7.1 USE SECURE AREAS TO PROTECT FACILITIES

Use physical methods to control access
to information processing facilities.

Use physical methods to prevent people from damaging
or interfering with your information processing facilities.

Identify the areas within your facility that should receive
special protection and be treated as secure areas.

Use secure areas to protect sensitive
or critical information processing facilities.

Use entry controls to protect your
information processing facilities.

Make sure that your physical protection methods
are commensurate with your security risks.

7.1.1 USE PERIMETERS TO PROTECT SECURE AREAS

Use physical security perimeters and barriers to protect
your organization’s information processing facilities.

Make sure that your physical security perimeters
and barriers provide more protection for high
risk areas than low risk areas.

Make sure that your physical security barriers and
perimeters are free of physical gaps and weaknesses.

Make sure that external doors and entrance
ways are used to prevent unauthorized access
to information processing facilities.

Restrict building access to authorized personnel.

Use physical barriers to prevent unauthorized access.

Make sure that physical barriers are used to prevent
contamination from external environmental sources.

Make sure that external perimeter doors
are controlled by fire alarm systems.

Make sure that all external perimeter doors
automatically slam shut in response to a fire.

7.1.2 USE ENTRY CONTROLS TO PROTECT SECURE AREAS

Use physical entry controls to protect secure areas.

Make sure that your physical entry controls ensure that
only authorized people are given access to secure areas.

Make sure that visitors to secure
areas are given a security screening.

Make sure that you supervise
all visitors to secure areas.

Record the date and time visitors
enter and leave secure areas.

Make sure that all visitors to secure areas
are given specific security instructions.

Make sure that all visitors to secure areas are
made aware of your emergency procedures.

Use physical controls to restrict
access to sensitive information.

Use physical controls to restrict access
to information processing facilities.

Validate the identity of all persons
who wish to access secure areas.

Ensure that all persons who access
secure areas wear visible identity tags.

Maintain a record of all access to secure areas.

Review access rights to secure areas on a regular basis.

Update access rights to secure areas on a regular basis.

7.1.3 USE DESIGN STRATEGIES TO PROTECT SECURE AREAS

Design your secure areas to withstand natural disasters.

Design secure areas to withstand man‑made disasters.

Design your secure areas in accordance with all
relevant health and safety regulations and standards.

Protect your secure areas from security threats
that neighboring facilities might present.

Site secure areas in order to avoid public access to them.

Site secure area photocopiers and other equipment so
that routine access to them will not compromise security.

Design your information processing facilities in
order to hide their true purpose from the public.

Use locks to control access to secure areas.

Lock all information processing facility doors and
windows when these facilities are not being used.

Install external window protections
for your information processing facilities.

Use intruder detection systems
to prevent access to secure areas.

Make sure that your intruder detection systems
cover all external doors and accessible windows.

Make sure that your intruder detection systems comply
with professional installation and maintenance standards.

Test your intruder detection systems on a regular basis.

Keep unoccupied secure areas alarmed at all times.

Separate physically your information processing
facilities from facilities that are managed by third parties.

Prevent public access to internal directories and documents that
specify the location of sensitive information processing facilities.

Site fallback equipment away from secure areas
in order to avoid damage during a disaster.

Site backup media away from secure areas
in order to avoid damage during a disaster.

Store hazardous materials away from secure areas.

Store combustible materials away from secure areas.

7.1.4 USE WORK GUIDELINES TO PROTECT SECURE AREAS

Use guidelines to control the work that
your personnel perform in secure areas.

Use guidelines to control the work that
third parties perform in secure areas.

Allow third party support service personnel to access
secure areas only when access is clearly required.

Monitor third party access to your secure areas.

Ensure that third party access to secure areas is authorized.

Use a need‑to‑know policy to control
information about secure areas and facilities.

Supervise all work performed in secure areas.

Lock secure areas that are vacant.

Check secure areas that are vacant.

Prevent the unauthorized use of photographic
and other recording equipment inside secure areas.

7.1.5 USE HOLDING AREAS TO PROTECT SECURE AREAS

Control the use of delivery and loading areas.

Separate your delivery and loading areas from
all of your information processing facilities.

Make sure that all delivery and loading functions
are carried out in a carefully controlled holding area.

Make sure that you restrict access to your holding area.

Make sure that holding area is designed so that supplies
can be unloaded without allowing access to secure areas.

Make sure that your holding area is designed so that the
external door is secured when the internal door is open.

Inspect all incoming supplies and materials
to ensure that all hazards are identified before
these items are transferred to secure areas.

Record all incoming supplies and materials.

7.2 PROTECT EQUIPMENT FROM HAZARDS

Protect your equipment from
security threats and hazards.

Protect your equipment from
environmental threats and hazards.

Make sure that your physical security
measures reduce the risk that people will
have unauthorized access to your data.

Make sure that your physical security
measures protect data from loss or damage.

7.2.1 SAFEGUARD YOUR EQUIPMENT

Site your equipment so that unnecessary
access to related work areas is minimized.

Isolate all equipment that requires
an extra level of protection.

Adopt security measures that protect
your equipment against theft.

Adopt security measures that protect
your equipment against fire.

Adopt security measures that protect
your equipment against explosives.

Adopt security measures that protect
your equipment against smoke.

Adopt security measures that protect
your equipment against flooding.

Adopt security measures that protect
your equipment against water leaks.

Adopt security measures that protect
your equipment against dust.

Adopt security measures that protect
your equipment against grime.

Adopt security measures that protect
your equipment against vibration.

Adopt security measures that protect your
equipment against destructive chemicals.

Adopt security measures that protect your
equipment against electrical interference.

