1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets.
2. The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.
3. The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.
Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.
To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.
Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.
All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.
The organization should take environmental threats and hazards into account and protect against them with controls commensurate with the importance of the premises.
The organization should ensure that the data centers used by the organization have controls in place to protect ICT and information assets from unauthorized access, attacks, and accidents.
The data center should also have controls and plans in place to protect the assets from environmental threats and hazards. The protection from environmental threats and hazards should be commensurate with the importance of the data centers and the criticality of the operations or ICT systems located there.
When performing maintenance on ICT products, physical provider access should be regulated and monitored.
The organization's premises and the operating environments of its equipment are actively protected by security measures.
The organization must ensure the integrity of its hardware components. This can be done:
Access to buildings containing critical systems must be constantly monitored to detect unauthorized access or suspicious activity. The following issues should be taken into account in monitoring practices:
Information related to surveillance systems should be kept confidential, as disclosure of information can facilitate undetected breaches. The monitoring systems themselves must also be properly protected, so that the recordings or system status cannot be affected without permission.
The organization has defined the areas for handling confidential information and the operating rules that are followed in all activities that take place in those areas.
In the rules, consideration should be given to the following points:
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
Alarm systems monitor the level of key environmental conditions (e.g. temperature and humidity) that can adversely affect the operation of data processing equipment. There should also be a functioning fire alarm system in the environment.
Surge protectors prevent power surges and dips from damaging the equipment. Uninterruptible power supplies (UPS), on the other hand, guarantee a limited amount of battery power, which keeps equipment running through short power outages. Critical equipment is connected to a UPS.