info@nissa.gov.ly
+218 21 3614115

Physical Security Policy

You can National Information Security & Safety Authority policies as pdf by clicking on this link

Physical Security Policy

Introduction

Physical security is a set of security measures adopted to make sure that only authorized individuals are allowed access to resources, equipment, and other assets in a data center. Physical security procedures and measures can consist of a broad spectrum of methods to discourage intruders, which may also resort to methods based on technology. A well employed physical security policy protects the data center’s resources and equipment against theft, vandalism, natural disaster, sabotage, cyber-attack and other malicious acts. All personnel should make themselves aware of the contents of the security policy and adhere to those parts of the policy that cover their areas of work.

Purpose

It is essential to state and enforce physical and environmental controls in order to protect information assets and systems from unauthorized access, and defense against environmental threats. This policy sets out the requirements for the protection of data centers from both physical and environmental threats to ensure the confidentiality, integrity, and availability of the data contained within.

Scope

This policy describes the physical security requirements for the (ORGANIZATION)’s Data Center, including Network Operating Center (NOC) offices and the data center, and all contents therein. It covers a wide variety of property and people requirements. All employees, contractors, service engineers, and agents of the (Organization) are covered by this policy and expected to comply with its requirements.

Policy

      1. Natural Disaster Risks:

        The location of the data center should be selected where the risk of natural disasters is at acceptable levels. Natural Disasters include but are not limited to lightning storms, heavy rain, sandstorms and floods.

      2. Man-Made Disaster Risks:

        The site should be within an area where the risk of man-made disaster is as low as possible. Man-made disasters include but are not limited to plane crashes, riots, explosions, armed conflicts, and fires. The Site should not be adjacent to airports, prisons, freeways, stadiums, and parade routes.

      3. Infrastructure:

        The reliability of the facilities providing electrical power to the site should be at 99.9% or better. Electricity must be received from two separate substations (or more) preferably attached to two separate power plants. There should be two sources of water available to the site. There must be connectivity to more than one access provider at the site.

      4. Sole purpose:

        Data center should not share same space with other offices, especially those not owned by the same entity. In case the data center must share space with other offices, it should not have walls adjacent to them.

      5. Site Perimeter:

        Each entry point of the data center should be guarded, where the data center employees’ access to the facility should be controlled using a reliable method of automatic authentication. There should not be anything that could obstruct the surveillance via CCTV camera or by the patrolling guards in the surrounding areas. There should not be a sign advertising that the place is in fact a data center or what (Organization) owns it.

      6. Surveillance :

        CCTV cameras should be installed outside the building to monitor places nearby properties. Guards should patrol the property’s perimeter regularly. All vehicles belonging to (Organization)’s staff, contractors, guards, and cleaning crew should be issued parking permits. Others should only be allowed to use the visitor parking areas. Vehicles not fitting either of these classifications should be towed.

      7. Outside Windows and Computer Room Placement:

        The rooms containing the computers should not have windows to the outside. Those windows pose the risk of remote eavesdropping and the introduction of extra heat from casting sunlight inside the rooms. Those rooms should also be located in the interior of the data center. If they must have a wall at the edge of the data center, a physical barrier should be placed outside the wall preventing any direct access the room’s wall.

      8. Access Points:

        Automatic authentication technique should be placed at all entry points of the facility. Any equipment or items accompanying any individual entering the facility should be logged by security guards when entering and accounted for on exit detailing the time and person’s identity. Access to the authentication badges database should be available at the security kiosk, where the pictures of badge’s holder must be accessible. Badges must have a picture of the holder.

Server Rooms

      1. Access:

        Signs designating the room as restricted access and prohibiting food, drink, and smoking in the servers’ room should be present. Its doors should be equipped with an automatic authentication method. Besides, the doors should be fireproof. Only two doors should be at each server room. Due to the lack of windows, one door is considered a poor design in most fire codes. Access to computer rooms should only be granted to those maintaining the servers or room’s infrastructure. During holidays, access should be restricted to emergencies.

      2. Infrastructure:

        Server rooms should be monitored by CCTV cameras. Redundant access to power, cooling, and connectivity should be present at each computer room. The server rooms should have a raised floor of around 46 centimeters in order to provide air flow and cable management. Besides, those rooms should be equipped with air filtration. Server room’s ceiling should be high to allow for heat dissipation.

