Physical & Environmental Security Policy

Written by Akshat Singhal
Updated over a week ago

Document Name: Physical & Environmental Security Policy

Classification: Internal

Document Owner: CISO/MR-

Document Approver: Top Management

Original Document Issue Date: 10/03/2023

Current Edition: Version 2.0

Revision History:

| S. No. | Description of Change | Date of Change | Version No. |
|---|---|---|---|
| 1 | Initial Release | 10/03/2023 | 1.0 |
| 2 | Second Release | 10/03/2024 | 2.0 |
| 3 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |

Introduction

All company information assets must have appropriate physical access and environmental controls in place to protect them from unauthorized or illegal access, damage and interference, as well as from business and environmental threats.

Objective

The purpose of this procedure is to prevent unauthorized physical access, damage, and interference to the organization’s premises and information. It establishes a set of requirements that define the minimum level of physical and environmental security for all LEGISTIFY SERVICES PRIVATE LIMITED department facilities to safeguard information resources.

Scope

This document addresses policies and procedures related to physical and environmental security at LEGISTIFY SERVICES PRIVATE LIMITED. The procedure applies to LEGISTIFY SERVICES PRIVATE LIMITED’s information assets and to employees and third parties working on the premises and in possession of the company’s information assets.

Stakeholders

| Stakeholders | Roles & Responsibility |
|---|---|
| Admin/Maintenance Department | Ensure that contracts and interagency agreements contain the necessary physical security provisions to protect sensitive and critical information for the execution of the procedures for ensuring physical and environmental security. |
| IT Department | Ensure that all appropriate access controls are applied for the execution of the procedures for ensuring physical and environmental security. |
| HR Department | Execution of the procedures for ensuring physical and environmental security. Ensure that candidates for employment are informed that their access is limited and that they are kept under close watch. |
| Project Managers / Department Heads | Project Managers / Department Heads shall ensure that adequate physical security is provided to protect assets. |
| All Employees / Contractors | All Employees / Contractors need to adhere to the company guidelines / policy and have an obligation to protect LEGISTIFY SERVICES PRIVATE LIMITED’s information assets. |

Physical and Environment Security

Secure Areas

Physical Security Perimeter

At LEGISTIFY SERVICES PRIVATE LIMITED, all required security perimeters (barriers such as walls, card-controlled entry gates, manned receptions to prevent tailgating, etc.) are used to protect areas that contain information and information processing facilities.

There are various guidelines considered and implemented for physical security perimeters such as:

Perimeter of a site containing information processing facilities is physically sound. The external boundary of LEGISTIFY SERVICES PRIVATE LIMITED is of solid construction and all external doors have proximity readers installed, which ensures authorized access only.

Security perimeters are clearly defined:

  • Entry / Exit Doors;

  • Server Rooms;

  • Camera Locations;

  • NOC Rooms.

Physical Entry Control

Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. The following practices are considered and implemented:

Entry Restriction for Employees to Premises

  • Physical access to the LEGISTIFY SERVICES PRIVATE LIMITED campus is controlled on a 24x7 basis by security personnel, who ensure that only authorized persons are allowed in after proper checking of their luggage. Every visitor must enter his/her details in the register placed at the security gate;

  • Physical access to LEGISTIFY SERVICES PRIVATE LIMITED is controlled by an access control mechanism for employees, whereas physical access for visitors is restricted to authorized persons only. Additionally, all visitors are expected to declare all the IT belongings (e.g. laptops, CDs, floppy disks, pen drives, etc.) that they carry into the LEGISTIFY SERVICES PRIVATE LIMITED premises, and their purpose. This must be authorized by LEGISTIFY SERVICES PRIVATE LIMITED; otherwise the IT belongings will not be allowed within the LEGISTIFY SERVICES PRIVATE LIMITED premises;

  • All employees of LEGISTIFY SERVICES PRIVATE LIMITED must be provided with identity cards, which they must wear at all times within the premises;

  • The security guards at the entrance of the building may verify whether the employee is wearing the identification badge. Employees will comply with the security guard's request to show the photo ID card;

  • “Tailgating” is not permitted. Only employees with a valid identification badge and proximity card will be allowed within the organization premises;

  • Do not let intruders or strangers into your work area, and alert your team leader and administration personnel immediately if such an event happens;

  • Loss of an identity card / access badge must be immediately reported to HR for issuance of a temporary card, followed by the issuing of another identity card / access badge;

  • Entry within the premises is restricted based on the role of the employee;

  • Sensitive areas of LEGISTIFY SERVICES PRIVATE LIMITED have cameras installed with a minimum recording data retention period of 15 days. All cameras can be monitored from one console, and the monitoring team is expected to trigger a security breach alarm or notify the Admin team if any malicious activity comes to its knowledge;

