iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-7.2-Physical-entry.md

7.2 Physical entry

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Physical_security #Identity_and_Access | |

Control

Secure areas should be protected by appropriate entry controls and access points.

Purpose

To ensure only authorized physical access to the organization's information and other associated assets occurs.

Guidance

General

Access points such as delivery and loading areas and other points where unauthorized persons can enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

The following guidelines should be considered:

a) restricting access to sites and buildings to authorized personnel only. The process for the management of access rights to physical areas should include the provision, periodical review, update and revocation of authorizations (see 5.18);

b) securely maintaining and monitoring a physical logbook or electronic audit trail of all access and protecting all logs (see 5.33) and sensitive authentication information;

c) establishing and implementing a process and technical mechanisms for the management of access to areas where information is processed or stored. Authentication mechanisms include the use of access cards, biometrics or two-factor authentication such as an access card and secret PIN. Double security doors should be considered for access to sensitive areas;

d) setting up a reception area monitored by personnel, or other means to control physical access to the site or building;

e) inspecting and examining personal belongings of personnel and interested parties upon entry and exit;

NOTE Local legislation and regulations can exist regarding the possibility of inspecting personal belongings.

f) requiring all personnel and interested parties to wear some form of visible identification and to immediately notify security personnel if they encounter unescorted visitors and anyone not wearing visible identification. Easily distinguishable badges should be considered to better identify permanent employees, suppliers and visitors;

g) granting supplier personnel restricted access to secure areas or information processing facilities only when required. This access should be authorized and monitored;

h) giving special attention to physical access security in the case of buildings holding assets for multiple organizations;

i) designing physical security measures so that they can be strengthened when the likelihood of physical incidents increases;

j) securing other entry points such as emergency exits from unauthorized access;

k) setting up a key management process to ensure the management of the physical keys or authentication information (e.g. lock codes, combination locks to offices, rooms and facilities such as key cabinets) and to ensure a log book or annual key audit and that access to physical keys or authentication information is controlled (see 5.17 for further guidance on authentication information).

Visitors

The following guidelines should be considered:

a) authenticating the identity of visitors by an appropriate means;

b) recording the date and time of entry and departure of visitors;

c) only granting access for visitors for specific, authorized purposes and with instructions on the security requirements of the area and on emergency procedures;

d) supervising all visitors, unless an explicit exception is granted.

Delivery and loading areas and incoming material

The following guidelines should be considered:

a) restricting access to delivery and loading areas from outside of the building to identified and authorized personnel;

b) designing the delivery and loading areas so that deliveries can be loaded and unloaded without delivery personnel gaining unauthorized access to other parts of the building;

c) securing the external doors of delivery and loading areas when doors to restricted areas are opened;

d) inspecting and examining incoming deliveries for explosives, chemicals or other hazardous materials before they are moved from delivery and loading areas;

e) registering incoming deliveries in accordance with asset management procedures (see 5.9, 7.10) on entry to the site;

f) physically segregating incoming and outgoing shipments, where possible;

g) inspecting incoming deliveries for evidence of tampering on the way. If tampering is discovered, it should be immediately reported to security personnel.
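As an added example, not part of the standard's text, here is the monitoring called for in General guideline b) and the visitor guidelines (authenticated, logged in and out, supervised) written as a small Python review over a constructed badge-reader audit trail. The record format, area names, badge identifiers and the authorization, revocation and visitor sets are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample badge-reader audit trail (not from the standard).
# Record format: <timestamp> <ENTRY|EXIT> <area> <badge> <result>
SAMPLE_LOG = """\
2024-03-04T08:01:10 ENTRY DC-ROOM E1001 GRANTED
2024-03-04T09:12:00 ENTRY LOBBY V2001 GRANTED
2024-03-04T09:13:30 ENTRY DC-ROOM V2001 GRANTED
2024-03-04T09:40:00 EXIT DC-ROOM E1001 GRANTED
2024-03-04T11:40:05 ENTRY DC-ROOM E1003 GRANTED
2024-03-04T12:00:00 ENTRY LOBBY V2002 GRANTED
2024-03-04T12:05:00 ENTRY DC-ROOM V2002 GRANTED
2024-03-04T17:02:11 EXIT LOBBY V2001 GRANTED
"""

# Hypothetical authorization state after provisioning, review and revocation (see 5.18).
AUTHORIZED = {"DC-ROOM": {"E1001", "E1002"}}  # secure area -> badges allowed unescorted
REVOKED = {"E1003"}                           # badges whose authorization was withdrawn
VISITORS = {"V2001", "V2002"}                 # visitor badges: supervised, logged in and out

def parse(log):
    # A malformed record is an error to investigate, not something to guess around.
    fields = ("ts", "action", "area", "badge", "result")
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"malformed audit record: {line!r}")
        yield dict(zip(fields, parts))

def review(log):
    findings, present = [], defaultdict(set)      # present: area -> badges inside now
    for e in parse(log):
        if e["result"] != "GRANTED":
            continue                              # denials are logged, not reviewed here
        ts, area, badge = e["ts"], e["area"], e["badge"]
        if e["action"] == "EXIT":
            present[area].discard(badge)
            continue
        present[area].add(badge)
        if badge in REVOKED:
            findings.append(f"{ts}: revoked badge {badge} granted entry to {area}")
        elif area in AUTHORIZED:
            escorts = present[area] & AUTHORIZED[area]   # authorized staff inside
            if badge in VISITORS and not escorts:
                findings.append(f"{ts}: visitor {badge} entered {area} unsupervised")
            elif badge not in VISITORS and badge not in AUTHORIZED[area]:
                findings.append(f"{ts}: badge {badge} not authorized for {area}")
    # Visitors still in the lobby set never had a departure recorded.
    findings += [f"visitor {b} has no recorded departure" for b in sorted(present["LOBBY"] & VISITORS)]
    return findings
```

Run `review(SAMPLE_LOG)` to see the three findings the sample trail produces; the same loop can be pointed at an exported reader log during the periodic review of access rights.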

Other information

No other information.