ISO IEC 17799 2000*

TRANSLATED INTO PLAIN ENGLISH

Section 7: Physical and Environmental Security

FREE DETAILED STANDARD

TO SECTION 6

 MAIN MENU TO SECTION 8

* ISO 17799 2000 is now OBSOLETE.
Please see ISO IEC 17799 2005 (27002)!

ISO 17799

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

7.1 USE SECURE AREAS TO PROTECT FACILITIES

 

Use physical methods to control access
to information processing facilities.

 

Use physical methods to prevent people from damaging
or interfering with your information processing facilities.

 

Identify the areas within your facility that should receive
special protection and be treated as secure areas.

 

Use secure areas to protect sensitive
or critical information processing facilities.

 

Use entry controls to protect your
information processing facilities.

 

Make sure that your physical protection methods
are commensurate with your security risks.

7.1.1 USE PERIMETERS TO PROTECT SECURE AREAS

 

Use physical security perimeters and barriers to protect
your organization’s information processing facilities.

 

Make sure that your physical security perimeters
and barriers provide more protection for high
risk areas than low risk areas.

 

Make sure that your physical security barriers and
perimeters are free of physical gaps and weaknesses.

 

Make sure that external doors and entrance
ways are used to prevent unauthorized access
to information processing facilities.

 

Restrict building access to authorized personnel.

 

Use physical barriers to prevent unauthorized access.

 

Make sure that physical barriers are used to prevent
contamination from external environmental sources.

 

Make sure that external perimeter doors
are controlled by fire alarm systems.

 

Make sure that all external perimeter doors
automatically slam shut in response to a fire.

7.1.2 USE ENTRY CONTROLS TO PROTECT SECURE AREAS

 

Use physical entry controls to protect secure areas.

 

Make sure that your physical entry controls ensure that
only authorized people are given access to secure areas.

 

Make sure that visitors to secure
areas are given a security screening.

 

Make sure that you supervise
all visitors to secure areas.

 

Record the date and time visitors
enter and leave secure areas.

 

Make sure that all visitors to secure areas
are given specific security instructions.

 

Make sure that all visitors to secure areas are
made aware of your emergency procedures.

 

Use physical controls to restrict
access to sensitive information.

 

Use physical controls to restrict access
to information processing facilities.

 

Validate the identity of all persons
who wish to access secure areas.

 

Ensure that all persons who access
secure areas wear visible identity tags.

 

Maintain a record of all access to secure areas.

 

Review access rights to secure areas on a regular basis.

 

Update access rights to secure areas on a regular basis.

7.1.3 USE DESIGN STRATEGIES TO PROTECT SECURE AREAS

 

Design your secure areas to withstand natural disasters.

 

Design secure areas to withstand man‑made disasters.

 

Design your secure areas in accordance with all
relevant health and safety regulations and standards.

 

Protect your secure areas from security threats
that neighboring facilities might present.

 

Site secure areas in order to avoid public access to them.

 

Site secure area photocopiers and other equipment so
that routine access to them will not compromise security.

 

Design your information processing facilities in
order to hide their true purpose from the public.

 

Use locks to control access to secure areas.

 

Lock all information processing facility doors and
windows when these facilities are not being used.

 

Install external window protections
for your information processing facilities.

 

Use intruder detection systems
to prevent access to secure areas.

 

Make sure that your intruder detection systems
cover all external doors and accessible windows.

 

Make sure that your intruder detection systems comply
with professional installation and maintenance standards.

 

Test your intruder detection systems on a regular basis.

 

Keep unoccupied secure areas alarmed at all times.

 

Separate physically your information processing
facilities from facilities that are managed by third parties.

 

Prevent public access to internal directories and documents that
specify the location of sensitive information processing facilities.

 

Site fallback equipment away from secure areas
in order to avoid damage during a disaster.

 

Site backup media away from secure areas
in order to avoid damage during a disaster.

 

Store hazardous materials away from secure areas.

 

Store combustible materials away from secure areas.

7.1.4 USE WORK GUIDELINES TO PROTECT SECURE AREAS

 

Use guidelines to control the work that
your personnel perform in secure areas.

 

Use guidelines to control the work that
third parties perform in secure areas.

 

Allow third party support service personnel to access
secure areas only when access is clearly required.

 

Monitor third party access to your secure areas.

 

Ensure that third party access to secure areas is authorized.

 

Use a need‑to‑know policy to control
information about secure areas and facilities.

 

Supervise all work performed in secure areas.

 

Lock secure areas that are vacant.

 

Check secure areas that are vacant.

 

Prevent the unauthorized use of photographic
and other recording equipment inside secure areas.

7.1.5 USE HOLDING AREAS TO PROTECT SECURE AREAS

 

Control the use of delivery and loading areas.

 

Separate your delivery and loading areas from
all of your information processing facilities.

 

Make sure that all delivery and loading functions
are carried out in a carefully controlled holding area.

