Physical Security Policy

Version: 1.00Issue Date: 3/3/2015

This Physical Security Policy specifies methods used to physically protect organizational computer systems and who is responsible for implementing methods used.

1.0 Overview

This Physical Security Policy will help ensure the physical security of organizational computer systems and information by specifying responsibilities for physical security.

2.0 Purpose

This Physical Security Policy is intended to ensure that physical computer resources and information resources are properly protected physically.

3.0 Scope

This Physical Security Policy applies to all organizational computer systems and information including printed copies of information which may be sensitive. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Physical Requirements

Appropriate access control, environmental, and protective, measures must be in place to properly protect physical computer systems and information resources from physical harm or unauthorized disclosure. These resources include informational assets that are not computer related. All organizational members are responsible for ensuring that information resources and computer systesm have proper and adequate physical security.

  • Access to server rooms must be logged either electronically or on log sheets. The person getting access must be required to log in and the log in requirement must not be voluntary. Places where authentication devices or data storage facilities exist must require access logs records to be maintained.
  • Removal or addition of equipment must be logged and the Asset Control Policy must be enforced.
  • Physical controls must be used to be sure equipment cannot be removed or added without proper logging.
  • All those who have access to where organizational computer systems are must pass a security background check or be escorted by a staff member who has passed a security background check.
  • Computer equipment that allows access to systems without logical controls such as account login must be protected in rooms with proper physical access controls. These controls must include mandatory logging of access and proper construction of the room to prevent unauthorized break-in. All terminals with no logical controls must be identified and only terminals registered with host computer systems should be permitted access to the host computer.

5.0 Responsibilities

Employee Responsibilities

  • Be alert and aware of suspicious characters in or near organizational premises. Report or challenge suspicious characters or activities as is appropriate and safe.
  • Keep computer equipment in your possession secure at all times whether on organizational premises or away from the organization.
  • Report loss or theft of any sensitive documents, memory storage devices, or computer equipment to management and document it with appropriate forms.
  • Be sure information assets being disposed of are disposed of properly in accordance with the Equipment and Media Disposal Policy.

Information Technology Staff Responsibilities

  • Follow appropriate policies and procedures regarding data storage. Be sure to store backed up data at approved off-site locations according to the File Backup and Restore Policy.
  • System administrators must retain system security logs and review logs on a daily basis according to the Server Monitoring Policy. Logs must be retained according to the Audit Trail Policy.
  • Computer Center managers and administrators must keep records of people with access codes, keys, and combinations to secure areas.
  • Computer Center managers and administrators must be sure physical security requirements for the computer center are being followed and that access to facilities and secure areas is properly logged.
  • Auditors must evaluate the computer center policies to determine their effectiveness in providing the desired outcome of keeping the facility secure and environmentally controlled (at least every 6 months).
  • Auditors must periodically audit the computer center (at least every 6 months) to be sure proper policies and procedures are being followed to secure the facility and to keep environmental controls in operation.

Information Technology Security Director Responsibilities

  • Identify and specify required physical security measures.
  • Identify and specify required environmental controls for computer centers and other appropriate facilities including network facilities such as switch closets.
  • Designate individuals to enforce physical security requirements.
  • Designate qualifications for use of access codes and keys for computer center facilities so only staff members with a need for access are granted access.
  • Be sure and designate individuals to be sure the Asset Control Policy is being enforced and the list of computer equipment is accurate.
  • Designate individuals to keep lists of those with need and approval for access to computer facilities including employees, contractors, and service vendors.
  • Be sure an escort is provided for those who enter the computer center when their job does not require it or they have temporary access.
  • Determine the required frequency of both internal and independent evaluations of the security control environment and the environmental controls. The evaluations should consider controls in place, the need to modify controls, and the effectiveness of those controls.
  • Establish processes for performing evaluations of the security control environment controls and effectiveness of environmental controls.

6.0 Enforcement

Since proper physical security is critical for protecting the security of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.


Approved by:__________________________ Signature:_____________________ Date:_______________