Recommended Practices for Sites and Physical Security

Revised: 15 Oct 2015 by ITSC

Appropriate controls should be employed to protect physical access to resources. These may range from extensive security installations to protect a room or facility where server machines are located to simple measures taken to protect a user’s display screen.

Physical Site and Environment

  • Careful site selection and accommodation planning of a purpose-built computer installation shall be conducted. Reference should be made to the security specifications for construction of special installations or offices as the standard.
  • Data centers and computer rooms shall have good physical security and strong protection from disaster and security threats, whether natural or caused by other reasons, in order to minimize the extent of loss and disruption.
  • Backup media containing business essential and/or mission critical information shall be sited at a safe distance from the main site in order to avoid damage arising from a disaster at the main site.

Equipment Security

  • All information systems shall be placed in a secure environment or attended by staff to prevent unauthorized access. Regular inspection of equipment and communication facilities shall be performed to ensure continuous availability and failure detection.
  • Staff in possession of mobile devices or removable media for business purposes shall safeguard the equipment in their possession, and shall not leave the equipment unattended without proper security measures.
  • IT equipment shall not be taken away from sites without proper control.

Physical Access Control

  • A list of persons who are authorized to gain access to data centers, computer rooms or other areas supporting critical activities, where computer equipment and data are located or stored, shall be kept up-to-date and be reviewed periodically.
  • All access keys, cards, passwords, etc. for entry to any of the information systems and networks shall be physically secured or subject to well-defined and strictly enforced security procedures.
  • All visitors to data centers and computer rooms shall be monitored at all times by authorized staff. A visitor access record shall be kept and properly maintained for audit purposes.
  • To prevent illegal system access attempts, if there has been no activity for a predefined period of time, re-authentication should be activated or the logon session and connection should be terminated. Also, user workstations should be switched off, if appropriate, before leaving work for the day or before a prolonged period of inactivity.
  • All staff shall ensure the security of their offices. Offices that can be directly accessed from public areas and contain information systems or information assets should be locked up when not in use or after office hours.
  • The display screen of an information system on which classified information can be viewed shall be carefully positioned so that unauthorized persons cannot readily view it.