This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives.

Physical Security

One of the simplest but most effective means of protecting information assets is to use physical controls.

These range from the obvious, such as locking sensitive papers away in a drawer at the end of each working day, to more complex solutions such as integrating door access control systems with Closed Circuit Television Cameras (CCTV).

Methods used will depend on budget, the size and type of business, and the sensitivity of information. The following sections provide broad guidance on physical controls. Some may not be applicable to your organisation, but all are worth considering:

Risk Analysis

It is worthwhile performing a risk analysis exercise to understand the risks and requirements relating to physical security; this should help to decide which controls are appropriate.

Physical Access Control Cards/Tokens

If you use access control cards, all permanent staff and contractors should be issued with one. The card should remain the property of the company and be revocable at any time.

Entry cards should only be used by the person to whom they are issued, and should not be given to anyone else, even temporarily.

If you have front desk security staff, all badge holders should produce their ID or access token on request.

Review of access control rights on a regular basis, across all areas of the company, is essential.

Security Perimeter

It can be worth establishing a defined security perimeter around the company's premises.

This security perimeter should incorporate several layers, with consideration given to the following controls:

  • External walls that form part of the perimeter should be of solid construction
  • External doors that form part of the perimeter should be protected against unauthorised access attempts
  • Perimeter doors should be self-closing and alarmed
  • Barriers should extend from the real floor to the real ceiling, so that partitions cannot be bypassed through a suspended ceiling or raised floor
  • Unauthorised recording, photography or filming must be prohibited within the perimeter
  • All building entrances likely to be used by outsiders (visitors, delivery people) should be staffed

Secure Areas

There are areas within the security perimeter that may require additional controls. These areas are known as secure areas. Examples include:

  • Computer rooms
  • Network and communications equipment rooms/cabinets
  • Human Resources areas
  • Areas handling concentrations of sensitive information e.g. medical records stores

Only authorised personnel should be permitted to enter secure areas, and visitors to them should be supervised.

It is sensible to record the entry and departure of visitors to secure areas (for example, identities, dates, times), and visitors should be permitted access only for defined and authorised purposes.

All personnel within secure areas should wear visible identification, and staff should be encouraged to query unescorted strangers in secure areas.

As control lists tend to become out of date quite quickly, access rights to secure areas should be reviewed on a regular basis.
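As an added example (not part of the original guidance), the following Python script shows one way to carry out the regular review recommended here and in the access card section above: it reconciles a card export from the access control system against the HR roster and a secure-area authorisation list, and flags cards whose holder has left or is unknown to HR, cards that have not been used for a long period, and cards granting access to a secure area the holder is not authorised for. The CSV columns, area names, the 90-day staleness threshold and all records are constructed assumptions, not the format of any real access control product.

```python
"""
Periodic review of physical access rights (added example, constructed data).

Reconcile the access-control system's card export against the HR roster and
the secure-area authorisation list, and report cards that should be revoked
or whose access needs re-approval.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who is currently employed or contracted.
HR_ROSTER = """\
person_id,name,status,end_date
E100,Alice Jones,active,
E101,Bob Smith,left,2008-06-30
C200,Carol White,active,
C201,Dan Brown,active,
"""

# Constructed access-control export: one row per issued card, areas separated by ';'.
CARD_EXPORT = """\
card_id,person_id,areas,last_used
4001,E100,office;comms-room,2008-07-20
4002,E101,office;computer-room,2008-07-01
4003,C200,office,2008-02-11
4004,C201,office;hr-area,2008-07-18
4005,X999,office,2008-07-19
"""

# Constructed authorisation list: secure area -> people approved to enter it.
# Areas not listed here (e.g. 'office') are general areas and are not checked.
SECURE_AREA_AUTH = {
    "computer-room": {"E100"},
    "comms-room": {"E100"},
    "hr-area": set(),
}


def load_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_text, card_text, secure_auth, today, stale_days=90):
    """Return a list of (card_id, reason) findings for the reviewer to act on."""
    roster = {row["person_id"]: row for row in load_csv(hr_text)}
    findings = []
    for card in load_csv(card_text):
        cid, pid = card["card_id"], card["person_id"]
        holder = roster.get(pid)
        if holder is None:
            # A card with no matching person cannot be justified: revoke it.
            findings.append((cid, "no HR record for holder %s" % pid))
            continue
        if holder["status"] != "active":
            # Leavers' cards should have been revoked on their end date.
            findings.append((cid, "holder %s has left (end %s)" % (pid, holder["end_date"])))
            continue
        last_used = date.fromisoformat(card["last_used"])
        idle = (today - last_used).days
        if idle > stale_days:
            # Long-unused cards are a sign the access is no longer needed.
            findings.append((cid, "not used for %d days" % idle))
        for area in card["areas"].split(";"):
            if area in secure_auth and pid not in secure_auth[area]:
                findings.append((cid, "access to secure area %s not authorised for %s" % (area, pid)))
    return findings


def example_review():
    """Run the review over the constructed data as of the snapshot date."""
    return review_access(HR_ROSTER, CARD_EXPORT, SECURE_AREA_AUTH, date(2008, 7, 26))


if __name__ == "__main__":
    for card_id, reason in example_review():
        print("card %s: %s" % (card_id, reason))
```

On the constructed data the review reports card 4002 (holder has left), 4003 (unused for 166 days), 4004 (access to hr-area not authorised) and 4005 (no HR record); card 4001 is clean. In practice the roster and card export would be pulled from the HR system and the access control system on a schedule, and each finding would be tracked until the card is revoked or the access formally re-approved.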

Local Environment & Location

Many companies have limited choice when it comes to location. However, where possible, assess the site's exposure to the following hazards when deciding location and office organisation (data centres, computer rooms, etc.):

  • Fire
  • Flood
  • Explosion
  • Civil unrest
  • Other forms of natural or man-made disaster

The location exercise should also take account of:

  • Health and safety regulations
  • Threats from neighbouring premises (for example, a company making volatile chemicals)

Doors and Windows

  • Lock your doors and windows when they're not in use
  • Consider installing intruder detection systems. If you do so, test them periodically

Delivery Areas

If possible, isolate delivery and loading areas from main office work areas and information handling facilities. Access to holding and delivery areas should be restricted to those who need it.

Holding areas should enable items to be loaded or unloaded without access being gained to other parts of the building. External doors should be secured when doors giving access to other parts of the building are open.

Deliveries to a holding area should be registered on entry to the site and inspected for hazards before movement to their point of use.

Storage & Supplies

Hazardous or combustible material should be stored securely at a safe distance from normal premises. Computer supplies (such as stationery) should be stored away from computer rooms until needed.

General Controls

The following controls are common-sense suggestions that should enhance the protection of your information assets:

  • Establish a 'clear-desk' policy. Sensitive material left on an unattended desk invites disclosure or theft
  • Establish a 'clear-screen' policy. Workstations should be locked or logged off when not in use
  • Consider using padlocks, cable locks, passwords or equivalent controls to protect workstations and laptop computers
  • If you have an internal mail point, it should be protected, as should unattended fax machines
  • Consider locking photocopiers outside normal working hours
  • If you print sensitive or classified information, clear it from the printer immediately
  • Information, software, equipment or items belonging to the company should not be taken off-site without formal approval. Equipment should be logged out when removed from the premises and logged back in when returned


For further information about security for remote working, please see our Physical Security and Remote Working section. Also, please see our Physical Security checklist.