Physical security policy

Building security

Access control must be in place and always engaged. Only authorised persons may be allowed access.

Building security controls, such as locks and intruder alarms, must be engaged before the building is vacated and whenever it is left unoccupied.

‘Tailgating’ is not permitted. Persons attempting to gain access without presenting an access card must be refused entry and directed to the appropriate visitor reception.

Room security

Rooms used to store sensitive assets in the open, including personal data, must be subject to additional access control to prevent unauthorised access.

Key security

Keys used to control access to premises or to protect assets must be controlled at all times.

Visitor access to buildings

Visitor access to buildings must be controlled.

Visitors must:

  • be required to record their visit via a sign in and out process
  • be clearly identified and escorted by authorised staff

Access control cards and access codes

The issuing of access cards and access codes must be strictly controlled at all times.

Access cards and access codes must only be used by the individual to whom they were issued.

Access cards must be returned to the issuing authority as soon as the business need for them ceases.

Access codes must be changed on a regular basis, and immediately if the need arises, for example on a suspected or actual compromise of a code.

Personal identification

Staff and visitors must always wear issued identification. 

Staff acting as hosts must ensure that visitors always obtain and wear a visitor’s badge. 

Name badges must not be accepted as a form of identification.

Any person not displaying formal identification must be denied access to premises.

Staff must challenge any person not displaying identification within premises.

Line managers must encourage a ‘challenge culture’.

Clear desk and screen

All staff must adopt a clear desk and clear screen policy. This reduces the risk of compromise, loss or theft of information.

A clear desk policy means securing assets under lock and key when they are not in use.

Where a clear desk policy cannot be fully achieved because of limited storage space, the available lockable storage must be used for sensitive data as a priority.

A clear screen policy means applying access controls such as:

  • locking the screen of ICT equipment when it is not in use
  • logging off from systems when they will not be used for an extended period of time

Accommodation moves

Before an accommodation move, adequate provision must be made for the security of assets in line with this policy.

When accommodation is no longer required, physical security measures must remain in place until all assets have been removed.