Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

Transcription

1 Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

2 Document Details Title Description Version 1.0 Author Classification Physical and Environmental Security Policy Physical and Environmental Security controls of Oil India Limited Information Security Manager Internal Review Date 27/03/2018 Reviewer & Custodian Approved By CISO Release Date 23/03/2015 Owner Information Security Council (ISC) CISO Distribution List Name Internal Distribution Only Version History Version Number Version Date /03/2015 Internal Page 2 of 12

3 Table of Content 1. Purpose Policy Application Secure Areas Equipment Security Non Compliance Internal Page 3 of 12

4 1. Purpose This Policy supports the high level policy statements defined in Information Security Policy. Information Assets are required to be physically protected from security threats to prevent loss, damage or compromise assets which may lead to disruption of business continuity. Physical & Environmental Security refers to the protection of office site and equipment (and all other information and information assets) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures etc.) which may lead to disruption of business operations. The purpose of this document is to describe the acceptable and non acceptable activities to prevent unauthorized access, damage and interference of business premises and information. 2. Policy 2.1 Application The policy applies to employees, including full-time staff, part-time staff, contractors, freelancers, and other agents accessing Oil India business premises and information assets. 2.2 Secure Areas Physical Security Perimeter Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) will be used to protect areas that contain information and information processing facilities. Physical protection will be achieved by creating several physical barriers around the business premises and information processing facilities. Each barrier establishes a security perimeter, creating a defence in depth strategy and eliminating a single point of failure. The following guidelines and controls will be considered and implemented where appropriate: The security perimeter will be clearly defined; Internal Page 4 of 12

5 The perimeter of a building or site containing information processing facilities will be physically sound (i.e. there will be no gaps in the perimeter or areas where a break-in could easily occur). The external walls of the site will be of solid construction and all external doors will be suitably protected against unauthorized access, e.g. control mechanisms, alarms, locks etc; A manned reception area or other means to control physical access to the site or building will be in place. Access to Oil India premise is restricted to authorized personnel only; Physical barriers will, if necessary, be extended from real floor to real ceiling to prevent unauthorized entry and environmental contamination such as that caused by fire and flooding; and All fire doors/exits on a security perimeter will be access controlled, monitored, and tested in conjunction with the walls to establish the required level of resistance Physical Entry Controls Secure areas will be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. The following controls will be implemented to ensure adequate protective measures: Each employee will be issued proximity card for entry to secure areas along with an identification card which will have the following details: Employee name Unique Employee ID Photograph Business Unit Blood Group + emergency contact numbers Department Employees who have forgotten their identification badge/proximity card will obtain a temporary badge after approval team leader. This will not have access to floors such a temporary badge will stay valid for a single day only. The employee needs to return the temporary badge while leaving the office. Internal Page 5 of 12

6 Identification badges that have been lost or stolen or are suspected of being lost will be reported instantly. Such cards will be deactivated once mail is received from the employee or any other user with immediate effect. All temporary workers, trainees, consultants, engineers who require access to secure areas will be issued a temporary card after approval from their respective SPOC and immediate superior in the Department. This will not have access to floors. Such a temporary badge will stay valid for a single day only. The employee needs to return the temporary badge while leaving the office. Visitors to secure areas will be supervised, and their date and time of entry along with the photo identity proof and departure recorded. All personnel will be required to wear their identification card at all times and will be encouraged to challenge unescorted strangers and anyone not wearing visible identification. Access rights to secure areas will be regularly reviewed on quarterly basis and updated by management responsible for the specified areas Securing offices, rooms and facilities A secure area may be a locked office or several rooms inside a physical security perimeter, which may be locked and may contain lockable cabinets or safes. The selection and design of a secure area will take into account the possibility of damage from fire, flood, explosion, accident, malicious intent, and other forms of natural or man-made disaster. Consideration will be given also to any security threats presented by neighbouring premises, e.g., leakage of water from other areas. The following controls are essential considerations: Key facilities will be sited to avoid public access; Buildings will be unobtrusive and will give minimum indication of their purpose; Doors and windows will be locked when unattended and external protection will be considered for windows, particularly at ground level; Internal Page 6 of 12

7 Hazardous or combustible materials will be stored securely at a safe distance from a secure area. Bulk supplies such as stationery will not be stored within a secure area until required. Fallback equipment and back-up media will be sited at a safe distance to avoid damage from a disaster at the main site. Any outlying buildings or areas that house/contain data centre support equipment (backup generators, UPS, etc) will have the similar level of security controls as the data centre itself; secure structure, access control, and technical surveillance systems for monitoring access and activities around the area. CCTV may be implemented to track movement at all critical entry and exit points. The recordings of CCTV will be kept for next 15 days. Surveillance and monitoring is subject to legal limitations in many jurisdictions, and will be subject to contractual limitations in union, Works Council or shop agreements. Legal Counsel will be consulted before implementing these measures. A manned reception area or other means to control physical access to the building will be in place. Access to the building will be restricted to authorized-personnel only. Visitor and Escort Control procedures will be implemented to ensure that all visitors to the company facilities are positively identified and authorized prior to granting access. Visitors to secure areas will be escorted or cleared for unescorted access, and their date and time of entry and departure recorded. Visitors will only be granted access for specific, authorized purposes. Visitor photo pass logs will be established and maintained. Wherever possible, Technical Surveillance Systems (CCTV) will be utilized to monitor activities around the immediate environs of the building and entrances. All safety/fire emergency doors will be access controlled and have closing and locking mechanisms along with hooters in case if it is opened. Special care will be given to ensure the security of loading areas Working in Secure Areas The following guidelines may be considered: Internal Page 7 of 12

