Physical Security (Policy)

Overview and Purpose

Controlling physical access to Information Resources is a principal function of the [variable: Covered Organization] security program. This policy sets forth rules for establishing, controlling, and monitoring physical access to Information Resource facilities.

Coverage

This policy applies to all individuals within the [variable: Covered Organization] who are responsible for the installation and support of Information Resources, to information security management and personnel, and to data owners.

Definitions

Policy

Information Resources must be physically protected in proportion to the criticality, sensitivity, or business importance of their function(s).

General

  • All physical security systems must comply with all applicable regulations, including, but not limited to, building codes and fire prevention codes.
  • Restricted areas and facilities must be clearly marked. Signage for restricted areas and facilities should contain enough information to be practical, but present minimal discernible evidence as to the nature or importance of the location.
  • Each individual granted physical access to restricted Information Resources or facilities must receive training on emergency procedures for the facility.

Physical access management

  • Access to Information Resources facilities must follow the principle of least privilege. Personnel, including full- and part-time staff, contractors, and vendor service staff, should be granted access only to the facilities and systems necessary for the fulfillment of their job responsibilities.
  • Requests for access must come from [variable: Role] and include sign-off from the applicable data/system owner.
  • The process for granting physical access to Information Resources facilities must include the approval of [variable: Role(s)].
  • Each individual granted physical access to an Information Resources facility must sign the appropriate access, information protection, and nondisclosure agreements.
  • [variable: organizational role] must remove the card and/or key access rights of individuals who leave or change roles within [variable: Covered Organization].
  • [variable: organizational role] must review card and/or key access rights for the facility on a periodic basis and remove access for individuals who no longer require it.
  • Visitors who have not been granted special access privileges must at all times be escorted and monitored in access-controlled areas of [variable: Covered Organization] facilities.

Protection of physical access cards and keys

  • Personnel must not share or transfer access cards and/or keys to other individuals, whether within or external to [variable: Covered Organization].
  • Access cards and/or keys that are no longer needed must be returned to [variable: organizational role]. Cards must not be transferred or reallocated to another individual in a way that bypasses the return process.
  • Lost or stolen access cards and/or keys must be reported to the [variable: Role].
  • Cards and/or keys must not carry identifying information other than a return mail address.
  • A service charge may be assessed for access cards and/or keys that are lost, stolen, or not returned.

Monitoring and documentation

  • Physical access to all restricted Information Resources and facilities must be documented and monitored through CCTV cameras by a designated team.
  • All facilities that allow visitors must track visitor access with a sign-in/sign-out log.
  • Card access records and visitor logs for Information Resources facilities must be retained for routine review, with the retention period based upon the criticality of the Information Resources being protected.
  • [variable: organizational role] must review access records and visitor logs for the facility on a periodic basis and investigate any unusual access.

Enforcement

Gross negligence or willful disregard of this standard may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

References

Research Resources

Policy Model(s)

State of Texas, Department of Information Resources
