In the context of
computer systems, physical security policies describe how computer hardware and
direct access is managed. Because the computer systems reside in a building,
and that building may be used for other purposes as well, there may be some
overlap and potential conflicts of interest with the other purposes of the
building in Software Development Companies. These must be addressed and resolved in order to properly protect the
computers and the people who use them.
Building and Campus
Security
Building and campus security
policies describe what people are expected to do on the organization’s
property. These are physical security policies, and they often fall outside the
domain of information technology.
Room
Access Based on Job Function: Room access must be restricted based on
employee job function.
Physical
Security for Laptops: All laptops must be locked to a sturdy
fixture using a cable when not in transit.
Position
of Computer Monitors: Computer monitors must be faced away
from windows to discourage “eavesdropping.”
Badges
on the Organization’s Premises: All corporate
employees on the production premises must display badges with picture
identification in plain view.
Temporary
Badges: Temporary badges may be provided to employees who have lost
or forgotten their badges.
Guards
for Private Areas: Guards or receptionists must be
located in areas containing sensitive information.
Badge
Checking: Guards or receptionists must ask to see badges for all
people attempting to access the building.
Tailgating:
Tailgating or piggybacking (following a person into a building) is prohibited,
and allowing any person to tailgate or piggyback is prohibited.
Employee
Responsibility for Security: Employees are
responsible for the security of the servers at all facilities, and for the
actions of their co-workers.
Security
Policy Enforcement: Enforcement
of this physical security policy is the responsibility of HR.
Data Center Security
Data
center policies describe how computer equipment and data is protected in the physical
facilities in which the computer and network equipment resides. This protection
is very important, because unauthorized physical access can be the most direct
route to compromising a computer system in Software Development Companies.
Physical
Security for Critical Systems: All
critical equipment must be kept in locked rooms.
Security
Zones: Within the production equipment area of the production
facility, equipment is separated into two physical spaces with differing access
requirements:
•
Standard General production servers with standard sensitivity
•
Highly secure Production servers with higher security requirements
Non-Employee
Access to Corporate Systems: Non-employees (such
as contractors) are not allowed physical access to the organization’s
information resources.
Asset
Tags: All equipment in the production facility must carry an
asset tag bearing a unique identifier.
Equipment
Entrance Pass: All equipment entering the production
facility must be recorded in a log that contains at least the following
information:
• Employee name
• Date and time
• Type of equipment
• Asset tag
• Corporate employee
signature
• Production
employee signature
Equipment
Exit Pass: All equipment leaving the production facility must be
recorded in a log that contains at least the following information:
• Employee name
• Date and time
• Type of equipment
• Asset tag
• Corporate employee signature
• Production employee signature
Access
Authorization: Employees must be authorized in
advance by a corporate manager of director-level or higher status before
attempting to gain access to the production equipment facility. In general,
this authorization must come from the Director of Operations or their
designated backup.
Access
from Inside: Employees
already inside the production equipment area may not open the door to allow
access to anyone else from outside the area. This access must be provided
through the production staff escort.
Employee
Access Lifetime: Access accounts for all employees will
remain valid for a period of 12 months, unless otherwise requested by the
employee’s manager. The maximum limit on the requested lifetime of the account
is 24 months. After the lifetime of the account has expired, it can be
reactivated for the same length of time upon presentation of both proof of
identity and management approval for reactivation.
Inactive
Access Badges: Access accounts that have not been
used for a period of 90 days will be automatically disabled, to reduce the risk
of unused accounts being exploited by unauthorized parties in Software Development Companies. Any legitimate user
whose account has been disabled in this manner may have it reactivated by
providing both proof of identity and management approval for reactivation.
New
Access Requests: The manager responsible for a new
employee or an employee who has not previously had access must request access
to the production facility for that employee. Employees may not request their
own accounts. The new access request must be recorded and logged for the
record. When the access is no longer needed, the account must be disabled.
Production
Staff Access: Production staff may only enter the
secure area when explicitly requested by a corporate employee, and only after
confirming the request with the designated corporate director-level contact.
Access
Monitoring: All access to the production facility
must be constantly monitored during all hours of the day, 24×7×365. This
monitoring must consist of at least the following:
• Camera recording
of the production area
• Video screen
monitoring by production staff
• Video tape
recording
Access
via Secure Area: Access to the highly secure area is
provided via the secure area. Thus, all security requirements pertaining to the
secure area are prerequisites for access to the highly secure area.
Buddy
System: A minimum of two employees is required for access to the
highly secure production equipment facility. Unaccompanied access to the highly
secure production facility is prohibited.
Three-Badge
Access Requirement: Access to the highly secure equipment
room from the outside requires both a corporate employee and a production
facility employee. Once access is granted, the corporate employees may remain
in the production room without production employee escort.
Biometric
Authentication: All employees requiring access to the
highly secure facility must be authenticated via a biometric device that
uniquely identifies the individual based on some personal biological
characteristic.
Production
Staff Access: Production staff may not enter the
highly secure area under any circumstances.
Room
Access Based on Job Function: Room access to the
secure and the highly secure areas must be restricted based on employee job
function.
Health and Safety
The health and safety of
people is of paramount importance. There is no higher priority for any
organization. All other policies are secondary and must not infringe on the
safety of individuals during a crisis or during normal operations in Software Development Companies. Policies
designed to protect the lives of people vary widely—a few are listed here as
examples, but these are unique to each situation.
Search
of Personal Property: The
production facility must examine any bags or personal carrying items larger
than a purse or handbag.
Tailgating:
Tailgating or piggybacking (following a person into a building) is prohibited,
and allowing any person to tailgate or piggyback is prohibited.
Security
Drills: Regular
security drills (simulated security breaches without advance warning) must take
place to test the effectiveness of security measures. These drills can take the
form of unauthorized access attempts, equipment entrance or removal, or any
other appropriate test of production facility security measures.