information Classification Guidelines Information Labelling Procedure Procedure for Working in Secure Areas
Version 1
Page 6 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
2
Physical Security Design Standards
2.1
Principles of Secure Areas
The design of secure areas is a complex business that requires that the designer undertake a full and comprehensive assessment of the risks associated with each specific facility, second-guessing the most likely methods of unauthorised access and addressing them one by one. The level of security applied to any given site should be appropriate to the classification of the information processed within it. As with all security design the measures put in place must remain appropriate so that the users of the facility are not unreasonably hampered by them and are able to carry out the task for which the facility was created. In line with the ISO/IEC 27001 information security standard there are a number of topics that need to be addressed when designing a secure area. These standards should be used both in the design of new areas and the review of existing ones to identify improvements. 2.2
Physical Security Perimeter
2.2.1
Perimeter Definition
The first consideration is to define the location and perimeter of the secure area. In general, secure areas should be sited to avoid access or visibility to the public or unauthorised people and measures taken to avoid drawing attention to them. If possible they should be physically separate from public areas and not shared with any third parties. All entry points around the physical security perimeter must be risk assessed including lift shafts, ceilings and walls to ensure they offer a good degree of protection with no weak points. External doors should be secure with a level of additional protection appropriate to the required security level (e.g. bars, chains, alarms and multiple locks) with due consideration of applicable fire safety regulations. External windows around the perimeter should be locked and those on the ground floor secured with bars where possible (subject to relevant regulations).
Version 1
Page 7 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
2.2.2
Reception Area
A defined reception area should be created through which all access is controlled. This should be adequately manned when the site is open and only authorised personnel admitted. 2.2.3
Physical Barriers
Where appropriate, physical barriers should be installed to prevent access without the correct level of authorisation. These should prevent tailgating i.e. an unauthorised person following an authorised person through the barrier. 2.2.4
Fire Doors
Fire doors should meet legal requirements and be tested on a regular basis. As standard these should be alarmed and monitored from reception. 2.2.5
Intruder Detection Systems
Where justified by the level of security required, intruder alarms and Closed Circuit Television (CCTV) should be installed to protect entry points and warn of security breaches.
2.3
Physical Entry Controls
2.3.1
Visitors
A procedure must be put in place to sign all visitors in at reception and record details of their identity and date/time of entry and departure. Third party visitor access to the secure area will usually need to be requested in advance and such visitors must be supervised by an authorised member of staff at all times. 2.3.2
Access Controls
Appropriate access controls should be used at all points where the level of security changes. Server room or other similar facilities should have their own access control. Two factor authentication such as a swipe or proximity card and a Personal Identification Number (PIN) must be used where information classified as confidential is stored or processed.
Version 1
Page 8 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
A regular review of access rights should be undertaken to ensure that they remain current. 2.3.3
Audit Trail
An audit trail of access to secure areas must be maintained either via manual completion of a signing in book or via electronic means. 2.3.4
Visible Identification
All users of secure areas (including visitors) will be required to wear a visible and current ID badge.
2.4
Securing Offices, Rooms and Facilities
2.4.1
Additional Security
Individual rooms within the secure area may also be protected by additional security. Such rooms will typically include server rooms, communications rooms, Human Resources, directors’ offices and plant rooms (such as power and air conditioning). Depending on the type of facility, users of such individual rooms may need to have specific access and be required to sign in and out. 2.4.2
Recording Equipment
Cameras or other video or audio recording equipment will not be allowed in secure areas without explicit prior permission. 2.4.3
Vacant Areas
Vacant areas within the secure perimeter will be locked and regularly checked for signs of unauthorised entry or use. Where possible they should be alarmed. 2.4.4
Directories
Phone directories or other information regarding secure areas should not be made generally available.
Version 1
Page 9 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
2.5
Protecting Against External and Environmental Threats
In addition to being covered by the organization’s business continuity plans, secure areas may require further consideration to ensure that any external events such as fire, flood or earthquake will not expose the confidentiality, integrity or availability of the contents. This may affect the siting of secure locations and the procedures used for reacting to events such as fires, subject to health and safety considerations.
2.6
Public Access, Delivery and Loading Areas
2.6.1
Access
Where a secure area includes the need to provide access to the public and /or to accept deliveries this should be segregated as far as possible with a controlled interface with the secure perimeter. This should allow for two sets of doors, only one of which should be opened at a time i.e. an airlock type arrangement. 2.6.2
Incoming Deliveries
A separate delivery or holding area should be used so that deliveries may be inspected prior to them being accepted into the secure area. Such inspection should happen as soon as possible after the delivery and be comprehensive enough to assess the likelihood of any threats being present. Delivery staff should not have access to the secure area. 2.6.3
Separation of Incoming and Outgoing Goods
Areas should be designed such that deliveries and outgoing items are not stored or processed in the same place.
2.7
Equipment Siting and Protection
2.7.1
Siting
The secure area should be designed such that equipment such as server farms cannot be viewed from public areas. Screens that may display sensitive information must be sited away from positions where unauthorised people might view them.
Version 1
Page 10 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
2.7.2
Protection
Where appropriate, additional protection against threats such as dust, vibration, electrical interference and chemicals should be designed in to the secure area. This should be based on a comprehensive risk assessment. 2.7.3
Eating, Drinking and Smoking
Eating, drinking and smoking will generally not be allowed in secure areas and provision for them should not be made in the design. 2.7.4
Environmental
Appropriate environmental controls such as air conditioning must be provided and its health capable of being monitored on an ongoing basis. 2.7.5
Lightning Protection
Appropriate protection from lightning damage to equipment must be designed in to the secure area.
2.8
Supporting Utilities
Care must be taken to ensure the correct design of supporting utilities such as: 2.8.1
Electricity Gas Water Ventilation Network communications Capacity
A capacity assessment must be undertaken by a qualified individual when considering the requirements of the secure area and its contents for supporting utilities. This should allow for estimated usage plus adequate room for growth. 2.8.2
Inspection and Testing
Plans should be put in place for initial and repeated inspection and testing of supporting utilities to ensure that they continue to operate within manufacturer’s recommended parameters.
Version 1
Page 11 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
2.8.3
Alarms
Alarms will be installed to detect circumstances where supporting utilities are operating or are about to operate outside of normal levels. 2.8.4
Redundancy
Appropriate redundancy of supporting utilities should be designed in e.g. diverse routing for network communications and excess capacity for air conditioning.
2.9
Cabling Security
2.9.1
Cable Routing
Where possible, cabling should be routed underground and away from any potential sources of interference. 2.9.2
Shielding
Additional shielding against electromagnetic interference should be implemented where required. Power cables should not be routed with data cables. 2.9.3
Access Control
Access to patch panels and cabling termination points should be controlled via the use of locked access panels and cabinets. Cabling should not be routed via public areas.
Version 1
Page 12 of 13
[Insert date]
Physical Security Design Standards [Insert Classification]
3 Conclusion Designing a secure area is an involved task which needs to have a clear set of requirements to meet. The intention of these standards is to set out a baseline for such requirements that complies with the ISO/IEC 27001:2013 international standard for information security. The overall and ongoing security of the area in question will of course depend upon a number of factors including the procedural controls put in place and how well they are complied with. However without adequate thought being put into the design from the start it will be much more difficult to keep our information assets secure.
Version 1
Page 13 of 13
[Insert date]