Objective: Security zones provide physical protection of information assets. The more sensitive the information assets to be processed, the more protective measures are required.
Requirements (must): A security zone concept including the associated protective measures based on the requirements for the handling of information assets is in place:
- Physical conditions (e.g. premises, buildings, spaces) are considered in the definition of security zones,
- This also includes delivery and shipping areas.
The defined protective measures are implemented.
The code of conduct for security zones is known to all persons involved.
Requirements (should): Procedures for allocation and revocation of access rights are established.
Visitor management policies (including registration and escorting of visitors) are defined.
Policies for carrying along and using mobile IT devices and mobile data storage devices (e.g. registration before they are carried along, identification obligations) are defined and implemented.
Network/infrastructure components (own or customer networks) are protected against unauthorized access.
External properties used for storing and processing information assets are considered in the security zone concept (e.g. storage rooms, garages, workshops, test tracks, data processing centres).
Cybercriminals can exploit configuration errors or technical vulnerabilities in applications, firewalls or networks to access our information.
An organization must use defense-in-depth technologies to protect against, detect and respond to cyber-attacks. These measures should cover physical, logical and administrative controls.
Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.
Visitors shall have access to secure areas only with permission, after they are appropriately identified, and their access rights shall be limited to the facilities they need. All visits are recorded in the visitor log. In addition, staff have guidelines on safe conduct in connection with visits.
The organization has defined the areas for handling confidential information and the operating rules that are followed in all activities taking place in those areas.
In the rules, consideration should be given to the following points:
Access to areas where confidential information is handled or stored should be restricted to authorized individuals through appropriate access control, e.g. using a two-step authentication mechanism such as an access card and a passcode.
People cannot move around the organization's premises without a visible identifier.
An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.
Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:
Separation can be implemented either with physically separate networks or with logically separate networks.
The organisation's premises and the operating environments of the equipment are actively protected by security.
External support staff, such as maintenance or cleaning staff, are granted access only to the security areas and confidential data processing services they need. Access rights for external support staff are reviewed regularly.
Security personnel use camera surveillance to verify alarms for unauthorized access, sabotage or other incidents at the organization's premises.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.