 

Make sure that you restrict access to your holding area.

 

Make sure that holding area is designed so that supplies
can be unloaded without allowing access to secure areas.

 

Make sure that your holding area is designed so that the
external door is secured when the internal door is open.

 

Inspect all incoming supplies and materials
to ensure that all hazards are identified before
these items are transferred to secure areas.

 

Record all incoming supplies and materials.

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

7.2 PROTECT EQUIPMENT FROM HAZARDS

 

Protect your equipment from
security threats and hazards.

 

Protect your equipment from
environmental threats and hazards.

 

Make sure that your physical security
measures reduce the risk that people will
have unauthorized access to your data.

 

Make sure that your physical security
measures protect data from loss or damage.

7.2.1 SAFEGUARD YOUR EQUIPMENT

 

Site your equipment so that unnecessary
access to related work areas is minimized.

 

Isolate all equipment that requires
an extra level of protection.

 

Adopt security measures that protect
your equipment against theft.

 

Adopt security measures that protect
your equipment against fire.

 

Adopt security measures that protect
your equipment against explosives.

 

Adopt security measures that protect
your equipment against smoke.

 

Adopt security measures that protect
your equipment against flooding.

 

Adopt security measures that protect
your equipment against water leaks.

 

Adopt security measures that protect
your equipment against dust.

 

Adopt security measures that protect
your equipment against grime.

 

Adopt security measures that protect
your equipment against vibration.

 

Adopt security measures that protect your
equipment against destructive chemicals.

 

Adopt security measures that protect your
equipment against electrical interference.

 

Adopt security measures that protect your
equipment against electromagnetic radiation.

 

Adopt security measures that protect your
equipment against accidental damage.

7.2.2 PROTECT YOUR POWER SUPPLIES

 

Protect your equipment from power failures.

 

Protect your equipment from electrical anomalies.

 

Make sure that your power supplies comply with the
specifications provided by equipment manufacturers.

 

Ensure that electrical power will
be provided without interruption.

 

Consider using multiple power feeds.

 

Use uninterruptible power supplies (UPSs)
to protect your critical equipment.

 

Develop contingency plans to address UPS failures.

 

Check your UPS equipment on a regular basis.

 

Test your UPS equipment on a regular basis.

 

Make sure that you have back‑up generators
that you can use during prolonged power failures.

 

Test your back‑up generators on a regular basis.

 

Make sure that you have an adequate supply of fuel available
that back‑up generators can use during emergencies.

 

Make sure that your equipment rooms have emergency power switches.

 

Make sure that power switches are located near emergency exits.

 

Attach lightning protection filters to all external communication lines.

 

Install emergency back‑up lights.

 

Install lightning protection for all buildings.

7.2.3 SECURE YOUR CABLES

 

Protect your power lines from
unauthorized interception or damage.

 

Protect your telecommunications cables
from unauthorized interception or damage.

 

Place power lines underground whenever those lines
are connected to information processing facilities.

 

Place telecommunications cables underground whenever
they are connected to information processing facilities.

 

Use conduits to prevent unauthorized
interception or damage to cables and lines.

 

Use armored conduit to protect critical systems.

 

Avoid routing cables and lines through public areas.

 

Segregate your power lines from your telecommunications cables.

 

Use locked rooms and boxes at cable inspection and termination points.

 

Consider using alternative routings.

 

Consider using alternative transmission media.

 

Consider using fiber optic cables

 

Consider using sweeps to detect the presence
of unauthorized cable monitoring devices.

7.2.4 MAINTAIN YOUR EQUIPMENT

 

Maintain your equipment to
ensure that it functions properly.

 

Follow the equipment manufacturer’s
recommended maintenance schedule.

 

Follow the equipment manufacturer’s
recommended maintenance specifications.

 

Allow only authorized maintenance people
to service and repair your equipment.

 

Keep a record of all preventive and
corrective maintenance activities.

 

Keep a record of all equipment faults and problems.

 

Control off‑site equipment maintenance and repair.

 

Comply with the requirements that insurance polices
impose on off‑site equipment maintenance and repair.

7.2.5 CONTROL OFF‑SITE EQUIPMENT

 

Make sure that management authorization is required before
information processing equipment can be removed and used
outside of your organization’s premises.

 

Make sure that off‑site equipment security measures are at
least as rigorous as on‑site equipment security measures.

 

Take additional equipment security measures to deal
with the added risks associated with working off‑site.

 

Make sure that all appropriate security measures are
taken to control the off‑site use of personal computers.

 

Make sure that all appropriate security measures are
taken to control the off‑site use of personal organizers.

 

Make sure that all appropriate security measures are
taken to control the off‑site use of mobile phones.

 

Make sure that all appropriate security measures are
taken to control the off‑site use of paper documents.

 

Make sure that your personnel never leave
information processing equipment or media
unattended in public places.