Physical security policy

Overview

This policy aims to prevent loss, damage, and theft of our assets by deterring, delaying, or preventing unauthorised physical access.

Scope

This policy applies to all our assets.  This includes information assets and Information and Communication Technology (ICT) assets.

The policy must be used as a framework for ensuring good physical security when:

  • working from our premises
  • utilising shared occupancy premises
  • working remotely
  • working from home

Introduction

Maintaining a physically secure working environment is fundamental to good security and involves:

  • the appropriate layout and design of premises
  • suitable security measures

Physical security controls must consider the following factors:

  • the value, sensitivity or number of assets held
  • the impact and likelihood of a loss of the site or asset
  • the level of threat and vulnerability
  • environment, location and whether occupancy is sole or shared

Staff must take all reasonable measures to safeguard our assets.

Working from home

Physical documents, files, and devices must always be subject to a reasonable level of security, for example by placing them in a locked drawer.

Family and friends must be prevented from accessing or using our assets.

Ensure you lock your computer screen before leaving it unattended.

Keep the amount of paper documents to an absolute minimum.

Staff must be careful if removing sensitive or confidential paper documents from the office.  They must seek authority from their line manager before doing so.

Where possible set up a designated place to work.  This will help keep your work organised, reducing the likelihood of misplaced information.

Maintain a clear desk at home.

When having work conversations take steps to keep things confidential by:

  • being in a different room from any family members
  • ensuring that the door is closed
  • avoiding disruption where possible
  • turning off smart devices to avoid accidental recording or listening

Building security

Control of access must be in place and always engaged. Only authorised persons should be allowed access. 

Building security controls, such as locks and intruder alarms, must be engaged before premises are vacated or whenever they are left unoccupied.

‘Tailgating’ is not permitted.  Persons attempting to gain access without presenting an access card must be refused entry.  Direct them to an appropriate visitor reception.

Room security

Rooms used to store sensitive assets (including personal data) in the open must be subject to additional access control to prevent unauthorised access.

Key security

Keys that are used to control access to premises or protect assets must be controlled at all times. 

Visitor access to buildings

Visitor access to buildings must be controlled.

Visitors must:

  • be required to record their visit via a sign in and out process
  • be clearly identified and escorted by authorised staff

Access control cards and access codes

The issuing of access cards and access codes must be strictly controlled at all times.

Access cards and access codes must only be used by the individual to whom they were issued.

Access cards are to be returned to the issuing authority as soon as the business need ceases to exist.

Access codes must be changed on a regular basis, or immediately if the need arises, for example on a suspected or actual compromise of a code.

Personal identification

Staff and visitors must always wear issued identification. 

Staff acting as hosts must ensure that visitors always obtain and wear a visitor’s badge. 

Name badges must not be accepted as a form of identification.

Any person not displaying formal identification must be denied access to premises.

Staff must challenge any person not displaying identification within premises.  

Line managers must encourage a ‘challenge culture’.

Clear desk and screen

All staff must adopt a clear desk and clear screen policy.  This will help to reduce the risk of compromise, loss, or theft of information. 

A clear desk policy means securing assets under lock and key when not in use.  

If a clear desk policy is not achievable because of limited storage space, then lockable storage is to be used for sensitive data as a priority.

A clear screen policy means applying access controls such as:

  • screen locking ICT when not in use
  • logging off from systems when not in use for an extended period of time

Accommodation moves

Prior to accommodation moves adequate provision must be made for the security of assets in line with this policy.

When accommodation is no longer required physical security measures must remain in place until all assets have been removed. 

ICT and information assets

All ICT and information assets must be protected from physical compromise, theft, or tampering at all times. 

Mobile devices and hard copy documents are to be securely stored when not in use.

Access to network equipment that we own or manage, such as switches and routers, must be strictly controlled.  Physical security measures must be in place to prevent casual access.

Unauthorised staff must not tamper with council owned or managed network equipment.

Data centre

Physical security controls which benefit the Data Centre must be engaged at all times.  Access must be strictly controlled.

Visits to the Data Centre must have a business purpose.  Visitors must always be escorted by authorised staff.

All visitors to the Data Centre must be authorised by Serco (Lincoln). 

All entry to and exit from the Data Centre must be via the main access point unless there is an emergency.

Data Centre entry and exit must be subject to a documented audit trail.