Title Page
-
Site conducted
-
Conducted on
-
Prepared by
Physical Security Perimeter
-
The physical perimeter of the building and site containing information processing facilities is physically sound
-
External doors and windows are suitably protected against unauthorised access by control mechanisms (alarms, locks, bars or blinds).
-
Doors and windows are locked when unattended
-
Where ground-floor windows are not fitted with bars, blinds are drawn at the end of each working day and the residual risk is recorded in the risk register
-
Access to sites and buildings is restricted to authorised personnel
-
All fire doors are the required level of resistance
-
Suitable intruder detection systems are installed to national standards
Secure Areas
-
Access rights to secure areas are regularly reviewed and updated and revoked when necessary
-
Access to secure areas defaults to deny
-
Access to areas where confidential information is processed or stored is restricted to authorised individuals
-
Logs of access are held and maintained for a minimum of 3 months
-
External third-party support service personnel are granted restricted access to secure areas or confidential information processing facilities only when required
-
Photographic, video, audio, or other recording equipment is not permitted in secure areas
Employee Access
-
Employee access is granted on a least-privilege basis, according to role
-
Access control tokens (badges) are issued to identify employees and other personnel and must be worn at all times
-
Access control tokens (badges) are not shared, transferred, or loaned
-
Access is revoked immediately upon termination: all physical access tokens are disabled and must be returned
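The two checklist items above (badges are not shared; access is revoked on termination) and the earlier Secure Areas items (access rights reviewed, access logs retained for at least 3 months) are only verifiable if someone actually reads the badge-reader log. The script below is an added example, not part of this checklist or any vendor's product: it runs two detections over a constructed badge log. Badge IDs, door names, the employee register and the minimum walking times between doors are all assumed values for illustration; a real deployment would load them from the access control system and HR feed.

```python
from datetime import datetime, timedelta

# Constructed sample badge-reader events (not from a real system):
# timestamp, badge id, door, result
BADGE_EVENTS = """\
2024-03-04T08:01:10,B1001,Main-Entrance,GRANTED
2024-03-04T08:01:40,B1001,ServerRoom-North,GRANTED
2024-03-04T08:03:05,B1002,Main-Entrance,GRANTED
2024-03-04T08:04:00,B1001,Annex-B-Entrance,GRANTED
2024-03-05T09:15:00,B1003,Main-Entrance,GRANTED
2024-03-05T09:16:30,B1003,ServerRoom-North,DENIED
"""

# Constructed badge register: badge -> (employee, termination date or None).
# B1003 belongs to a leaver whose badge should already have been disabled.
BADGE_REGISTER = {
    "B1001": ("alice", None),
    "B1002": ("bob", None),
    "B1003": ("carol", "2024-03-01"),
}

# Assumed minimum walking time between door pairs on this site; a badge
# seen at both doors faster than this is either shared or cloned.
MIN_TRAVEL = {
    frozenset({"ServerRoom-North", "Annex-B-Entrance"}): timedelta(minutes=10),
}


def parse_events(text):
    """Parse the CSV badge log into a list of dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def find_terminated_badge_use(events, register):
    """Return GRANTED events for badges used on or after the holder's termination date."""
    findings = []
    for ev in events:
        if ev["result"] != "GRANTED":
            continue
        employee, term = register.get(ev["badge"], (None, None))
        if term is not None and ev["ts"].date() >= datetime.fromisoformat(term).date():
            findings.append((ev["badge"], employee, ev["ts"].isoformat(), ev["door"]))
    return findings


def find_shared_badge_use(events, min_travel):
    """Return (badge, door_a, door_b, seconds) where one badge was granted at two
    doors faster than a person could walk between them (anti-passback style check)."""
    by_badge = {}
    for ev in events:
        if ev["result"] == "GRANTED":
            by_badge.setdefault(ev["badge"], []).append(ev)
    findings = []
    for badge, evs in by_badge.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["door"] == cur["door"]:
                continue
            needed = min_travel.get(frozenset({prev["door"], cur["door"]}), timedelta(0))
            gap = cur["ts"] - prev["ts"]
            if gap < needed:
                findings.append((badge, prev["door"], cur["door"], int(gap.total_seconds())))
    return findings


def run_checks(text=BADGE_EVENTS, register=BADGE_REGISTER, min_travel=MIN_TRAVEL):
    """Run both detections and return them as a dict for review."""
    events = parse_events(text)
    return {"terminated_badge_use": find_terminated_badge_use(events, register),
            "shared_badge_use": find_shared_badge_use(events, min_travel)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name)
        for f in findings:
            print("  ", f)
```

On the constructed data the first check flags B1003 (carol) entering the main entrance four days after termination, which means the badge was neither returned nor disabled; the DENIED swipe at the server room is not flagged because the control worked there. The second check flags B1001 at the server room and then at the Annex B entrance 140 seconds apart against an assumed 10-minute walk, the pattern a shared or cloned badge produces. The door-pair table is the part a practitioner must tune per site; an unlisted pair defaults to no constraint rather than a guess.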
Visitor Access
-
Visitors are permitted unrestricted access to public areas only
-
Visitors are issued with instructions on the security requirements of the area and on emergency procedures
-
Visitors are recorded in the visitor logbook and the information maintained for a minimum of 3 months
-
Visitors are allocated a visitor pass that clearly identifies the visitor status, denies access to secure areas, and is returned at the end of the business day on which issued.
-
Visitor access to secure areas requires verification of identity and presenting photographic identification
Delivery and Loading Areas
-
Access to the delivery and loading area from outside is via a single entry point into the main office
-
Supplies are loaded and unloaded without delivery personnel gaining access to other parts of the building without prior approval or an escort
-
Incoming material should be inspected for explosives, chemicals, or other hazardous materials
-
Incoming material, including any hazardous materials, should be registered in accordance with asset management procedures.
-
Incoming and outgoing shipments should be physically segregated, where possible
-
Incoming material should be inspected for evidence of tampering en route; any tampering discovered should be reported immediately
Network Access Control
-
Physical access to networking equipment is restricted which includes wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines
-
Network points in public areas do not allow access to the company internal network
-
Network points that allow access to the company internal network are secured by physical access control for entry and exit
-
Visitors are prohibited from connecting devices to network points that allow access to the company internal network unless explicitly authorised to do so and are always escorted in areas with active network points
Cabling Security
-
Power and telecommunications cabling carrying data or supporting information services should be protected from interception
-
Power and telecommunication lines into processing facilities are underground
-
Power cables are segregated from communication cables to prevent interference
-
Physical access to network cables is restricted where possible
-
Access to cable rooms and patch panels is restricted by physical access control
Equipment Siting and Protection
-
Equipment should be sited to minimise unnecessary access into work areas
-
Information processing facilities handling sensitive data should be positioned carefully to reduce the risk of information being viewed by unauthorised persons
-
Security screens are used where sensitive work is being undertaken.
-
Storage facilities should be secured to avoid unauthorised access
-
Items requiring special protection should be safeguarded
-
Controls should be adopted to minimise the risk of physical and environmental threats, e.g., theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, and electrical supply interference.
-
Guidelines for eating, drinking, and smoking in proximity to information processing facilities should be established
-
Environmental conditions, such as temperature and humidity, should be monitored for conditions which could adversely affect the operation of information processing facilities
-
Lightning protection should be applied to all buildings, and lightning protection filters should be fitted to all incoming power and communications lines.
-
Equipment processing confidential information should be protected to minimise the risk of information leakage due to electromagnetic emanation.