9. Physical & Environment Security

Control objective: to prevent unauthorized physical access, damage and interference to the organization premises and information.

PDF 9.1 Secure Areas

    9.1.1 Physical security perimeter

    The Organization uses security perimeters to protect areas that contain information and information processing facilities. All the Organization sites have physical security perimeters. The minimum specification checklist for the physical security perimeter is in DOC 9.7 and the Information Security Manager ensures that each site is checked on a monthly basis. The Information Security Manager is responsible for maintaining both site’s secure perimeter. The Organization central information processing facilities are within secure areas, each of which have Owners (see sub section 7.1.2) that are themselves within a site’s secure perimeter. The Information Security Manager has a site map for each site or secure area, together with a current security checklist DOC in sub section 9.7 that identifies the current state of conformity to the requirements in that checklist.

    9.1.2 Physical entry controls
    Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. A risk assessment (see sub section 4.4) is used to determine the type of entry controls that might be required for secure areas and these are implemented in line with the requirements of DOC 9.6 and DOC 9.8. Information Security Manager is responsible for maintaining required physical entry controls.

    9.1.3 Securing offices, rooms and facilities

    The Organization has designed and applied physical security for offices, rooms and facilities. Organization conducts risk assessments (DOC 4.4) of individual offices, rooms and facilities that contain confidential or high risk information assets to identify the controls that might be necessary to secure them. These are implemented in line with DOC 9.7. There are no sites where confidential information processing facilities are shared with a third party organization, other than under the terms of a contract (see sub section 6.2.3)

    9.1.4 Protecting against external and environmental threats

    The Organization has designed and applied physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster Organization has assessed the risk of external and environmental threats and has applied controls that are included in DOC 9.7 or that are part of the Business Continuity Management framework (see Section 14).

    9.1.5 Working in secure areas

    The Organization has designed and applied physical protection and guidelines for working in secure areas and these are contained in DOC 9.8.

    9.1.6 Public access, delivery and loading areas

    Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises are controlled and isolated from information processing facilities to avoid unauthorized access. Organization controls for delivery and loading areas are detailed in DOC 9.9.

9.2 Equipment security

Control objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization activities

    9.2.1 Equipment site locating and protection

    Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access The Information Security Manager is responsible for implementing the requirements of DOC 9.10, which include this control.

    9.2.2 Supporting utilities
    Equipment is protected from power failures and other disruptions caused by failures in supporting utilities. Information Security Manager is responsible for implementing the requirements of DOC 9.10, which include this control.

    9.2.3 Cabling security
    Power and telecommunications cabling carrying data or supporting information services is protected from interception or damage Information Security Manager is responsible for implementing the requirements of DOC 9.10, which include this control.

    9.2.4 Equipment maintenance
    Equipment is correctly maintained to ensure its continued availability and integrity Information Security Manager is responsible for implementing the requirements of DOC 9.10, which include this control.

    9.2.5 Security of equipment off-premises

    Security is applied to off-site equipment taking into account the different risks of working outside the Organization premises of mobile equipment are required, as part of their User Agreements (see 11.1), to provide appropriate physical security for equipment when off-site and to ensure that manufacturer’s instructions for protecting equipment are followed. Home working is not permitted for the Trust Centre. The Organization specifically does not provides cover against loss of or damage to mobile devices because no mobile divides are used by the Trust Centre.

    9.2.6 Secure disposal or re-use of equipment
    All items of equipment containing storage media are checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal Organization has a standard procedure (DOC 9.11) to ensure that storage media are made safe for disposal.

    9.2.7 Removal of property
    Equipment, information or software may not be taken off-site without prior authorization as required by DOC 9.12

9.7 Additional requirements

    9.7.1 All organizational sites that contain information processing facilities are required to conform to the following minimum specification. Additional requirements may, dependent on a risk assessment, be applied to any site. In such cases, details of the risk assessment will be attached to the copy of this list.

    9.7.2 If there is a computer or communications room or other designated secure area within one of the Organization’s sites, treat it as a separate set of premises and complete a checklist for each room AS WELL AS for the site.

    9.7.3Ensure any Health and Safety issues have been identified and resolved.