  • Physical access to LEGISTIFY SERVICES PRIVATE LIMITED is controlled by an access control mechanism for employees, and visitor access is also restricted. Mobile phones, including mobile phones with a camera feature, add a risk of data leakage; hence mobile phones and mobile phones with cameras are not allowed inside the LEGISTIFY SERVICES PRIVATE LIMITED premises. Employees in a client relationship role who need to be reachable round the clock can be allowed as an exception. To obtain exception approval, the employee must send a privilege requisition request by email and get it duly approved by the business head and the ISMS Manager / LEGISTIFY SERVICES PRIVATE LIMITED CEO. The Admin department will inform the security post and security personnel on a periodic basis of the exception cases permitted to bring mobile phones inside the premises, and will maintain the exception forms for records.

Entry Restriction for Visitors to Premises

  • Reception at LEGISTIFY SERVICES PRIVATE LIMITED is manned during working hours, which ensures authorized access for visitors. Additionally, all visitors are expected to declare all the IT belongings (e.g. laptops, CDs, floppy disks, pen drives, etc.) that they carry into the LEGISTIFY SERVICES PRIVATE LIMITED premises, and their purpose. This must be authorized by LEGISTIFY SERVICES PRIVATE LIMITED; otherwise the IT belongings will not be allowed within the LEGISTIFY SERVICES PRIVATE LIMITED premises;

  • Visitors sign in using the visitors’ logbook, which is kept with the security guard and at reception. This log contains the date and time of entry and departure of the visitor. This log is retained and reviewed every day by the Administration Department;

  • Visitors are provided with a visitor’s card after proper authorization, which they are expected to wear at all times in the LEGISTIFY SERVICES PRIVATE LIMITED premises;

  • The concerned LEGISTIFY SERVICES PRIVATE LIMITED personnel must always accompany visitors.

Securing offices, rooms and facilities

Access to server rooms

  • Specific employees who need to access the sensitive areas (e.g. server room) must be authorized by the ISMS Manager/CEO on the biometric/card-based access device. Employees should authenticate through the biometric/card-based access device and also sign the register with employee name, signature and time of entry;

  • Server room access should be limited only to IT Infrastructure personnel and a few Admin staff. The restriction is enforced through the use of electronic locks with access through proximity readers and cards;

  • The ISMS Manager authorizes the access and reviews the log of accesses to the server room on a monthly basis;

  • If any vendor needs to access the server room for maintenance work on the IT equipment or for the maintenance of other infrastructure equipment (such as furniture and fittings), and/or Admin personnel need access for cleaning, the authorized IT personnel must accompany such third parties and all the work is done under their supervision. No third party is allowed inside the server room unless supervised by the Network Admin Department personnel;

  • The server room access register must provide details of the visitors who have visited the server room and the equipment accessed by them. In addition, the logbook must contain the details of the activity performed by visitors.

Annexure - Visitors’ Register for Server Room

LEGISTIFY SERVICES PRIVATE LIMITED_FMT_SRV_ACCESS Register

| Date | Name of the Visitor | Organization | Purpose & IT Equipment | Time in | Time out | Sign of Visitor | Name & Sign of SYSTEM ADMIN |
|---|---|---|---|---|---|---|---|

Protecting against external and environmental threats

Heat and Air Pollution

The whole premises have air-conditioning facilities to prevent dust, heat and air pollution affecting IT equipment.

  • Temperature

The server room must have dedicated air-conditioning equipment with the temperature maintained below 24 degrees Centigrade. This should be maintained even when the power supply is unavailable, i.e., the generator should be able to support the server room air-conditioning. Thermometers are also installed in the server rooms to monitor the temperature. Whenever an alarming situation arises, the IT Department immediately informs Admin personnel so that they can take the necessary action.

  • Humidity

The humidity level in the server room must not exceed an adequate limit. Whenever an alarming situation arises, Network Admin personnel immediately inform Admin so that the necessary action can be taken.

  • Dust

The particulate dust content of the air in the server room should be maintained at an acceptable level. Cleaning of the server room is done by Admin staff and verified by Network Admin personnel on a daily basis.

Risk of Fire

  • Server Room

The server room must ideally be fitted with an inert gas (e.g. CO2) based fire extinguisher. After detection of a fire, the alarm must immediately be sounded and the fire plan must be activated. The staff in the server room must evacuate the room.

  • Fire Alarms

The whole premises must be fitted with automatic fire alarms. There must also be manual alarms located at strategic places in the building, which can be started by any employee who notices a fire that the fire detectors have failed to detect.

  • Fire fighting methods

The organisation has a comprehensive disaster recovery plan in place, which covers firefighting methods, classification of fire, etc.

  • Fire Drills

Fire drills must be carried out at regular intervals to ensure that all employees are aware of the various procedures involved in case of a fire and do not panic unnecessarily. The Admin department is responsible for awareness, which is carried out at periodic intervals via circulars, trainings, etc.

