Physical Security Policy [Insert classification]
Physical Security Policy
PCI DSS Toolkit: Version 6 ©CertiKit Version 1
Page 1 of 11
[Insert date]
Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document

This document defines the organization’s policy with regard to the controls used to ensure the physical security of its buildings, offices etc.
Areas of the standard addressed

The following areas of the PCI DSS standard are addressed by this document:
• Requirement 9: Restrict physical access to cardholder data
General guidance

Physical security is often common sense, as it is one of the most visible aspects of information security. But often penetration testers have found that it’s all too easy to gain access to a building and explore unchallenged. Don’t assume that the building services or facilities management service provider has covered everything needed; look carefully at your organization’s specific needs and be prepared to put additional controls in place if necessary. Don’t forget that awareness training is a key part of physical security, in order to ensure that procedural controls are followed and that physical controls are not easily circumvented, e.g. via tailgating.

PCI DSS only concentrates on the physical security of the cardholder data environment. However, it is recommended that this policy be implemented across the business where appropriate.
Review frequency

We would recommend that this document be reviewed annually and upon significant change to the organization.
Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Physical Security Policy
Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: PCI-DSS-DOC-09-2
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction .......... 8
2 Secure areas .......... 9
3 Paper and equipment security .......... 10
4 Equipment lifecycle management .......... 11
1 Introduction

The protection of the physical environment is one of the most obvious yet most important tasks within the area of information security. A lack of physical access control can undo the most careful technical precautions and potentially put lives at risk. [Organization Name] is committed to ensuring the safety of its employees, contractors and assets and takes the issue of physical security very seriously. This policy sets out the main precautions that must be taken.

This control applies to all offices, systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policy and procedures are relevant to this document:
• Information Security Policy
• CDE Physical Access Procedure
2 Secure areas

Sensitive information must be stored securely. A risk assessment must be carried out to identify the appropriate level of protection to be implemented to secure the information being stored.

Physical security must begin with the building itself, and an assessment of perimeter vulnerability must be conducted. A building must have appropriate control mechanisms in place for the classification of information and equipment that is stored within it. These may include, but are not restricted to, the following:
• Alarms fitted and activated outside working hours
• Window and door locks
• Window bars on lower floor levels
• Access control mechanisms fitted to all accessible doors (where codes are utilised they should be regularly changed and known only to those people authorised to access the area/building)
• CCTV cameras (recordings kept for at least 3 months)
• Staffed reception area
• Protection against damage - e.g. fire, flood, vandalism
Staff working in secure areas must challenge anyone not wearing a badge. Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by persons authorised to access those areas and must not be loaned/provided to anyone else. Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. An organization employee must always monitor all visitors accessing secure areas. Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by the IT function as appropriate. Where breaches do occur, or an employee leaves outside normal termination circumstances, all identification and access tools/passes (e.g. badges, keys etc.) must be recovered from the employee and any door/access codes changed immediately. Offsite backup locations will be reviewed at least annually to ensure these locations are physically secure for the media backups.
3 Paper and equipment security

Paper in an open office must be protected by the controls for the building and via appropriate measures that may include, but are not restricted to, the following:
• Filing cabinets that are locked, with the keys stored away from the cabinet
• Locked safes
• Storage in a secure area protected by access controls
• Secured paper disposal containers
All general computer equipment must be in suitable physical locations that:
• Limit the risks from environmental hazards – e.g. heat, fire, smoke, water, dust and vibration
• Limit the risk of theft – e.g. if necessary, items such as laptops should be physically attached to the desk
• Allow workstations handling sensitive data to be positioned so as to eliminate the risk of the data being seen by unauthorised people
• Restrict physical access to wireless access points and gateways
Data will be stored on network file servers where appropriate. This ensures that information lost, stolen or damaged via unauthorised access can be restored and its integrity maintained. All servers located outside of the data centre must be sited in a physically secure environment. Business critical systems must be protected by an Uninterruptible Power Supply (UPS) to reduce the risk of operating system and data corruption from power failures.

All items of equipment must be recorded, both on the departmental and the overall [Organization Name] inventory. Procedures must be in place to ensure inventories are updated as soon as assets are received or disposed of. All equipment must be security marked and have a unique asset number allocated to it. This asset number will be recorded in the departmental and the overall [Organization Name] inventories.

Cables that carry data or support key information services must be protected from interception or damage. Power cables must be separated from network cables to prevent interference. Network cables must be protected by conduit and where possible avoid routes through public areas.

Physical and/or logical controls must be implemented to restrict access to publicly accessible network ports on office walls; for example, network ports located in public areas and areas accessible to visitors will be disabled and only enabled when network access is explicitly authorized.

Device tamper inspections will be performed and recorded to ensure payment devices are not compromised. Training will be provided to staff members to inspect devices appropriately.
4 Equipment lifecycle management

The IT function and 3rd party suppliers must ensure that all of [Organization Name]’s IT equipment is maintained in accordance with the manufacturer’s instructions and any documented internal procedures, to ensure it remains in effective working order. Staff involved with maintenance must:
• Retain all copies of manufacturer’s instructions
• Identify recommended service intervals and specifications
• Enable a call-out process in the event of failure
• Ensure only authorised technicians complete any work on the equipment
• Record details of all remedial work carried out
• Identify any insurance requirements
• Record details of faults incurred and actions required
A service history record of equipment must be maintained so that decisions can be made regarding the appropriate time for it to be replaced. Manufacturer’s maintenance instructions must be documented and available for support staff to use when arranging repairs.

The use of equipment off-site must be formally approved by the user’s line manager.

Equipment that is to be reused or disposed of must have all its data and software erased/destroyed. If the equipment is to be passed on to another organization (e.g. returned under a leasing agreement), data removal must be achieved by using approved, appropriately secure wipe programs.

Sensitive paper records will be disposed of via one of the following methods:
• Crosscut shredded
• Incinerated
• Pulped
Equipment deliveries must be signed for by an authorised individual using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded. Loading areas and holding facilities must be adequately secured against unauthorised access, and all access should be auditable. Subsequent removal of equipment must be via a formal, auditable process.

All information security arrangements (office, storage containers, devices and media) must be subject to independent audit at least annually, and security improvements recommended where necessary.