      3. Environment:

        The temperature at each server room should be maintained between 12 and 24 degrees Celsius. The humidity should be kept between 20% and 80%. Both the temperature and humidity should be monitored using sensors installed in the rooms and their readings needs to be logged and reported to the Network Operating Center.

      4. Fire Prevention:

        A total flooding agent solution should be in place in each server room. Suitable fire extinguishers must be placed in each server room. Preferable Pipe sprinkler systems must not be used in server rooms.

Facilities

      1. Cooling Systems:

        There must be redundant cooling system in place. Outdoor Parts of the Cooling Systems must be secluded from the car park of the Data Center.

      2. Power:

        The server room must have at least battery based power source onsite with that can provide enough time of operation to switch over to fossil fuel power generation. In case there is no fossil fuel backup, the battery should last for at least 24 hours. The fuel should be enough for 24 hours and it should be stored onsite, while there should be a contract to obtain up to a week worth already in place.

      3. Trash:

        While dumpsters should be monitored by CCTV cameras, all paper documents containing any sensitive information should be at least shredded onsite or destroyed beyond retrieval before discarding them.

      4. Network Operating Center (NOC):

        The NOC must have fire, power, weather, temperature, and humidity monitoring systems in place. There must be redundant methods of communication between the NOC and the outside world. It must be manned 24/7. It is recommended that NOC staff need to monitor news outlets for events effecting the security of the data center.

Disaster Recovery

Disaster Recovery Plan

The data center must have a disaster recovery plan. Ensure that the plan addresses the following questions: What constitutes a disaster? Who gets notified regarding a disaster and how? Who conducts damage assessment and decides what back-up resources are utilized? Where are backup sites located and what is done to maintain them on what schedule? How often and under what conditions is the plan updated? If the organization does not own the data center what downtime does the service level agreement with the center allow? A list of people within the organization to notify must be maintained by the NOC of the data center including office, home, and mobile phone numbers and Instant Message Names if available. How often are those people updated?

Offsite Backup

There must be regular offsite backups of sensitive data. A backup policy must be issued and implemented regarding the steps that should be followed to restore backup and containing a schedule of rehearsals for testing the readiness of the backup procedures.

People Section

Outsiders

  1. Guards:

    All security guards should be submitted to criminal background checks prior to hiring and repeated regularly. They should be familiarized and trained on strictly enforcing the physical security policy.

  2. Cleaning Crews:

    All Cleaning staff should work in groups of at least two. Cleaning crew should be restricted to offices and the NOC. If cleaning staff must access a Computer Room for any reason they must be escorted by NOC personnel.

  3. Service Engineers:

    The times of entering and leaving the premises of the service engineers must be logged at the building entrance. The NOC staff should log the Service Engineers’ badge exchange to access a server room.

  4. Visitors:

    Visitors must be accompanied by the person whom they are visiting all the time during their visit. Visitors must not be permitted access to a server room without written consent from data center administration. All visitors who enter Computer Rooms must sign Non-Disclosure Agreements.

  5. Users:
    1. Education
      1. The users must be aware of the risk of shoulder surfing and other social engineering methods and they must be trained to watch out for intruders. They also should be trained on securing desktops and laptops within the center and laptops outside of it, awareness of surroundings, and emergency procedures.
    2. Policy

All users at the data center must sign Non-Disclosure Agreements. A Physical Security Policy should be signed by each user and enforced by security guards.

 

Disaster Recovery

  1. Organizational Chart:

    An organizational chart should be maintained detailing job function and responsibility. Ideally the organization chart would also have information on which functions the worker has been cross trained to perform.

  2. Job Function Documentation:

    It’s not enough to document only what current employees know at the moment about existing systems and hardware. All new work, all changes, must be documented as well.

  3. Cross Training:

    Data Center employees should be cross trained in a number of other job functions. This allows for a higher chance of critical functions being performed in a crisis.

  4. Contact Information:

    A contact database must be maintained with contact information for all Data Center employees.

  5. Telecommuting:

    Data Center employees should regularly practice telecommuting. If the data center is damaged or the ability to reach the data center is diminished then work can still be performed remotely.

  6. Disparate Locations
    If the organization has multiple Data Centers then personnel performing duplicate functions should be placed in disparate centers. This allows for job consciousness to remain if personnel at one center are incapacitated.

Authority Membership

Contact info

+218 21 3614115

+218 21 361 4277

info@nissa.gov.ly

Albareed,Tripoli-Libya

All Rights Reserved Nissa © 2021