    Site Address:

    Date and time of Inspection:

    9.7.3 Attach a current site (room) map, with the physical security perimeter clearly marked.

    9.7.4 Identify and list the information assets that are on the site together with their information security classification:

    9.7.5 Checklist (identify improvement requirements):

    a) Completeness of perimeter:
    b) External walls of solid construction:
    c) Access possible over walls/through roof?
    d) Access possible under walls?
    e) External doors solid?
    1. With required locks/breach alarms?
    2. With automatic closing mechanisms?
    3. Remote access doors protected by cameras?
    f) External windows locked/barred?
    g) Fire doors alarmed and monitored in accordance with Work Instruction DOC 9.2
    h) Fire alarms installed and working (DOC 9.2)
    i) Fire suppression equipment installed and working (DOC 9.4)
    j) Burglar/intruder alarms installed and working (DOC 9.3)
    1. All [accessible] external windows covered?
    2. All external doors covered?
    3. Unoccupied areas alarmed at all times?
    4. Reception area controlled (DOC 9.6)
    k) Air conditioning installed and working (DOC 9.5)
    l) Health and safety regulations [insert details of relevant code] applied?
    m) (If it houses systems processing confidential information) how easy is it for the public to access the facility?
    n) (If it houses systems processing confidential information) how unobtrusive is this to the public? Are there any obvious signs of information processing activities?
    o) Are internal directories appropriately classified to restrict access to details of confidential sites?
    p) Are hazardous, combustible materials safely stored (at a safe distance from a secure area)?
    q) Are bulk supplies of non-confidential items stored outside secure areas?
    r) Are necessary fire extinguishers available [insert details of requirements] and tested [insert details of testing regime]?

    Distribution: copies of this report are held by the Premises Security Manager and the Information Security Manager.

    The Site Security Managers at the CIO are the owners of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

9.8 Physical Entry Controls & Secure Areas

    1 Scope [ISO 17799 clauses 9.1.2 and 9.1.3]

    All designated secure areas (see DOC 9.7 and DOC 9.10) on any of the Organization’s premises are subject to controlled access and usage.

    2 Responsibilities

      2.1 Every secure area has an Owner (see sub section 7.1.2 of the Manual) and the Owner is responsible for ensuring that prescribed controls are maintained and as otherwise specified below.

      2.2 The [Site Manager/secure area Owner] is responsible for authorizing access to secure areas.

      2.3 All employees, contractors and third parties have certain responsibilities as defined below. Procedure

    3 Secure areas must be locked at all times. The lock specification is as set out in sub section 11.1 of this manual. The Owner must check the secure area at least once per day, even if no-one is working in it.

    4 Access to secure areas/areas where confidential or restricted information is processed (including in conversation) or stored is restricted to authorized persons. Authorization is provided as set out in sub section 11.1 of this manual.

    5 Access to secure areas requires authentication and authorized persons are issued with username and password access controls as provided and set out in sub section 11.1 of this manual.

    6 The Owner of a secure area is responsible for ensuring that no unsupervised working takes place within the secure area.

    7 The authentication system retains a record of accesses and these are reviewed monthly to identify any unauthorized accesses.

    9 The Owner of a secure area is responsible for ensuring that photographic, video, audio or other recording equipment and mobile phone cameras are not taken into the secure area.

    10 All employees, contractors and third parties are required to wear an identification badge issued by the Guards at the entry point to the National Smart Card Centre on arrival. These ID cards are only issued upon presentation and verification of a Passport or CPR card and are required to notify security if they encounter unescorted visitors and anyone not wearing required identification (see DOC 9.6).

    11 Third party support personnel only have access to secure areas when required and this access is specifically requested, authorized and monitored as set out in sub section 11.1 of this manual.

    12 In general, the Owner of a secure area and all those who are authorized to work within it, are required only to divulge details of the area and what is done in the area to other staff on a need to know basis.

9.10 Equipment Security

All information processing equipment owned or used by the Organization is subject to secure site location and protection requirements.

    9.10.2 Responsibilities Owner of an information asset as described in this ISMS is responsible for the site location and protection of information equipment. The Site Managers are responsible for ensuring that equipment is protected from possible power supplies and other power-related disruptions. The Site Managers are responsible for cabling security. The Site Managers are is responsible for maintenance of equipment. The Site Managers are responsible for the secure site location or all telecommunications facilities. The Information Security Manager is responsible for defining and resourcing business continuity needs. Director General of IT is responsible for insurance. Where necessary, other responsibilities are identified in the course of this procedure. Access to secure areas is controlled in line with DOC 9.8.

    9.10.3 Site location and protection of equipment [ISO 17799 clause 9.2.1]

    The requirements are:

    a) That equipment is sited so as to minimize [public/unnecessary] access to work areas;
    b) Information processing and storage equipment (including faxes, photocopiers and telephone equipment used for confidential information) is sited in secure areas [server/communications rooms/secured offices] so that it is not possible for confidential information to be seen by unauthorized people;
    c) Secure areas are subject to the same level of physical perimeter protection as secure sites;
    d) Equipment that requires special protection is isolated in the CA Inner Core Room;
    e) Controls are implemented to deal with theft (see sub section 9.1 of the Manual), natural or man-made disaster (see sub section 9.1.4 of the Manual).
    f) The Organization does not allow smoking inside any of its sites, nor does it allow eating or drinking inside secure areas;
    g) Secure areas are monitored for temperature increases above X degrees Celsius and an acceptable limit has been set at X degrees Celsius and the Information Security Manager receives an immediate alert as set out in the OWI for the fire detection system once they are breached.

