Physical and environmental security policy

Purpose

Any loss, compromise, or misuse of council information and associated assets, however caused, could have potentially devastating consequences for the council and may result in financial loss and legal action.

The purpose of this document is to define the requirements for physical and environmental security that will be applied to maintain the confidentiality, integrity and availability of information and information systems supporting the business functions of the council.

Introduction

Information processing facilities supporting council business activities must be located within a secure area to protect them from unauthorised physical access and damage.

This policy applies to:

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council’s Information Security Officer.

In adhering to these standards, employees must not put themselves at personal risk.

The following policies should be read in conjunction with this policy:

Physical security areas

Just as it is essential to identify sensitive information, there is also the need to identify and accord appropriate levels of protection to different areas within buildings. The physical security requirements for areas will depend upon:

The council has identified 4 such areas and the physical protection procedures required.

Public areas

These are areas that are freely accessible to the public. Here, the value of IT assets is either low (usually a desktop PC in reception) or the assets are physically large (for example, a self-service kiosk). Access to information may be unrestricted (for example, to publicly accessible web pages) or for a designated individual (for example, to enable a customer to pay their Council Tax bill).

All equipment not specifically for public access should be sited to minimise the risks of unauthorised access or compromise of information.

Publicly accessible systems used to display confidential information should be sited in such a way as to prevent another member of the public viewing the displayed data.

All publicly accessible kit should be appropriately defended against vandalism, modification and theft.

General office areas

These are the typical office areas that are normally accessible only to employees and admitted guests (including commercial/business people, members of the public). Here, the value of IT assets is not excessive (usually desktop PCs and laptops) and access to sensitive information (for example, a specific individual’s Council Tax account, rent arrears reports) is closely controlled.

General office areas must be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

Visitors must be supervised, and their name, company (if relevant), date and time of entry and departure, and person(s) visited recorded. Visitors must only be granted access for specific, authorised purposes.

All employees issued with an identification badge must have it clearly on display when inside council properties and sites. Only issued corporate staff lanyards are to be used by permanent employees. Identification cards and lanyards should not be worn in public unless there is a work-based necessity.

Support functions and equipment (for example, photocopiers, fax machines, printers) must be sited to minimise the risks of unauthorised access or compromise of information.

Sensitive areas

These are also typical office environments with desktop PCs and laptops. However, the sensitivity of the information processed is high (for example, Child Protection Register, personal information).

Sensitive areas must be protected by appropriate entry controls to ensure that only authorised employees are allowed access.

Visitors must be supervised, and their name, company (if relevant), date and time of entry and departure, person(s) visited and the purpose of the visit recorded. Visitors must only be granted access for specific, authorised purposes.

All employees issued with an identification badge must have it clearly on display when inside council properties and sites. Only issued corporate staff lanyards are to be used by permanent employees. Identification cards and lanyards should not be worn in public unless there is a work-based necessity.

Employees supplying or maintaining support services will be granted access to sensitive areas only when required and authorised. Where appropriate, their access will be restricted and their activities monitored.

Sensitive areas must be physically locked outside office hours and checked periodically.

Support functions and equipment (for example, photocopiers, fax machines, printers) must be sited to minimise the risks of unauthorised access or compromise of sensitive information.

Secure areas

These are communication rooms and computer rooms, rooms accommodating servers, etc. that support critical and/or sensitive activities, and areas housing vital information and documents that require a higher level of physical security compared to other operating environments.

Secure areas must have a higher level of physical and environmental security protection to minimise the possibility of damage from fire, flood, explosion, terrorism, and other forms of natural or man-made disaster. Officers must determine and designate the area(s) within their operating environment according to the above classification and ensure the relevant physical protection mechanisms are implemented.

Access will be controlled by an access control device, preferably one with an audit trail (something other than a key or a keypad). If such a device is not fitted then a manual log of entry and exit must be maintained.

When unattended, or where the support employees are remote, rooms should be kept locked and an access and egress log maintained.

