IT physical security policy
February 13, 2020
This policy will help your organization safeguard its hardware, software, and data from exposure to persons (internal or external) who could intentionally or inadvertently harm your business and/or damage physical assets.
From the policy:
Physical security guidelines and requirements
The following guidelines should be followed in designing and enforcing access to IT assets.
Server room/IT equipment room access
- Access to server rooms and IT equipment rooms should be restricted to only those whose job responsibilities require that they maintain the equipment or infrastructure of the room.
- Signs should be placed at the entrance to server rooms and IT equipment rooms, warning that access is restricted to authorized personnel and prohibiting food, drink, and smoking.
- Server rooms and IT equipment rooms should not double as office space or storage space, or serve any other shared purpose.
- Doors to server rooms and IT equipment rooms should be fireproof and secured with deadbolt-type locks that can’t be easily picked.
- Access to server rooms and IT equipment rooms should be controlled by a strong authentication method, such as an electronic combination lock, a badge reader, a fingerprint reader, or other biometric scanning device. Lock combinations should be changed on a regular basis.
- Keys to server room doors—both electronic and traditional—should be numbered and the whereabouts of each copy logged. Traditional keys should be marked “Do not duplicate” and electronic keys should be copy protected.
- Server rooms and IT equipment rooms should not have windows through which a person could gain access. If there are windows, they should be bulletproof/shatterproof, and/or protected by metal grates to prevent access if broken.
- Server rooms and IT equipment rooms should be monitored by CCTV or IP cameras 24/7.
- Server rooms and IT equipment rooms should have redundant power sources, such as a generator, to power electronic locks and authentication systems in case of a power failure or outage.
- A complete inventory of server room and IT network room equipment, including brands, models, serial numbers, and physical descriptions, should be completed and kept up to date.
- A system for securely disposing of unwanted discs, tapes, cards, hard drives, printed paper, and anything else that could contain confidential information should be implemented.