Adopt security measures that protect your
equipment against electromagnetic radiation.

Adopt security measures that protect your
equipment against accidental damage.

7.2.2 PROTECT YOUR POWER SUPPLIES

Protect your equipment from power failures.

Protect your equipment from electrical anomalies.

Make sure that your power supplies comply with the
specifications provided by equipment manufacturers.

Ensure that electrical power will
be provided without interruption.

Consider using multiple power feeds.

Use uninterruptible power supplies (UPSs)
to protect your critical equipment.

Develop contingency plans to address UPS failures.

Check your UPS equipment on a regular basis.

Test your UPS equipment on a regular basis.

Make sure that you have back‑up generators
that you can use during prolonged power failures.

Test your back‑up generators on a regular basis.

Make sure that you have an adequate supply of fuel available
that back‑up generators can use during emergencies.

Make sure that your equipment rooms have emergency power switches.

Make sure that power switches are located near emergency exits.

Attach lightning protection filters to all external communication lines.

Install emergency back‑up lights.

Install lightning protection for all buildings.

7.2.3 SECURE YOUR CABLES

Protect your power lines from
unauthorized interception or damage.

Protect your telecommunications cables
from unauthorized interception or damage.

Place power lines underground whenever those lines
are connected to information processing facilities.

Place telecommunications cables underground whenever
they are connected to information processing facilities.

Use conduits to prevent unauthorized
interception or damage to cables and lines.

Use armored conduit to protect critical systems.

Avoid routing cables and lines through public areas.

Segregate your power lines from your telecommunications cables.

Use locked rooms and boxes at cable inspection and termination points.

Consider using alternative routings.

Consider using alternative transmission media.

Consider using fiber optic cables

Consider using sweeps to detect the presence
of unauthorized cable monitoring devices.

7.2.4 MAINTAIN YOUR EQUIPMENT

Maintain your equipment to
ensure that it functions properly.

Follow the equipment manufacturer’s
recommended maintenance schedule.

Follow the equipment manufacturer’s
recommended maintenance specifications.

Allow only authorized maintenance people
to service and repair your equipment.

Keep a record of all preventive and
corrective maintenance activities.

Keep a record of all equipment faults and problems.

Control off‑site equipment maintenance and repair.

Comply with the requirements that insurance polices
impose on off‑site equipment maintenance and repair.

7.2.5 CONTROL OFF‑SITE EQUIPMENT

Make sure that management authorization is required before
information processing equipment can be removed and used
outside of your organization’s premises.

Make sure that off‑site equipment security measures are at
least as rigorous as on‑site equipment security measures.

Take additional equipment security measures to deal
with the added risks associated with working off‑site.

Make sure that all appropriate security measures are
taken to control the off‑site use of personal computers.

Make sure that all appropriate security measures are
taken to control the off‑site use of personal organizers.

Make sure that all appropriate security measures are
taken to control the off‑site use of mobile phones.

Make sure that all appropriate security measures are
taken to control the off‑site use of paper documents.

Make sure that your personnel never leave
information processing equipment or media
unattended in public places.

Make sure that personnel treat portable computers
as hand luggage while they are traveling.

Make sure that your personnel conceal or disguise
their portable computers while they are traveling.

Develop special security measures
for people who work at home.

Develop special security measures to address your
organization’s unique or unusual security risks.

Ensure that your personnel follow your equipment
manufacturers’ recommended security precautions.

Make sure that you have adequate
insurance for off‑site equipment.

7.2.6 CONTROL EQUIPMENT DISPOSAL

Control the disposal of old or obsolete
information processing equipment.

Control the re‑use of old or obsolete
information processing equipment.

Destroy all data storage devices or securely overwrite
all data before you re‑use or dispose of those devices.

Ensure that all licensed software has been overwritten or
removed before you re‑use or dispose of storage devices.

Check all storage devices, before you re‑use or dispose of them,
in order to verify that all security requirements have been met.

7.3 CONTROL ACCESS TO INFORMATION AND PROPERTY

Prevent unauthorized access to your
sensitive or critical information.

Prevent the unauthorized modification
of your sensitive or critical information.

Prevent the theft of your information.

Minimize the damage that would be
caused by the loss of your information.

Prevent unauthorized access to
your information processing facilities.

Prevent the theft of your information
processing equipment.

Minimize the damage that would be caused by
the loss of your information processing equipment.

7.3.1 ESTABLISH A CLEAR‑DESK AND CLEAR‑SCREEN POLICY

Establish a clear‑desk policy to protect
your information processing facilities.

Use a clear‑desk policy to protect paper.

Use a clear‑desk policy for removable storage media.

Established a clear‑screen policy to protect
your information processing facilities.

Store important papers in locked cabinets.

Store computer media in locked cabinets.

Store your organization’s most critical or sensitive
information in fire‑resistant safes or cabinets.

Make sure that users log off when personal
computers, terminals, and printers are not in use.

Protect personal computers, terminals, and printers by
means of passwords or other suitable security controls.

Protect your incoming and outgoing mail points.

Protect your unattended fax and telex machines.

Protect your photocopiers from unauthorized
use during weekends and after‑work hours.

Clear immediately sensitive or classified
information from printers after every print job.

7.3.2 CONTROL THE REMOVAL OF PROPERTY

Make sure that management authorization
is required before equipment is taken off‑site.

Make sure that management authorization
is required before information is taken off‑site.

Make sure that management authorization
is required before software is taken off‑site.

Make sure that users log out and log
back in whenever equipment is returned.

Make sure that personnel are warned that spot‑checks
will be carried out to detect missing equipment.

Make sure that you carry out unannounced spot‑checks
to detect the unauthorized removal of equipment.