Indian law and regulations require frequent fire drills for facilities. All occupants of buildings, at the time of the drill, must participate in the fire drill, vacate the building in an orderly fashion when the fire alarm signal is given, and not return until the “ALL CLEAR” signal is given by Building Management Department. The object of the drill is to prepare building occupants for exiting a building during a fire or related building emergency. The drills are conducted by the building management and no prior notification should be given to any occupant as to a specific date or time.

  • How to Report a Fire

If you discover a fire in your building, do the following:

  1. Pull the fire alarm and call Fire department contact numbers.

    1. Fire department contact numbers along with other emergency contact numbers should be placed inside buildings.

  2. Do not attempt to fight the fire without proper fire extinguishers unless the fire is small and you have been trained in their proper use. DO NOT PUT YOUR LIFE IN DANGER WHILE ATTEMPTING TO CONTROL A FIRE. When in doubt, evacuate.

  3. Remain calm while talking to the teams, management departments and fire departments. Be prepared to answer several questions as to location, size of fire, your name, number of persons in the building (if known) and any injuries. Remain on the line until the operator is finished.

  4. Meet fire or police personnel when they arrive at the building. Stand by to answer any questions they may have concerning the fire. Once out of the building DO NOT RE-ENTER THE BUILDING FOR ANY REASON, unless emergency personnel have given the “ALL CLEAR” signal.

  • Fire Exit Procedure

Below are the steps to follow when establishing and participating in fire drills or emergencies:

  1. The fire exit plan shall include everybody in the building. This includes all visitors, employees, and attendants. There are no excuses for not participating. Everyone must leave the building during a drill period.

  2. Diagram and post routes to the outside from all rooms.

  3. Establish a method to account for those known to be in the building at the time the alarm is sounded. In case of actual fire conditions, information regarding persons believed to be in the building should be made available to responding emergency crews. (Do not return inside. Only trained search and rescue personnel should re-enter an evacuated area.)

Tips to Remember:

Learn how to use portable fire extinguishers. Remember the acronym PASS:

  • P: Pull the pin.

  • A: Aim at the base of the fire.

  • S: Squeeze the trigger.

  • S: Sweep the nozzle from side to side.

If the fire is INSIDE your room: Leave your room and close the door.

If the fire is NOT in your room:

  • With your hands, test the door for heat before opening.

  • IF THE DOOR IS HOT:

    • Stay in your room.

    • Phone for help.

    • Stay calm.

    • Wait for help.

  • IF THE DOOR IS COOL:

    • Open the door slowly.

    • WALK to the nearest exit and leave the building.

    • If the exit is unsafe, return to the room and remain there.

    • If the hall is smoky, stay low or crawl out on your hands and knees.

DO NOT USE THE ELEVATOR!!!

Water Damage Risk

  1. Protection from Floods
    The premises should have adequate flood and rainwater drains. The premises should be continuously maintained to ensure that water seepage, if any, is detected and corrective action is initiated.

  2. Drainage System
    The drainage system should be such that water and drainpipes are located away from the server room.

Working in Secure Areas

The following guidelines are considered and implemented:

  1. Personnel are informed about existence or activities happening within a Secure Area, only on a need to know basis,

  2. Unsupervised working in secure areas is avoided for safety reasons,

  3. Vacant secure areas are physically locked and periodically checked,

  4. Photographic, video, audio or other recording equipment, such as cameras in mobile devices, are not allowed. For this purpose, awareness posters may also be placed at strategic locations.

Public Access, Delivery, and Loading Areas

Access points such as delivery and loading areas are identified and are isolated from information processing facilities to avoid unauthorised access. To ensure this, the following guidelines are considered:

  • Access to a delivery and loading area from outside of the building is restricted to identified and authorized personnel. All visitors make an entry in the visitors' logbook available at the entrance gate,

  • LEGISTIFY SERVICES PRIVATE LIMITED Admin personnel always accompany any visitor, such as a vendor, contractor, etc., at the time of unloading activity,

  • Incoming material is inspected for potential threats by LEGISTIFY SERVICES PRIVATE LIMITED house-keeping staff before this material is moved from the delivery and loading area to the point of use,

  • Access to the reception area is closely controlled and restricted to authorized personnel,

  • The process begins when the person who issued the order receives notification of delivery. While procedures may vary, the main point is that the reception area must be controlled and, if possible, isolated from the information processing area.

Policy Revision History

| Date | Version | Author | Reviewer | Approver | Comments |
|---|---|---|---|---|---|
| | 0.1 | ISMS Manager | CIO | LEGISTIFY SERVICES PRIVATE LIMITED Management | Draft Version of Physical & Environmental Security Policy |
