
Physical Security Policy

PCI DSS Toolkit Version 4 ©CertiKit


Physical Security Policy [Insert Classification]

Implementation Guidance (The header page and this section must be removed from final version of the document)

Purpose of this document: This document defines the organization’s policy with regard to the controls used to ensure the physical security of its buildings, offices etc.

Areas of the standard addressed: The following areas of the PCI DSS standard are addressed by this document: Requirement 9: Restrict physical access to cardholder data

General Guidance: Physical security is often common sense, as it is one of the most visible aspects of information security. But penetration testers have often found that it’s all too easy to gain access to a building and explore unchallenged. Don’t assume that the building services or facilities management service provider has covered everything needed; look carefully at your organization’s specific needs and be prepared to put additional controls in place if necessary. Don’t forget that awareness training is a key part of physical security, in order to ensure that procedural controls are followed and that physical controls are not easily circumvented, e.g. via tailgating. PCI DSS only concentrates on the physical security of the cardholder data environment. However, it is recommended to implement this policy across the business where appropriate.

Review Frequency: We would recommend that this document is reviewed annually and upon significant change to the organization.

Toolkit Version Number: PCI DSS Toolkit Version 4

Document Fields: This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions.

Copyright notice: Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms: This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer: Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only, from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


[Replace with your logo]

Physical Security Policy

Document Classification: [Insert Classification]
Document Ref.: PCI-DSS-DOC-09-2
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:


Revision History (columns: Version, Date, Revision Author, Summary of Changes)

Distribution (columns: Name, Title)

Approval (columns: Name, Position, Signature, Date)


Contents

1 Introduction ........ 7
2 Secure Areas ........ 8
3 Paper and Equipment Security ........ 9
4 Equipment Lifecycle Management ........ 11

1 Introduction

The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions and potentially put lives at risk. [Organization Name] is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken.

This control applies to all offices, systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policy and procedures are relevant to this document:
• Information Security Policy
• CDE Physical Access Procedure


2 Secure Areas

Sensitive information must be stored securely. A risk assessment must be carried out to identify the appropriate level of protection to be implemented to secure the information being stored. Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. A building must have appropriate control mechanisms in place for the classification of information and equipment that is stored within it. These may include, but are not restricted to, the following:
• Alarms fitted and activated outside working hours
• Window and door locks
• Window bars on lower floor levels
• Access control mechanisms fitted to all accessible doors (where codes are utilised they should be regularly changed and known only to those people authorised to access the area/building)
• CCTV cameras (recordings kept for at least 3 months)
• Staffed reception area
• Protection against damage - e.g. fire, flood, vandalism

Staff working in secure areas must challenge anyone not wearing a badge. Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by persons authorised to access those areas and must not be loaned/provided to anyone else.

Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. An organization employee must monitor all visitors accessing secure areas at all times.

Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by the [Service Provider] as appropriate. Where breaches do occur, or an employee leaves outside normal termination circumstances, all identification and access tools/passes (e.g. badges, keys etc.) must be recovered from the employee and any door/access codes changed immediately.

Offsite backup locations will be reviewed at least annually to ensure these locations are physically secure for the media backups.


3 Paper and Equipment Security

Paper in an open office must be protected by the controls for the building and via appropriate measures that may include, but are not restricted to, the following:
• Filing cabinets that are locked, with the keys stored away from the cabinet
• Locked safes
• Storage in a secure area protected by access controls
• Secured paper disposal containers

All general computer equipment must be located in suitable physical locations that:
• Limit the risks from environmental hazards – e.g. heat, fire, smoke, water, dust and vibration
• Limit the risk of theft – e.g. if necessary, items such as laptops should be physically attached to the desk
• Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people
• Restrict physical access to wireless access points and gateways

Data will be stored on network file servers where appropriate. This ensures that information lost, stolen or damaged via unauthorised access can be restored and its integrity maintained. All servers located outside of the data centre must be sited in a physically secure environment. Business critical systems must be protected by an Uninterruptible Power Supply (UPS) to reduce the risk of operating system and data corruption from power failures.

All items of equipment must be recorded, both on the departmental and the [Service Provider] inventory. Procedures must be in place to ensure inventories are updated as soon as assets are received or disposed of. All equipment must be security marked and have a unique asset number allocated to it. This asset number will be recorded in the departmental and the [Service Provider] inventories.

Cables that carry data or support key information services must be protected from interception or damage. Power cables must be separated from network cables to prevent interference. Network cables must be protected by conduit and where possible avoid routes through public areas. Physical and/or logical controls must be implemented to restrict access to publicly accessible network ports on office walls; for example, network ports located in public areas and areas accessible to visitors will be disabled and only enabled when network access is explicitly authorized.

Device tamper inspections will be performed and recorded to ensure payment devices are not compromised. Training will be provided to staff members to inspect devices appropriately.


4 Equipment Lifecycle Management

[Service Provider] and 3rd party suppliers must ensure that all of [Organization Name]’s IT equipment is maintained in accordance with the manufacturer’s instructions and any documented internal procedures, to ensure it remains in effective working order. Staff involved with maintenance must:
• Retain all copies of manufacturer’s instructions
• Identify recommended service intervals and specifications
• Enable a call-out process in the event of failure
• Ensure only authorised technicians complete any work on the equipment
• Record details of all remedial work carried out
• Identify any insurance requirements
• Record details of faults incurred and actions required

A service history record of equipment must be maintained so that decisions can be made regarding the appropriate time for it to be replaced. Manufacturer’s maintenance instructions must be documented and available for support staff to use when arranging repairs. The use of equipment off-site must be formally approved by the user’s line manager.

Equipment that is to be reused or disposed of must have all of its data and software erased / destroyed. If the equipment is to be passed on to another organization (e.g. returned under a leasing agreement) data removal must be achieved by using approved, appropriately secure, wipe programs. Sensitive paper records will be disposed of via one of the following methods:
• Crosscut shredded
• Incinerated
• Pulped

Equipment deliveries must be signed for by an authorised individual using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded. Loading areas and holding facilities must be adequately secured against unauthorised access and all access should be auditable. Subsequent removal of equipment must be via a formal, auditable process.


All information security arrangements (office, storage containers, devices and media) must be subject to independent audit at least annually, and security improvements recommended where necessary.
