Sample Physical Access Standard

From HORSE - Holistic Operational Readiness Security Evaluation.

Sample Physical Access Control Standard


The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.

This Physical Access Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for proper controls to physically access Company information assets.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Authorization refers to the controls for determining the resources that Users are permitted to access based upon the permissions and privileges for which they have been authorized.

Confidential Areas refers to the Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit information that has been classified as "Confidential".

Confidentiality classifications are defined in the Sample Information Classification Standard.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Internal Use Only Areas refers to the Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit information that has been classified as "Internal Use Only".

Non-Temporary Employee refers to all employees, part-time workers, temporary workers, consultants, and contractors that require access to Company premises for more than 30 days.

Restricted Areas refers to the Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit information that has been classified as "Restricted".

Sensitive Information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

Temporary Employee refers to all employees, part-time workers, temporary workers, consultants, and contractors that require access to Company premises for less than 30 days.

II. Requirements


A. General


1. Sensitive information assets must be protected with physical access controls that correspond to the confidentiality classification of the information.


2. Physical access controls must be defined to provide only the level of physical access required to meet an approved need or perform prescribed job responsibilities.


3. Server and network devices that store, process, and transmit sensitive information must be kept in a secured facility with access restricted to authorized persons.


4. Company-issued electronic key cards are required to access Company Confidential Areas and Restricted Areas.


5. All Non-Temporary Employees must be provided with a Company-issued picture identification badge.


6. A temporary identification badge will be issued to all Visitors, Temporary Employees, and Non-Temporary Employees who have forgotten their identification badges, after an authorized Non-Temporary Employee displays a valid picture identification badge and signs them in.


7. All temporary identification badges must be returned by the end of the business day.


8. All persons must visibly display a valid identification badge while inside Company controlled areas.


9. Lost or misplaced identification badges and electronic key cards must be reported to the <SPECIFY CONTACT> and immediate supervisor within twenty-four (24) hours.


10. Lost or misplaced electronic key cards should be disabled immediately upon notification.


11. Identification badges and electronic key cards must be collected by immediate supervisors or Human Resources representatives as part of "out-processing" for terminated employees, at the end of contract or service for consultants and contractors, and for departmental transfers (as needed).


12. Electronic key cards must be disabled within twenty-four (24) hours of notification of a status change (for example, termination or change in job).


13. Identification badges and electronic key cards should not be shared.


14. Non-employees must be escorted at all times while on Company premises.


15. An independent third party should test (exercise) physical access controls at least annually to identify and assess vulnerabilities and weaknesses in Company processes and procedures.


B. Internal Use Only Areas


1. Access to Internal Use Only Areas should be controlled.


2. Entrance doors must never be propped open while unattended.


3. Access logs should be regularly reviewed for compromises and abnormal patterns.


4. Access lists and records should be reviewed and reconciled on an annual basis to validate employee access permissions.


C. Confidential Areas


1. Access to Confidential Areas should be controlled by Company-issued electronic key cards and logged.


2. Confidential Areas should be limited to a single primary entrance location.


3. The entrance door must never be propped open.


4. Access logs and security reports should be reviewed weekly for violations, compromises, and abnormal patterns.


5. Access lists and records should be reviewed and reconciled on a monthly basis to validate employee access permissions.


D. Restricted Areas


1. Access to Restricted Areas should be controlled by Company-issued electronic key cards and logged.


2. Restricted Areas should be limited to a single primary entrance location.


3. The entrance location should be video monitored and recorded.


4. The entrance door should be equipped with a system (e.g., mantrap) that will separately admit only one individual at a time.


5. The entrance door should be equipped with additional authentication devices such as biometrics to uniquely identify the employee.


6. The entrance door must never be propped open.


7. Access logs and security reports should be reviewed daily for violations, compromises, and abnormal patterns.


8. Access lists and records should be reviewed and reconciled on a weekly basis to validate the level of access granted to individuals.


9. The systems located in Restricted Areas should be physically secured in locked enclosures.


10. Each system enclosure should have a unique lock and key.


11. Keys to system enclosures will be provided only to authorized personnel, only on Company premises, and only upon proper authentication, and must be returned immediately after use.


12. System enclosures should remain locked at all times when not in use.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Physical Access Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Physical Access Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Physical Access Standard is properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Physical Access Standard.

Building and Facilities Managers are responsible for reviewing access logs and records in accordance with the requirements of the Physical Access Standard; periodically validating the access granted to individuals; and providing a physically secure environment for sensitive information assets.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Physical Access Standard; defining the physical access control requirements for information assets associated with their functional authority; processing requests in accordance with the Company-approved access request procedure; determining the level of access and authorizing access based on Company-approved criteria; and ensuring the revocation of access for those who no longer have a business need to access information assets.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; reporting physical access violations in a timely manner; and implementing procedural safeguards and cost-effective controls that are consistent with the Physical Access Standard.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Physical Access Standard and associated guidelines; reporting physical access violations in a timely manner; reporting lost or misplaced Company-issued identification credentials such as badges and key cards within twenty-four (24) hours to <SPECIFY CONTACT> and their immediate supervisor; cooperating with reasonable security investigations; and ensuring that identification credentials such as badges and key cards are not stored in a place where unauthorized persons might discover them.

IV. Enforcement and Exception Handling


Failure to comply with the Sample Physical Access Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Sample Physical Access Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Sample Physical Access Standard.

V. Review and Revision


The Physical Access Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer