Standard 9.1 Secure Areas
BG Group
Information Management
Standard 9.1 Secure Areas
Change history
Next review date: 1.9.06
Objective
To prevent unauthorised access, damage and interference to business premises and
information.
Standard
1. Physical security perimeter
Physical site security is achieved through the implementation of security barriers to
ensure that IT facilities supporting critical or sensitive business activities have a
consistent level of security protection.
The security perimeter must be clearly defined for the general protection of the site
and its personnel, property and equipment, which are all vulnerable to the threat of
criminal activity including assault, illegal entry, theft and vandalism.
Security measures such as security guards, perimeter fence, controlled access, lighting
and Closed Circuit Television (CCTV) should be considered for the security
perimeter.
A formal site procedure for physical security must be defined on a site-by-site basis
and reviewed if the level of threat changes. Every site within the Company must have
a local senior manager nominated by management as being responsible for the site,
i.e. a site landlord.
The security of the site is the responsibility of the site landlord, with support from the
IM Security and Policies team. The site landlord and the IM Security and Policies
team must assess the threat of a breach of security in the building where computer
equipment is housed. They must consider the level of security for the computer suite
in addition to the offices where computer equipment is located.
2. Physical entry controls
Appropriate entry controls must be provided for each secure area to ensure that only
authorised personnel are allowed access.
Secure Areas Version 1.2
© 2005 BG Group. Date: Aug 2005
All visitors must report to a reception area, and their date and time of entry and
departure must be recorded. A visitor’s pass must be issued. Visitors’ badges must be
displayed at all times and returned when leaving the premises.
Visitors must only be granted access for specific authorised purposes. Visitors must
be escorted to and from the reception area.
All personnel are required to wear visible identification passes and are encouraged to
challenge strangers.
Security passes and access rights must be revoked immediately for staff who leave
employment.
3. Securing offices, rooms and facilities
Sensitive information, documents and equipment must always be stored securely in a
way that is commensurate with its value and risk of loss, tampering or disclosure.
IT facilities supporting critical or sensitive business activities must be physically
protected from unauthorised access, damage and interference. They must be sited in
secure areas, protected by a defined security arrangement, with appropriate entry
controls and security barriers. Servers are not permitted outside secure computer
rooms that are designated and properly equipped for that purpose.
4. Protecting against external and environmental threats
Physical protection should be in place to guard against damage from fire, flood,
earthquake, explosion, civil unrest, and other disasters.
Equipment for the purposes of disaster recovery and backup media should be stored at a
safe distance from main computer installations to reduce the risk of a disaster causing
damage to both.
5. Working in secure areas
Locations housing IT facilities that support critical business activities, determined by
risk analysis, may require a higher level of physical security protection. Locations that
need this consideration are:
· Data Centres
· Rooms containing LAN servers
· Rooms containing business specific computer hardware, such as mail servers,
etc.
· Rooms containing LAN or WAN communications facilities, such as cabling,
hubs, modem racks, patch panels, controllers etc.
· Rooms containing sensitive information, e.g. Finance, Human Resources.
The following guidelines need to be taken into consideration:
Locations must be sited away from areas of public access and away from hazardous
and combustible materials.
All sites must have appropriate devices for the detection of smoke and fire. (Specific
computer rooms must have exceptional temperature and humidity controls). These
must be connected to alarms that are tested on a regular basis. In addition, safety
equipment must be checked regularly in accordance with manufacturers’ instructions
and employees properly trained in their use.
There must be established emergency procedures to cover evacuation of sites,
necessitated by fire and other physical hazards, which must be published and
rehearsed.
Food and drink must not be taken into a controlled computer room environment.
Fire doors must remain closed but not locked.
The power supply must isolate automatically when a fire is detected.
Physical access to data centres and IT equipment rooms must be restricted by means
of physical access control devices such as keys, combination locks, or card keys.
Access by unauthorised personnel must be prevented at all times.
The identity and authorisation of all persons seeking to enter computer rooms must be
verified.
Installation, maintenance and other engineers must be given a temporary pass only;
each visit must be supervised and recorded.
When a person leaves the Company or moves to another department, all access
authorisations must be revoked; for example, entry keys or cards must be surrendered
immediately.
A visitor's log must be maintained, detailing name, time of entry, company etc. for all
visitors to the secure areas of the site.
6. Isolated delivery and loading areas
The loading and delivery area for computer supplies and equipment deliveries should
be separate from the data centre or computer equipment room, to reduce the
opportunity for unauthorised access. The loading area must be designed so that
supplies can be delivered without access being gained to other areas of the building.
Procedures
Procedure 9.1 TVP Access Control Procedure
Warwick access procedures
Control Evidence
Annual inspection of computer room and secure areas.
TVP monthly review of access control.