The fire control system must meet BS6266 - Code of Practice for Fire Protection for Electronic Data Processing installations, and the following must be in place:

All computer rooms should undergo cleaning of all surfaces at least every six months by personnel experienced in the cleaning of electronic equipment.

Where equipment requires environmental control, rooms must be air-conditioned with humidity set at 50-55% and temperature at 65°F. Means of monitoring the environment and an alarm on the conditioning equipment must be installed. All such environmental controls must meet the requirements of BS7083 - Recommendations for the Accommodation of Operating Environment of Computer Equipment.

Equipment siting and protection

Workstations displaying sensitive data must be positioned to reduce the risk of overlooking.

Where possible, IT equipment must be sited or protected to reduce risks from unauthorised access, theft, and environmental hazards such as fire, flood, dust, chemicals, electromagnetic interference, and loss or fluctuation of power supply.

CCTV may be a useful aid to monitor the activities of the public/visitors in publicly accessible areas.

Buildings - external physical security

The physical security requirements for areas will, at least to some extent, depend upon the security classification of the areas that they contain.

Security lighting

Security lighting can offer a high degree of deterrence to the potential intruder in addition to providing the illumination necessary for effective surveillance. The standard of lighting should, however, meet the minimum requirement and its installation be appropriate to the site conditions.

Doors

External doors should provide some resistance to forced attack. Keys to external doors should be held under secure conditions but should be readily accessible to authorised persons. External doors that are never used and which are not emergency exits should be bricked up or permanently secured.

External doors leading to areas other than public areas must have a mechanism to control unauthorised access. These should normally be locked outside of normal working hours.

Emergency exits

There is often a conflict between demands for security and those of safety when it comes to securing emergency exits. Most emergency exit locks, including those of bar release type, are not fully secure and emergency exits should normally be fitted with intruder detection devices.

Inter-communicating doors

Doors communicating with other parts of a building designated as being of a different security classification in general provide a degree of security similar to that of external doors. Doors leading to sensitive or secure areas may need to be protected with intruder alarms.

Windows

Basement, ground floor and other windows that are readily accessible should have secure fittings. Window catches should be regularly examined and defective catches replaced. Intruder alarms should be considered for windows in secure or sensitive areas.

Where it is necessary to secure a window more effectively than by the use of lock, catch or bolt (for example, secure areas), the use of bars, grilles or shutters should be considered along with the use of intruder detection sensors.

Any window or opening described here must be closed and secured when the room or area it could access is unoccupied.

Double-glazing can provide excellent protection against covert attack and some protection against forced attack. It is unobtrusive, may draw less attention to a sensitive area and is more acceptable than bars or grilles. Double-glazing can also be alarmed.

Other access points

Roofs and roof doors should be periodically surveyed to see whether there is access on to them from adjoining buildings, nearby buildings, trees, fire escapes, window cleaning equipment, etc.

Access to the upper floors of a building or from the roof may often be afforded by way of rainwater or soil down-pipes. Such access may be restricted by boxing in the pipes or by treating them with anti-climb paint - this should be applied at heights above 8 feet to avoid accidental contact by passers-by.

Public utilities

Gas, electricity and water supply installations within buildings may offer potentially vulnerable access points. Where possible, cables and pipes within buildings should enter the building underground. Public service meters should, wherever possible, be so sited that access to them does not require entry into secure or sensitive areas.

Delivery and loading areas

At each site an isolated delivery and loading area is provided for supplies and equipment deliveries. It is sited to reduce the opportunities for unauthorised access to the working areas and secure offices. The following controls are implemented:

Perimeter fence

Given that, in many cases, the public will have access to buildings, a perimeter fence is unlikely to be generally acceptable. However, as it does form a useful barrier and delay to the opportunist intruder it may be most appropriate to protect secure areas.