    9.10.4 Supporting utilities [ISO 17799 clause 9.2.2] All servers and communications equipment used for the CA project are in secure areas that have adequate power supplies. For each secure area, the maximum power requirements are calculated by reference to the manufacturer’s recommendations for each device plus the requirements for other items running off the same supply plus an element for buffer to be allow for ongoing changes and the Site Managers have incoming power cables checked by cleared suppliers to ensure that they supply adequate power. Offices and other (non-secure) areas that contain information-processing equipment are similarly assessed to ensure that power supplies are adequate.

      b) The Site Managers are responsible for ensuring that Heating and Ventilation engineers provide a formal report on the heating, cooling/air conditioning and ventilation requirements of each secure area and each site that contains information processing equipment and for reporting on the adequacy or otherwise of current installations. Shortfalls in requirements are to be treated by escalating their concerns to the Information Security Manager for Risk Assessment, treatment and the creation of an Operation Work Instruction [OWI] as necessary.

      c) The Site Managers are responsible for ensuring that all supporting utilities and equipment is inspected (also see DOC 9.7 and DOC 9.8) on a frequency determined by manufacturer’s recommendations [and previous inspections] and that inspection certificates are retained in line with sub section 15.1.3 of the Manual. A UPS is installed outside each secure area and their operation and working are outside the scope of this ISMS other than to state that they are available and operational as a ‘fail over’ power supply. The Information Security Manager has assessed the risk of their failure and prepared the OWI in Appendix III to address the Risk associated with this system.

    9.10.5 Cabling security [ISO 17799 clause 9.2.3] Information Security Manager has a site map that identifies all network cabling and all incoming power and all lines are protected. cabling is protected from unauthorized access by virtue of this being a closed network and power and network cables are segregated using separate conduits and clearly marked for ease of maintenance on the site map. between these are further protected by:
      a) Electromagnetic shielding for cables;
      e) Technical sweeps and physical inspections that are carried out by the Information Security Manager and/or the Security Administrator to ensure that no unauthorized devices are attached to cables.

    9.10.6 Equipment maintenance [ISO 17799 clause 9.2.4] Information Security Manager The Information Security Manager is responsible for ensuring that all equipment on the site is maintained in line with manufacturers’ recommended service intervals and specifications. The Information Security Manager is maintains a schedule of all equipment, showing its due and actual service dates, and retains copies of the service reports, together with fault reports and details of preventative or corrective action (also see DOC 9.7). Only authorized and experienced maintenance personnel and only from suppliers identified on the current signed Asset List are permitted to carry out maintenance at the Trust Centre in line with the policy set out in sub section 11.1 of this manual. Equipment that processes or stores confidential information is serviced only by technicians who have been screened in line with the requirements of 8.1.2 of the Manual is cleaned of confidential information prior to servicing. The Organization’s insurance policy is the responsibility of the Director General of IT and is outside the commitments normally associated with a private enterprise.


      The Organization requires, under sub section 9.2.6 of the Manual, that all removable storage media are clean (which means: it is not possible to read or re-constitute the information that was stored on the device or document) prior to disposal.


      The Information Security Manager is responsible for managing the secure disposal of all storage media in line with this procedure when they are no longer required, and is the Owner of the relationship with Al Falwa Cleaning WLL who is the approved contractor for removing shredded documents.

      All Owners (see sub section 7.1.2 of the Manual) of removable storage media are responsible for ensuring that these media are disposed of in line with this procedure.

      Procedure [ISO 17799 clause 9.2.6]

      Hard disks must be cleared of all software and all Organizational confidential and restricted information prior to disposal or re-use, as set out in clause 5 below.

      The Information Security Manager is responsible for the secure disposal of storage media and the disposal of all information processing equipment is routed through his/her office. A log (REC 9.1) is retained showing what media was destroyed, disposed of, and when. The asset inventory is adjusted once the asset has been disposed of.

      Hard disks are cleaned by the Security Administrator prior to destruction.

      Devices containing confidential information are broken and then burnt prior to disposal and are never re-used.

      Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced in which case they are destroyed according to this procedure.

      Documents containing confidential and restricted information which are to be destroyed are shredded by their owners, using a shredder with an appropriate security classification. These shredders are located in the ISA Town National Smart Card Centre outside the Trust Centre. The waste is removed by the approved contractor.

      The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

      Yousif Mohammed Ali Muthanna Yousif Mohammed Abdulla
      Site Security Manager Site Security Manager

    ____________________________ ____________________________

    On: On:

    08 November, 2007

    Change history

    Issue 1 08 November, 2007 Initial issue