Effective physical security measures help protect against unauthorized access, damage, or interference in areas where critical or sensitive information is prepared or located, or where information processing services supporting key business processes are hosted.
The requirements and placement of each physical security barrier should depend upon the value of the information or service being protected.
Each level of physical protection should have a defined security perimeter, around which a consistent level of physical security protection is maintained.
Physical information processing resources that support key business processes in a production mode, (i.e., mainframes, minicomputers, etc.) must be housed in a secure area that reasonably protects the resources from unauthorized physical access, fire, flooding, explosions, and other forms of natural or man-made disaster.
Managers responsible for sensitive information or for information processing resources should periodically perform a self-assessment to determine the existing level of security vulnerability and compliance with the physical security requirements.
It is the responsibility of the appropriate individuals to enforce appropriate entry controls and authentication procedures that ensure that only authorized personnel are allowed entry into areas that house critical or sensitive information or information processing resources that host the processing of critical or sensitive information (i.e. information processing centers).
Facilities where access by unauthorized personnel is to be prevented must, at a minimum, require that ID badges are worn and visible at all times. Personnel should be encouraged to challenge strangers and report their presence to local physical security personnel. Visitors should be escorted.
Physical access to secured areas must be controlled.
The award and distribution of keys or passes (including ID badges, card/pass keys) used to physically access secure areas must be strictly controlled and subject to frequent review to ensure that only currently authorized individuals are in possession of access devices. Quarterly reviews should be performed to ensure that only those individuals with a job related need have access to the computing facilities. Whenever individuals change jobs or leave Emory, their access cards should be removed from the card key access system.
Organizations should encourage employees to practice a clear desk policy for papers and diskettes or other media that are sensitive in nature, in order to reduce the risks of unauthorized access, loss of and damage to information outside of normal working hours. The following guidelines should be applied, where appropriate:
It is the responsibility of site management to enforce authorization and control procedures that ensure information-processing assets such as equipment or software from company property are removed from Emory for business purposes only.
Note: Removal of Emory information and data is governed by its classification controls as stipulated in the Emory Information and Resource Access Policy
Information processing resources should be located away from hazardous processes or materials.
Adequate power supplies and auxiliary power supplies should be provided to information processing resources.
Adequate protection should be provided to information and information processing resources against damage from exposure to water, smoke, dust, chemicals, electrical supply interference, etc.
The minimum-security protection activities specified by the vendor/manufacturer of information processing equipment must also be implemented.
Physical emergency procedures should be clearly documented. Emory personnel should be trained in appropriate behavior in emergencies.
Air-conditioning units should be sufficient to support the equipment in computing facilities.
Both manually activated and automatically activated fire suppression equipment should be installed. As a safety measure, if the automatic fire suppression system employs water, power to the computer room should be automatically shut off prior to water release. The automatically activated fire suppression system should be inspected and tested annually.
Self-contained portable fire extinguishers should be sufficient to ensure complete coverage. Fire extinguishers should be conveniently located, well marked and inspected on a periodic basis.
An Uninterruptible Power Source (UPS) should be used to support critical business information processing operations. UPS equipment should be regularly tested according to the manufacturer's recommendations. Computer hardware should be protected from electrical surges.
Power and communications lines servicing buildings should be underground, where possible, or subject to adequate alternative protection. Network cabling should be protected from unauthorized interception or damage.
Information processing equipment should be maintained in accordance with the vendor/manufacturer's recommended service intervals and specifications. Only authorized personnel should perform repairs and servicing of information processing equipment. Records should be maintained of all repairs, maintenance, faults and suspected faults on information processing resources.
Virus controls must be enabled to protect Emory resources.
Information processing equipment and media containing highly restricted and confidential data should not be left unattended in public places. Portable computers containing sensitive data should be carried as hand luggage when traveling.
Off premise computers with Emory classified information should be protected with an appropriate form of access protection, e.g. passwords, smart cards, or encryption, to prevent unauthorized access.
Manufacturers' instructions regarding physical protection of equipment should be observed at all times.
Security risks (e.g. of damage, theft, eavesdropping) vary considerably between locations and should be considered in determining the most appropriate security measures.
Drives and software should be identified so when the computer is recovered, the police can more identify the owner. Properly register and brand each piece of software. Branding software could be used to brand the hard drive. Record serial numbers of hardware.
Minimum guidelines should be established for removing ("wiping") the hard drive of computing equipment. If this is contracted to a vendor, the operation should be reviewed and verified.
All equipment containing storage media, e.g., fixed hard drives, should be checked to ensure that any classified information and licensed software are removed or over written prior to disposal.
Damaged storage devices containing information classified as restricted should be repaired or destroyed.