Wednesday, June 3, 2015

Physical Security Policies in Information Security

In the context of computer systems, physical security policies describe how computer hardware and direct access to it are managed. Because computer systems reside in a building, and that building may serve other purposes as well, there may be overlap and potential conflicts of interest between those purposes and the protection of the systems in Software Development Companies. These must be addressed and resolved in order to properly protect the computers and the people who use them.
Building and Campus Security
Building and campus security policies describe what people are expected to do on the organization’s property. These are physical security policies, and they often fall outside the domain of information technology.
Room Access Based on Job Function: Room access must be restricted based on employee job function.
Physical Security for Laptops: All laptops must be locked to a sturdy fixture using a cable when not in transit.
Position of Computer Monitors: Computer monitors must face away from windows to discourage “eavesdropping.”
Badges on the Organization’s Premises: All corporate employees on the production premises must display badges with picture identification in plain view.
Temporary Badges: Temporary badges may be provided to employees who have lost or forgotten their badges.
Guards for Private Areas: Guards or receptionists must be located in areas containing sensitive information.
Badge Checking: Guards or receptionists must ask to see badges for all people attempting to access the building.
Tailgating: Tailgating or piggybacking (following a person into a building) is prohibited, and allowing any person to tailgate or piggyback is prohibited.
Employee Responsibility for Security: Employees are responsible for the security of the servers at all facilities, and for the actions of their co-workers.
Security Policy Enforcement: Enforcement of this physical security policy is the responsibility of HR.
Data Center Security
Data center policies describe how computer equipment and data are protected in the physical facilities in which the computer and network equipment resides. This protection is very important, because unauthorized physical access can be the most direct route to compromising a computer system in Software Development Companies.
Physical Security for Critical Systems: All critical equipment must be kept in locked rooms.
Security Zones: Within the production equipment area of the production facility, equipment is separated into two physical spaces with differing access requirements:
• Standard: general production servers with standard sensitivity
• Highly secure: production servers with higher security requirements
Non-Employee Access to Corporate Systems: Non-employees (such as contractors) are not allowed physical access to the organization’s information resources.
Asset Tags: All equipment in the production facility must carry an asset tag bearing a unique identifier.
Equipment Entrance Pass: All equipment entering the production facility must be recorded in a log that contains at least the following information:
• Employee name
• Date and time
• Type of equipment
• Asset tag
• Corporate employee signature
• Production employee signature
Equipment Exit Pass: All equipment leaving the production facility must be recorded in a log that contains at least the following information:
• Employee name
• Date and time
• Type of equipment
• Asset tag
• Corporate employee signature
• Production employee signature
Access Authorization: Employees must be authorized in advance by a corporate manager of director-level or higher status before attempting to gain access to the production equipment facility. In general, this authorization must come from the Director of Operations or their designated backup.
Access from Inside: Employees already inside the production equipment area may not open the door to allow access to anyone else from outside the area. This access must be provided through the production staff escort.
Employee Access Lifetime: Access accounts for all employees will remain valid for a period of 12 months, unless otherwise requested by the employee’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation.
Inactive Access Badges: Access accounts that have not been used for a period of 90 days will be automatically disabled, to reduce the risk of unused accounts being exploited by unauthorized parties in Software Development Companies. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation.
New Access Requests: The manager responsible for a new employee or an employee who has not previously had access must request access to the production facility for that employee. Employees may not request their own accounts. The new access request must be recorded and logged for the record. When the access is no longer needed, the account must be disabled.
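The three account rules above (12-month default lifetime capped at 24 months, automatic disablement after 90 days of inactivity, reactivation only with both proof of identity and management approval, and manager-initiated requests with no self-requests) are the kind of thing an identity team ends up encoding in an access-review script. The following is an added example written for this page, not code from the original post; the status names, the sample employee records and the choice to measure inactivity from the grant date when an account has never been used are all assumptions made here.

```python
"""Added example (not from the original post): a small model of the access-account
rules above. Status names and the sample records are constructed for illustration."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEFAULT_LIFETIME_MONTHS = 12   # "valid for a period of 12 months"
MAX_LIFETIME_MONTHS = 24       # "maximum limit on the requested lifetime"
INACTIVITY_LIMIT_DAYS = 90     # "not been used for a period of 90 days"


@dataclass(frozen=True)
class AccessAccount:
    employee: str
    granted_on: date
    requested_months: Optional[int] = None   # None means the 12-month default
    last_used: Optional[date] = None         # None means never used since grant


def lifetime_months(requested: Optional[int]) -> int:
    """Resolve the requested lifetime against the policy default and cap."""
    months = DEFAULT_LIFETIME_MONTHS if requested is None else requested
    if not 1 <= months <= MAX_LIFETIME_MONTHS:
        raise ValueError(f"requested lifetime of {months} months exceeds the "
                         f"{MAX_LIFETIME_MONTHS}-month cap")
    return months


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expires_on(acct: AccessAccount) -> date:
    return add_months(acct.granted_on, lifetime_months(acct.requested_months))


def evaluate(acct: AccessAccount, today: date) -> str:
    """Return 'expired', 'inactive' or 'active' for an account on a given day.
    Assumption: an account never used since its grant is measured from the grant date."""
    if today >= expires_on(acct):
        return "expired"
    reference = acct.last_used or acct.granted_on
    if (today - reference).days >= INACTIVITY_LIMIT_DAYS:
        return "inactive"
    return "active"


def new_access_request(requesting_manager: str, employee: str, today: date,
                       requested_months: Optional[int] = None) -> AccessAccount:
    """Managers request access on behalf of employees; self-requests are rejected."""
    if requesting_manager == employee:
        raise PermissionError("employees may not request their own access accounts")
    lifetime_months(requested_months)   # reject over-cap requests up front
    return AccessAccount(employee, today, requested_months)


def reactivate(acct: AccessAccount, today: date, *,
               identity_verified: bool, manager_approved: bool) -> AccessAccount:
    """Reactivation restarts the same lifetime and needs both proofs."""
    if not (identity_verified and manager_approved):
        raise PermissionError("reactivation requires proof of identity and management approval")
    return AccessAccount(acct.employee, today, acct.requested_months)


def review(accounts, today: date) -> dict:
    """Map each employee to the status of their access account on the given day."""
    return {a.employee: evaluate(a, today) for a in accounts}


# Constructed sample records, reviewed as of the post's date.
TODAY = date(2015, 6, 3)
ALICE = AccessAccount("alice", date(2014, 9, 1), None, date(2015, 5, 20))   # active
BOB = AccessAccount("bob", date(2014, 3, 1), 12, date(2015, 2, 20))         # lifetime expired
CAROL = AccessAccount("carol", date(2015, 1, 15), 24, date(2015, 2, 1))     # unused 122 days

if __name__ == "__main__":
    for name, status in review([ALICE, BOB, CAROL], TODAY).items():
        print(f"{name}: {status}")
```

Expiry is checked before inactivity so that an account past its lifetime is reported as expired even when it was used recently; both conditions require the same two proofs to clear, and a reactivated account starts a fresh lifetime of the originally requested length rather than inheriting the old expiry date.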
Production Staff Access: Production staff may only enter the secure area when explicitly requested by a corporate employee, and only after confirming the request with the designated corporate director-level contact.
Access Monitoring: All access to the production facility must be constantly monitored during all hours of the day, 24×7×365. This monitoring must consist of at least the following:
• Camera recording of the production area
• Video screen monitoring by production staff
• Video tape recording 
Access via Secure Area: Access to the highly secure area is provided via the secure area. Thus, all security requirements pertaining to the secure area are prerequisites for access to the highly secure area.
Buddy System: A minimum of two employees is required for access to the highly secure production equipment facility. Unaccompanied access to the highly secure production facility is prohibited.
Three-Badge Access Requirement: Access to the highly secure equipment room from the outside requires both a corporate employee and a production facility employee. Once access is granted, the corporate employees may remain in the production room without production employee escort.
Biometric Authentication: All employees requiring access to the highly secure facility must be authenticated via a biometric device that uniquely identifies the individual based on some personal biological characteristic.
Production Staff Access: Production staff may not enter the highly secure area under any circumstances.
Room Access Based on Job Function: Room access to the secure and the highly secure areas must be restricted based on employee job function.
Health and Safety
The health and safety of people is of paramount importance. There is no higher priority for any organization. All other policies are secondary and must not infringe on the safety of individuals during a crisis or during normal operations in Software Development Companies. Policies designed to protect the lives of people vary widely—a few are listed here as examples, but these are unique to each situation.
Search of Personal Property: The production facility must examine any bags or personal carrying items larger than a purse or handbag.
Tailgating: Tailgating or piggybacking (following a person into a building) is prohibited, and allowing any person to tailgate or piggyback is prohibited.
Security Drills: Regular security drills (simulated security breaches without advance warning) must take place to test the effectiveness of security measures. These drills can take the form of unauthorized access attempts, equipment entrance or removal, or any other appropriate test of production facility security measures.