Where installed, the following features are desirable:

Fire and flood prevention

Fire prevention

The following is a checklist of the various precautions that may be taken against fire:

Flood prevention

Water damage can easily ruin computers, putting the organisation out of business for a long time. The following is a checklist of the various actions that may be taken as a precaution against flooding:

Power supplies

Information processing equipment should be protected from power failures or other electrical anomalies. A suitable electrical supply is to be provided that complies with the equipment manufacturer’s specifications. Options to achieve continuity of power supplies include:

A UPS to support orderly close down or continuous running is recommended for equipment supporting critical business operations. Contingency plans cover the action to be taken on the expiry of the UPS. UPS equipment is regularly tested in accordance with manufacturer’s instructions.

A back-up generator should also be available for equipment supporting critical business operations in order to continue any processing in case of prolonged power failure. Where generators are in place they should be regularly tested in accordance with the manufacturer’s instructions.

For further information on business continuity requirements, please refer to the Business Continuity Management Policy.

Lightning protection is applied to all buildings and lightning protection filters are fitted to external communications lines.

Cabling security

Power and telecommunications cabling carrying data or supporting information services is protected from interception and damage.

Within council office working areas, power and telecommunications lines into information processing facilities are hidden/underground and avoid routes through public areas.

Power cables are segregated from communication cables to prevent interference.

Supporting utilities

All supporting utilities, such as electricity, water supply, sewage, heating, ventilation and air conditioning, should be adequate for the systems they are supporting. Supporting utilities should be regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk from their malfunction or failure.

Access controls

Control of entry into council buildings, sites and locations is important for the security of our information systems (both computerised and manual) and their employees. Appropriate entry controls must be provided to ensure that only authorised employees are allowed access. This can best be achieved through an ID card/pass system. This system of access control must be rigidly enforced in buildings and areas housing sensitive information assets. In buildings where IT facilities are located and where there is public access, special measures for the enforcement of the access control system should be taken, particularly after normal office hours.

ID card/pass system

To be effective, the following needs to be observed:

Visitors

As well as the above conditions relating to ID cards, holders of visitors’ passes must be escorted by the person visited (or their representative) from and to Reception.

Any person not wearing their ID card should be questioned or reminded. Tailgating (allowing a person without proper ID to follow through security doors) is not permitted.

Security of equipment off premises

Security procedures and controls must cover the security of equipment used outside council premises. IT equipment (regardless of ownership) used outside council premises to support business activities must be subject to the equivalent degree of security protection as office equipment.

The following must be applied:

Security of paper-based information

The same standards of physical and environmental security that are applied to electronic-based information should also be applied to paper-based information.

Where appropriate, consideration should be given to using fireproof safes for storing ‘vital’ paper-based information.

Paper-based information should be processed and stored in secluded rooms. However, due to space restrictions, rooms/areas may be shared with other non-sensitive functions and effective physical controls will be difficult to achieve in such conditions. Wherever possible, sensitive information (paper-based and electronic) should be processed and stored away from non-sensitive information, so they may be afforded appropriate levels of protection.

Filing cabinets and rooms holding sensitive paper-based information, back-up disks, video and audio recordings, should be locked outside normal working hours, unless auditable access controls are in place.

Clear desk policy

Employees are required by the Acceptable Use Policy to adopt a clear desk policy to reduce the risks of unauthorised access, loss of or damage to information.

Disposal of confidential waste

Council information can be compromised through careless disposal and reuse of equipment.

All disposal of equipment and paper must follow the Confidential Waste Disposal policy.

Re-use of equipment

All items of equipment containing storage media (fixed or hard disks) are checked to ensure that any sensitive data or licensed software is removed or overwritten before disposal.

All re-use of equipment must follow the Confidential Waste Disposal policy.

Policy compliance

The council expects that all employees will comply with the directives presented within this policy. This policy will be included within the Information Security Internal Audit Programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question.

In such cases, the staff member concerned must take the following action:

Failure to take these steps may result in disciplinary action.

In addition, the ICT Security Analyst maintains a list of known exceptions and non-conformities to the policy. This list contains:

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.


Policy details

Author - Information and Data Governance Board
Owner - Cyber Security
Version - 3.8
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 16.01.2008
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024