8 Access to sensitive information and information processing facilities, will be controlled and restricted to authorized persons only. Authentication controls, (e.g. Card/Badge Access Control System), will be used to authorize and validate all access. An audit trail of all access will be securely maintained. These secure areas will also include telephone and network closets, environmental, UPS and server room etc. All personnel will be required to wear identification badges, and security personnel may challenge unescorted strangers and anyone not wearing visible identification. Access rights to secure areas will be regularly reviewed (quarterly) and updated; Personnel will only be aware of the existence and activities in a secure area on a need to know basis; Unsupervised working in secure areas will be avoided both for safety reasons and to prevent opportunities for malicious activities; and Vacant secure areas will be physically locked and periodically checked Isolated Delivery Loading Areas Delivery and loading areas will be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. The following controls will be considered: Access to a holding area from outside of the building will be restricted to identified and authorized personnel; The holding area will be designed so that supplies can be unloaded without delivery staff gaining access to other parts of the building; Incoming material will be inspected for potential hazards and registered, if appropriate, before it is moved from the holding area to the point of use; and Incoming and outgoing shipments will be physically segregated; wherever required. Internal Page 8 of 12

9 2.3 Equipment Security Equipment Location and Protection LAN servers, routers, midranges, mainframe, PBX s and other computer hardware which would not typically reside on an individual user s desktop or in common working areas will be physically located in a secured area, with adequate controls for preventing or suppressing environmental hazards like fire and other non-environmental threats such as theft which could hamper availability of data. The following guidelines will be considered for protecting the equipments: Equipment will be located to minimize unnecessary access into work areas; Information processing facilities handling sensitive data will be positioned and the viewing angle restricted to reduce the risk of information being viewed by unauthorized persons during their use, and storage facilities secured to avoid unauthorized access; Items requiring special protection will be isolated to reduce the general level of protection required; Controls will be adopted to minimize the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism; Smoke detectors and fire extinguishers/ water sprinklers may be placed at all strategic locations across Oil India premises to set off an alarm in case of fire; and Random checks/rounds will be carried to ensure that eating, and smoking in proximity to information processing facilities is not carried out Power Supplies Computer hardware will be protected from electrical problems that might cause a computer malfunction or failure. Magnets or sources of magnetic fields will not be located near computer diskettes or tapes. Examples include radios, magnetic picture and/or coat hangers, flashlight magnets, magnetized screwdrivers, paper clip holders, transformers and motors. Internal Page 9 of 12

10 The following options for continuity of power supplies will be used: Multiple feeds to avoid a single point of failure in the power supply; Uninterruptible power supplies (UPS); and Back-up generator Cabling Security Power and telecommunications cabling carrying data or supporting information services will be protected from interception or damage. The following controls will be considered: Power and telecommunications lines into information processing facilities will be underground, where possible, or subject to adequate alternative protection; Network cabling will be protected from unauthorized interception or damage. Examples of this protection include using conduit or avoiding routes through public areas; and Network distribution areas will be physically secured to prevent unauthorized access or modification. For sensitive or critical systems armoured conduit and locked rooms or boxes will be installed at inspection and termination points Equipment Maintenance Equipments will be correctly maintained to ensure their continued availability and integrity. The following controls will be considered: Internal Page 10 of 12

11 Equipment will be maintained in accordance with the supplier s recommended service intervals and specifications; Records will be kept of all suspected or actual faults and all preventive and corrective maintenance; Only authorized maintenance personnel will carry out repairs and service equipment; and Appropriate controls will be taken when sending equipment off premises for maintenance to prevent unauthorized access to sensitive information Security of Equipment off-premises Security will be applied to off-site equipment taking into account the different risks of working outside the organization s premises. The following controls will be considered: Equipment and media taken off the premises will not be left unattended in public places; Manufacturers instructions for protecting equipment will be observed at all times, e.g. protection against exposure to strong electromagnetic fields; and Adequate insurance cover will be in place to protect equipment off-site Secure disposal or re-use of equipment All items of equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. Devices containing sensitive information will be physically destroyed or the information will be destroyed, deleted or overwritten using techniques to make the original information nonretrievable rather than using the standard delete or format function Removal of Property Equipment, information or software will not be taken off-site without prior authorization. The following controls may be considered: Equipment, information or software will not be taken off-site without prior authorization; Internal Page 11 of 12

12 Employees, contractors and third party users who have authority to permit off-site removal of assets will be clearly identified; Equipment will be recorded as being removed off-site and recorded when returned; and A log of items, facilities and keys in possession of employees will be maintained. 3 Non Compliance Failure to comply with the Physical & Environmental Security Policy may, at the full discretion of the Oil India, result in disciplinary action as per Information Security Policy. Internal Page 12 of 12