Information Security Physical and Environmental Security Procedure

A. Introduction
1. Executive Summary

1.1 The University of Newcastle is committed to and is responsible for ensuring the
confidentiality, integrity, and availability of the data and information stored on its
systems.

1.2 All users interacting with information assets have a responsibility to ensure the security
of those assets.

1.3 The University must have controls in place to ensure the smooth operation of the
University’s ICT Resources. Users must be trained, equipped and periodically
reminded to use information and associated infrastructure securely.

B. Physical and Environmental Security Procedure


1. Secure Areas

Objective: To prevent unauthorised physical access, damage and interference to the
University’s information and assets.

1.1 Physical Security Perimeter

(a) University information processing facilities must be protected by a physical
security perimeter.

(b) Information Owners must ensure appropriate controls are in place to establish
secure areas. Sensitive information and assets must be protected while
considering the safety of personnel. Control selection must be supported by an
appropriate Risk Assessment.

(c) Controls that must be applied are:

(i) security perimeters must be clearly defined, and the siting and strength
of each of the perimeters must depend on the security requirements of
the assets within the perimeter and the results of a risk assessment;

(ii) perimeters of a building or site containing information processing
facilities must be physically sound (i.e. there must be no gaps in the
perimeter or areas where a break-in could easily occur); the external
walls of the site must be of solid construction and all external doors
must be suitably protected against unauthorised access with control
mechanisms, e.g. bars, alarms, locks, etc.; doors and windows must be
locked when unattended and external protection must be considered
for windows, particularly at ground level;

(iii) a manned reception area or other means to control physical access to
the site or building must be in place; access to sites and buildings must
be restricted to authorised personnel only;

(iv) physical barriers must, where applicable, be built to prevent
unauthorised physical access and environmental contamination;

(v) all fire doors on a security perimeter must be alarmed, monitored, and
tested in conjunction with the walls to establish the required level of
resistance in accordance with suitable regional, national, and
international standards;

(vi) suitable intruder detection systems must be installed to national,
regional or international standards and regularly tested to cover all
external doors and accessible windows; unoccupied areas must be
alarmed at all times; cover must also be provided for other areas, e.g.
computer room or communications rooms.

(d) A secure area may be a lockable office, or several rooms surrounded by a
continuous internal physical security barrier. Additional barriers and perimeters
to control physical access may be needed between areas with different security
requirements inside the security perimeter.

(e) Special consideration must be given to physical access security when
the facility houses multiple organisations or business units.

1.2 Physical Entry Controls

(a) Secure areas must be protected by appropriate entry controls to ensure that
only authorised personnel are allowed access.

(b) The following controls must be implemented:

(i) access to areas where sensitive information is processed or stored
must be restricted to authorised personnel only;

(ii) authentication controls, e.g. access control card system, must be used
to authorise and validate such access;

(iii) an audit trail of all access must be maintained;

(iv) visitors must be escorted by authorised personnel;

(v) visitors must only be allowed access for specific and authorised
purposes;

(vi) the date and time of entry and departure of visitors must be recorded;
(vii) all employees and other authorised personnel must wear visible
identification;

(viii) visitors must be issued badges or tags of a different colour than
employees;

(ix) employees must notify security personnel when they encounter
unescorted visitors or anyone not wearing visible identification;

(x) third-party support personnel may be granted restricted access only
when required; their access must be authorised and monitored; and

(xi) access rights must be regularly reviewed.
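The audit-trail, visitor-logging and access-review requirements of 1.2(b) can be checked mechanically against the card system's export. The following is an added example written for this page, not code from the University or any card-system vendor; the log records, field names and badge identifiers are constructed assumptions, and the 90-day idle threshold is an illustrative value the procedure does not specify.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail from a hypothetical card system (not from the
# procedure). Field names are assumptions; one record per door event.
ACCESS_LOG = [
    {"badge": "E-1001", "type": "employee", "area": "server-room", "event": "entry", "time": "2017-03-30T08:02", "escort": None},
    {"badge": "E-1001", "type": "employee", "area": "server-room", "event": "exit",  "time": "2017-03-30T09:15", "escort": None},
    {"badge": "V-0007", "type": "visitor",  "area": "server-room", "event": "entry", "time": "2017-03-30T10:00", "escort": "E-1001"},
    {"badge": "V-0007", "type": "visitor",  "area": "server-room", "event": "exit",  "time": "2017-03-30T10:40", "escort": "E-1001"},
    {"badge": "V-0008", "type": "visitor",  "area": "comms-room",  "event": "entry", "time": "2017-03-30T11:00", "escort": None},
    {"badge": "E-1002", "type": "employee", "area": "comms-room",  "event": "entry", "time": "2016-11-02T14:00", "escort": None},
]

# Constructed list of badges currently issued, for the access-rights review.
ISSUED_BADGES = ["E-1001", "E-1002", "E-1003"]
AS_OF = datetime(2017, 3, 31)


def visitors_without_escort(log):
    """1.2(b)(iv): every visitor entry must name an escorting authorised person."""
    return sorted({r["badge"] for r in log
                   if r["type"] == "visitor" and r["event"] == "entry" and not r["escort"]})


def visitors_without_departure(log):
    """1.2(b)(vi): each visitor entry needs a later exit record for the same area."""
    open_entries = {}
    for r in sorted(log, key=lambda r: r["time"]):  # ISO timestamps sort lexically
        if r["type"] != "visitor":
            continue
        key = (r["badge"], r["area"])
        if r["event"] == "entry":
            open_entries[key] = r
        elif r["event"] == "exit":
            open_entries.pop(key, None)
    return sorted(badge for badge, _ in open_entries)


def stale_access_rights(log, badges, as_of, max_idle_days=90):
    """1.2(b)(xi): issued badges unused for max_idle_days are candidates for review."""
    last_seen = {}
    for r in log:
        t = datetime.fromisoformat(r["time"])
        if r["badge"] not in last_seen or t > last_seen[r["badge"]]:
            last_seen[r["badge"]] = t
    cutoff = as_of - timedelta(days=max_idle_days)
    # A badge never seen in the log is treated as idle since the beginning of time.
    return sorted(b for b in badges if last_seen.get(b, datetime.min) < cutoff)


if __name__ == "__main__":
    print("unescorted visitor entries:", visitors_without_escort(ACCESS_LOG))
    print("visitors with no recorded departure:", visitors_without_departure(ACCESS_LOG))
    print("badges due for access review:", stale_access_rights(ACCESS_LOG, ISSUED_BADGES, AS_OF))
```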

1.3 Securing Offices, Rooms and Facilities

(a) Controls to ensure security of information and information systems located in
University offices, rooms and other facilities must be designed, applied and
documented.

(b) Information Owners and IT Security Officers must regularly assess the security
of areas where sensitive information is processed and/or stored. Controls that
may be implemented to reduce associated risks are:

(i) physical entry controls described in Section 2.1.2;

(ii) ensure sensitive information is stored properly when not in use in
accordance with Section 2.2.9; and

(iii) directories that identify the locations of data centres and other areas
where sensitive information is stored must not be made public.

1.4 Protecting Against External and Environmental Threats

1.5 Physical protection against natural disasters, malicious attack or accidents must be
designed and applied.

1.6 Information Owners, Data Center Managers, IT Security staff, planners and architects
must incorporate – to the extent possible – physical security controls that protect
against damage from fire, flood, earthquake, explosion, civil unrest and other forms of
natural and man-made disaster. Consideration must be given to any security threats
presented by neighbouring premises or streets. In addition to building code and fire
regulations:

(a) combustible or hazardous materials must be stored at a safe distance from the
secure area;

(b) bulk supplies, e.g. stationery, must not be stored in a secure area;

(c) backup equipment and backup media must be located at a safe distance to
avoid damage from a disaster affecting the main site; and
(d) environmental alarm systems, fire suppression and firefighting systems must
be installed.

1.7 Working in Secure Areas

(a) Additional security controls and procedures must be used by personnel when
working in secure areas.

(b) Information Owners and University IT Security Officers must identify and
document requirements that apply to personnel who have been authorised to
work in secure areas. Authorised personnel must be informed that:

(i) sensitive information cannot be discussed in a non-secure area;

(ii) sensitive information cannot be disclosed to personnel who do not have
a need-to-know;

(iii) no type of photographic, smartphone, video, audio or other recording
equipment can be brought into a secure area unless specifically
authorised;

(iv) maintenance staff, cleaners and others who require periodic access to
the secure area must be screened and their names added to an access
list; and

(v) visitors must be authorised, logged and escorted.

1.8 Delivery and Loading Areas

(a) Access points such as reception, delivery and loading areas and other points
where unauthorised persons may enter the premises must be controlled and, if
possible, isolated from secure areas or offices to avoid unauthorised access.

(b) Information Owners, University IT Security Officers, planners and architects
must ensure that:

(i) access to a delivery and loading area from outside of the building must
be restricted to identified and authorised personnel;

(ii) the delivery and loading area must be designed so that supplies can be
unloaded without delivery personnel gaining access to other parts of
the building;

(iii) the external doors of a delivery and loading area must be secured when
the internal doors are opened;

(iv) loading docks and delivery areas must be regularly inspected and
actively monitored;

(v) incoming material must be inspected for potential threats before this
material is moved from the delivery and loading area to the point of use;
(vi) incoming material must be registered in accordance with asset
management procedures on entry to the site; and

(vii) incoming and outgoing shipments must be physically segregated where
possible.

2. Equipment

Objective: To prevent loss, damage, theft or compromise of assets and
interruption to the University’s operations.

2.1 Equipment Siting and Protection

(a) Equipment must be protected to reduce the risks from unauthorised access,
environmental threats and hazards.

(b) Information Owners, University IT Security Officers, planners and architects
must ensure that University facilities are designed in a way that safeguards
sensitive information and assets.

(c) Servers, routers, switches and other centralised computing equipment must be
located in a room with access restricted to only those personnel who require it.

(d) Workstations, laptops, digital media and storage devices should be located and
used in an area that is not accessible to the public.

(e) Equipment must be located, and monitors angled, in such a way that
unauthorised persons cannot observe the display.

(f) Shared printers, scanners, copiers and fax machines should not be located in
an area that is accessible to the public.

(g) Kiosks and other devices that are intended for public use must be clearly
labelled and placed in a publicly accessible area.

2.2 Supporting Utilities

(a) Equipment must be protected from power supply interruption and other
disruptions caused by failures in supporting utilities.

(b) The following controls must be implemented to help ensure availability of critical
services.

(c) All supporting utilities such as electricity, water supply, sewage,
heating/ventilation and air conditioning must be adequate for the systems they
are supporting. Support utilities must be regularly inspected and as appropriate
tested to ensure their proper functioning and to reduce any risk from their
malfunction or failure. A suitable electrical supply must be provided that
conforms to the equipment manufacturer’s specifications.

(d) An uninterruptible power supply (UPS) to support orderly close down or
continuous running is recommended for equipment supporting critical business
operations. Power contingency plans must cover the action to be taken on
failure of the UPS. A back-up generator must be considered if processing is
required to continue in case of a prolonged power failure. An adequate supply
of fuel must be available to ensure that the generator can perform for a
prolonged period. UPS equipment and generators must be regularly checked
to ensure they have adequate capacity and are tested in accordance with the
manufacturer’s recommendations. In addition, consideration could be given to
using multiple power sources or, if the site is large, a separate power
substation.

(e) Emergency power off switches must be located near emergency exits in
equipment rooms to facilitate rapid power down in case of an emergency.
Emergency lighting must be provided in case of main power failure.

(f) The water supply must be stable and adequate to supply air conditioning,
humidification equipment and fire suppression systems (where used).
Malfunctions in the water supply system may damage equipment or prevent
fire suppression from acting effectively. An alarm system to detect malfunctions
in the supporting utilities must be evaluated and installed if required.

(g) Telecommunications equipment must be connected to the utility provider by at
least two diverse routes to prevent failure in one connection path removing
voice services. Voice services must be adequate to meet local legal
requirements for emergency communications.

2.3 Cabling Security

(a) Power and telecommunications cabling carrying data or supporting information
services must be protected from interception or damage.

(b) Power and telecommunications lines into information processing facilities must
be underground, where possible, or subject to adequate alternative protection.

(c) When identified in a Risk Assessment, network cabling must be protected from
unauthorised interception or damage by using a conduit and by avoiding routes
through public areas.

(d) Power cables should be segregated from communications cables to prevent
interference.

(e) Cables and equipment must be clearly marked to minimise handling errors
such as accidental patching of wrong network cables. A documented patch list
must be used to reduce the possibility of errors.

(f) When a Risk Assessment finds a need for more safeguards, consider:

(i) installation of rigid conduit and locked rooms or boxes at inspection and
termination points;

(ii) use of alternative routings and/or transmission media providing
appropriate security;

(iii) use of fibre optic cabling;

(iv) use of electromagnetic shielding to protect the cables;

(v) initiation of technical sweeps and physical inspections for unauthorised
devices being attached to the cables; and

(vi) controlled access to patch panels and cable rooms.

2.4 Equipment Maintenance

(a) Equipment must be correctly maintained to help ensure availability and integrity
of sensitive information and assets.

(b) When equipment is serviced Information Owners must consider the sensitivity
of the information it holds and the value of the assets. The following controls
must be applied:

(i) equipment must be maintained in accordance with the supplier’s
recommended schedule and specifications;

(ii) only authorised maintenance personnel may carry out repairs and
service equipment;

(iii) records must be kept of all suspected faults and all preventive and
corrective maintenance;

(iv) maintenance must be scheduled at a time of day that limits interference
with services or operations; and

(v) users must be notified before equipment is taken off-line for
maintenance.

(c) If off-site maintenance is required then the asset must be cleared of all sensitive
information. If it is not possible to de-sensitise assets before sending them for
maintenance then the University CIO and Information Owner must consider
destruction of the asset.

2.5 Removal of Assets

(a) University-owned equipment, information and software must not be removed
from University premises without prior authorisation.

(b) Information Owners must establish a formal authorisation process for the
removal of assets for re-location, loan, maintenance, disposal or any other
purpose. Authorisation must include:

(i) item description and serial number(s);

(ii) information indicating where the asset will be located;

(iii) the removal date and return date;

(iv) the name of the individual responsible for the asset; and
(v) the reason for removal.

(c) The description and serial numbers must be verified when the asset is returned.

(d) Personnel must be informed of and accept responsibility for protection of the
asset.

2.6 Security of Equipment and Assets Off-Premises

(a) Assets must be safeguarded using documented security controls when off-site
from University premises.

(b) Information Owners must ensure that equipment used or stored off-site is
safeguarded in accordance with the sensitivity of the information and the value
of the assets. Controls to apply include:

(i) encrypt sensitive data;

(ii) use a logical or physical access control mechanism (BIOS password,
USB key, smart card) to protect against unauthorised access;

(iii) use a physical locking or similar mechanism to restrain the equipment;

(iv) ensure personnel are instructed on the proper use of the chosen
controls. Personnel in possession of University equipment:

(v) must not leave it unattended in a public place;

(vi) must ensure the equipment is under his/her direct control at all times
when traveling;

(vii) must take measures to prevent viewing of sensitive information by
unauthorised personnel;

(viii) must not allow other persons to use the equipment;

(ix) must report lost or stolen equipment immediately.

2.7 Secure Disposal or Re-Use of Equipment

(a) All data and software must be erased from equipment prior to disposal or
redeployment.

(b) Information owners must consider the sensitivity of information and the value
of the assets when determining whether or not hardware or media will be re-
used or destroyed.

(c) Prior to re-use within the University:

(i) the integrity of University records must be maintained by adhering to
the Records Management policy;
(ii) information and software must be backed up by the original Information
Owner; and

(iii) the storage media must be wiped in accordance with the Asset
Management Procedure (Disposal of Media).

(d) Storage media that will no longer be used in the University must be wiped by a
method approved by the IT Security team, in compliance with the Asset
Management Procedure. Asset inventories must be updated to record details
of the data wiping including:

(i) asset identifier;

(ii) date of erasure;

(iii) names of personnel conducting the erasure.

(e) When a supplier conducts the data wiping there must be contractual and audit
procedures to ensure complete destruction of the information. The University
must receive certification that the destruction has occurred.

2.8 Unattended User Equipment

(a) Users must ensure unattended equipment has appropriate protection.

(b) Users must safeguard unattended equipment by:

(i) terminating the active session when finished;

(ii) locking the session with a password-protected screen saver or other
approved mechanism;

(iii) logging off computers, servers, terminals and other devices when the
session is finished;

(iv) enabling password protection on mobile devices, printers, kiosks and
portable storage devices; and

(v) securing devices with a cable lock when enhanced physical security is
justified.

2.9 Clear Desk and Clear Screen Policy

(a) Users must safeguard sensitive information from unauthorised access, loss or
damage.

(b) Users must secure their work space when it cannot be monitored by authorised
personnel. Secure work spaces by:

(i) clearing desktops and work areas;

(ii) locking hard copy sensitive information in an appropriate cabinet;

(iii) locking portable storage devices with sensitive information in an
appropriate cabinet;

(iv) activating a password-protected screen saver;

(v) safeguarding incoming and outgoing mail;

(vi) retrieving documents from printers and fax machines; and

(vii) ensuring that sensitive hard copy documents no longer needed are
placed in shredding bins, not recycle bins.

(c) When visitors, cleaning staff or other personnel without a “need-to-know” are
in the area, safeguard sensitive information by:

(i) covering up and maintaining control of hard copy files;

(ii) blanking computer screens or activating the password-protected screen
saver.

(d) Sensitive information must not be discussed in public or other areas where
there is a risk of being overheard by unauthorised personnel.

3. Definitions

3.1 See the Information Security Definitions document.

4. Related Documents

4.1 Policies

(a) Information Security Policy

About this Document

Further information

TRIM Number
Approval Authority       Chief Information Officer
Subject Matter Expert    Patrick McElhinney – Senior Security Specialist
Contact Details          [email protected]
Review Date              1st July 2018

Approval History

No.    Effective Date     Approved by    Amendment
V1.0   31st March 2017    CIO
